Barry Caplin, Chief Information Security Official at Fairview Health Services, discusses the challenges of security awareness at the Argyle CISO Summit. He emphasizes the need for engaging, understandable security policies and the importance of management support in fostering a security-conscious culture. Caplin advocates for a risk management approach, iterative improvement, and collaboration in implementing effective security measures.

1. #*%! my CISO Says
Barry Caplin
Chief Information Security Official
Fairview Health Services
Argyle CISO Summit
Wed. Nov. 19, 2014
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com

2. Barry Caplin
Chief Information Security Official
Fairview Health Services
tuff
Argyle CISO Summit
Wed. Nov. 19, 2014
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com

3. Security Isn’t Easy…
We didn’t get into it for the…

4. And how do we get their attention and
support?
Nobody cares about Security…
The Challenge of Security Awareness
Why?

5. Stuff happens…

6. • Security viewed as a negative
• Avoidance v. “risk”
– Delays
– Cost
– Extra work
– “Gotchas”
Issues

7. It Can’t Be Just…

8. We need sensible
controls…

10. … early in the process…

12. Good CISO/Bad CISO

13. Governance
Governance
… We don’t
need no
stinkin’
governance!
Bad CISO
“Badges?...”

14. Governance
Develop a
clear strategy
using an
industry
standard
framework.

15. Policy
All Security
Policy is the
same. I got
mine from a
book.
“Hello Mr. Anderson”
Bad CISO

16. Policy
Policies are
based on solid
principles, but
adapted to fit
the
organization.
“Fate, it seems, is not without
a sense of irony.”

17. Compliance
We write the
policies. We
make people
sign an oath.
Done.
“So there is a point you will not go beyond.”
Bad CISO

18. Compliance
We must make
(understandable)
policies. We must
teach. We must
assess, measure
and report.
“It's like a finger pointing away to the moon...”

19. Awareness
Users will know
what they have
to do or be
eliminated.
Bad CISO
“The successful criminal brain is
always superior. It has to be.”

20. Awareness
Users can talk to
Security. We
teach. We
answer questions.
“Shaken, not stirred”

21. Senior Management
I say what
they want to
hear.
They’re not
listening
anyway.
Bad CISO
“Why make a trillion when we could make...
billions?”

22. Senior Management
Give them the
info they need
and they will be
an engaged
partner.
“Smashing Baby!”

23. Bad CISO
“Your lack of faith is disturbing”
Business Needs
I buy the best
known security
products
because
they’ve got to
be good.

24. “The Force is strong with
this one.”
Business Need
Working together
we find control-
and cost-effective
security products
that work and are
usable.

25. Stuff I Say…
KISS

26. Stuff I Say…
No one has “read and
understood”
• but definitely still responsible
• Simple, direct language in policy
• Compliance via education

27. Stuff I Say…
You pay by the word
• Keep policies short and sweet
• If not, you’ll pay on the
compliance-effort side

28. Stuff I Say…
People want to do the right thing
• but what is the right thing?
• Understandable policy
• Simple rules

29. Stuff I Say…
Do What Makes Sense
• Risk Management approach
• Seek out and destroy
meaningless
policy/controls/practices

30. Stuff I Say…
Iterative Improvement
• Maturity model
• CObIT, SEI CMMI

31. Stuff I Say…
Automation!
• Metrics
• Tools
• Reporting

32. Stuff I Say…
What is the business need?
• Find out business need in plain
business language

33. Stuff I Say… Have Fun!

34. about.me/barrycaplin
Securityandcoffee
.blogspot.com
@bcaplin