Priyanka Aash, profile picture
Uploaded byPriyanka Aash
553 views

CISO Platform Security Maturity Model

The document discusses the challenges of existing security models, highlighting their complexity and lack of prioritization. It introduces the CISO Platform Security Strategy Model (CP-SSM), which aims to offer a minimalist and focused approach to security strategy through threat modeling and prioritization. Key elements include a threat repository, prioritization guidelines, and a mapping between threats and controls.

Embed presentation

CISO Platform Security Strategy Model ( CP-SSM ) Bikash Barai
Challenges with existing models • Too heavy to be intimidating - Too many steps • Cannot be done incrementally – Needs big bang approach • Very few SABSA professionals and very few implementation • Does not produce a prioritized list of security activities
Goodness Criteria • Should help to eliminate • Should help to focus • Should be simple • Should be easy to remember
Introducing CP-SSM
Goals of CP-SSM • Light • Minimalist • Focused
Steps • Create Business Architecture (High Level) • Strategic Threat Modeling • Elimination: Bucket and Prune • Mapping: Threats to 4 types of controls • Priority Bucketing of Activities
Key Elements • CP- Threat Repository • Threat Prioritization Guideline – Available – Benchmark, Risk Management Model • CP - Control Repository – Not available • CP- Threat to Control Map – Not available • CP- Activity/Control Priority Map
Threat Repository • Taxonomy – Software (26 sub class) – Hardware (3) – Physical Security (3) – Supply Chain (2) – Human (3) • Industry or vertical specific top N listing
CISO Platform Threat – Control Map • Threat: SQL Injection Attack – Detection: WAF, SAST, DAST, IAST, RASP – Prevention: Secure Coding, WAF, RASP – Response: SIEM, SOC Response Process – Prediction: TI (External and Internal)
Prioritization Matrix Prevention Detection Response Prediction High Risk 1 1 2 3 Medium Risk 2 2 2 3 Low Risk 3 3 3 3
Next Steps • Utilize the model (loosely) for building an Appsec Program - Post Lunch • Create Community Projects – Threat Repository (Comprehensive + Top N) – Threat Control
Thank You @bikashbarai1

More Related Content

PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
PPTX
Enterprise Security Architecture Design
byPriyanka Aash
 
PDF
SACON Orientation
byPriyanka Aash
 
PDF
Zachman Enterprise Security Architecture
byJoaquin Marques
 
PPTX
Enterprise Security Architecture
byPriyanka Aash
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PPTX
Risk Management Strategy (RMF v2)
byAmy Nicewick, CISSP, CCSP, CEH
 
PDF
Enterprise Security Architecture
byPriyanka Aash
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
Enterprise Security Architecture Design
byPriyanka Aash
 
SACON Orientation
byPriyanka Aash
 
Zachman Enterprise Security Architecture
byJoaquin Marques
 
Enterprise Security Architecture
byPriyanka Aash
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
Risk Management Strategy (RMF v2)
byAmy Nicewick, CISSP, CCSP, CEH
 
Enterprise Security Architecture
byPriyanka Aash
 

What's hot

PPTX
Conceptual security architecture
byMubashirAslam5
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
PPTX
SABSA Implementation(Part II)_ver1-0
byMaganathin Veeraragaloo
 
PPTX
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
byManoj Purandare ☁
 
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
PPTX
Security architecture frameworks
byJohn Arnold
 
PPTX
Does Anyone Remember Enterprise Security Architecture?
byrbrockway
 
PDF
Security Patterns How To Make Security Arch Easy To Consume
byJeff Johnson
 
PPT
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
PDF
Security services mind map
byDavid Kennedy
 
PPTX
Building a SOC - hackmiami 2018
byJose Hernandez
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
PPTX
Soc
byMukesh Chaudhari
 
PPT
Uac sales pres_20_apr09-2
bylousifers
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
PDF
Chapter 10 security standart
bynewbie2019
 
PPTX
SABSA overview
bySABSAcourses
 
PPTX
Secure Design: Threat Modeling
byCigital
 
Conceptual security architecture
byMubashirAslam5
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
SABSA Implementation(Part II)_ver1-0
byMaganathin Veeraragaloo
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
byManoj Purandare ☁
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
Security architecture frameworks
byJohn Arnold
 
Does Anyone Remember Enterprise Security Architecture?
byrbrockway
 
Security Patterns How To Make Security Arch Easy To Consume
byJeff Johnson
 
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
Security services mind map
byDavid Kennedy
 
Building a SOC - hackmiami 2018
byJose Hernandez
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
Soc
byMukesh Chaudhari
 
Uac sales pres_20_apr09-2
bylousifers
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
Chapter 10 security standart
bynewbie2019
 
SABSA overview
bySABSAcourses
 
Secure Design: Threat Modeling
byCigital
 

Similar to CISO Platform Security Maturity Model

PDF
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
byBill Burns
 
PDF
Blueprint for Security Architecture & Strategy.pdf
byFetri Miftach
 
PDF
The Connors Group Cyber Security Infographic
byThe Connors Group
 
PDF
Top 10 Security Risks .pptx.pdf
byPriyanka Aash
 
PDF
Business case for information security program
byWilliam Godwin
 
PDF
Business case for Information Security program
byWilliam Godwin
 
PPTX
Cyber Security in the market place: HP CTO Day
bySymantec
 
PDF
Building an effective Information Security Roadmap
byElliott Franklin
 
PDF
Data security in cloud
byInterop
 
PPTX
Risks vs real life
byMona Arkhipova
 
PPTX
Data Security: Why You Need Data Loss Prevention & How to Justify It
byMarc Crudgington, MBA
 
PDF
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
byParishSummer
 
PPTX
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
PDF
Integrated Security for Software Development and Advanced Penetration Testing...
bySymptai Consulting Limited
 
PPTX
Check Point: Defining Your Security blueprint
byGroup of company MUK
 
PPTX
Privacies are coming
byErnest Staats
 
PDF
BATbern48_How Zero Trust can help your organisation keep safe.pdf
byBATbern
 
PDF
G05.2013 gartner top security trends
bySatya Harish
 
PDF
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
byNorth Texas Chapter of the ISSA
 
PDF
CHIME Lead Forum - Seattle 2015
byHealth IT Conference – iHT2
 
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
byBill Burns
 
Blueprint for Security Architecture & Strategy.pdf
byFetri Miftach
 
The Connors Group Cyber Security Infographic
byThe Connors Group
 
Top 10 Security Risks .pptx.pdf
byPriyanka Aash
 
Business case for information security program
byWilliam Godwin
 
Business case for Information Security program
byWilliam Godwin
 
Cyber Security in the market place: HP CTO Day
bySymantec
 
Building an effective Information Security Roadmap
byElliott Franklin
 
Data security in cloud
byInterop
 
Risks vs real life
byMona Arkhipova
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
byMarc Crudgington, MBA
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
byParishSummer
 
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
Integrated Security for Software Development and Advanced Penetration Testing...
bySymptai Consulting Limited
 
Check Point: Defining Your Security blueprint
byGroup of company MUK
 
Privacies are coming
byErnest Staats
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
byBATbern
 
G05.2013 gartner top security trends
bySatya Harish
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
byNorth Texas Chapter of the ISSA
 
CHIME Lead Forum - Seattle 2015
byHealth IT Conference – iHT2
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 

CISO Platform Security Maturity Model

  • 1.
    CISO Platform SecurityStrategy Model ( CP-SSM ) Bikash Barai
  • 3.
    Challenges with existingmodels • Too heavy to be intimidating - Too many steps • Cannot be done incrementally – Needs big bang approach • Very few SABSA professionals and very few implementation • Does not produce a prioritized list of security activities
  • 4.
    Goodness Criteria • Shouldhelp to eliminate • Should help to focus • Should be simple • Should be easy to remember
  • 5.
  • 6.
    Goals of CP-SSM •Light • Minimalist • Focused
  • 7.
    Steps • Create BusinessArchitecture (High Level) • Strategic Threat Modeling • Elimination: Bucket and Prune • Mapping: Threats to 4 types of controls • Priority Bucketing of Activities
  • 8.
    Key Elements • CP-Threat Repository • Threat Prioritization Guideline – Available – Benchmark, Risk Management Model • CP - Control Repository – Not available • CP- Threat to Control Map – Not available • CP- Activity/Control Priority Map
  • 9.
    Threat Repository • Taxonomy –Software (26 sub class) – Hardware (3) – Physical Security (3) – Supply Chain (2) – Human (3) • Industry or vertical specific top N listing
  • 10.
    CISO Platform Threat– Control Map • Threat: SQL Injection Attack – Detection: WAF, SAST, DAST, IAST, RASP – Prevention: Secure Coding, WAF, RASP – Response: SIEM, SOC Response Process – Prediction: TI (External and Internal)
  • 11.
    Prioritization Matrix Prevention DetectionResponse Prediction High Risk 1 1 2 3 Medium Risk 2 2 2 3 Low Risk 3 3 3 3
  • 12.
    Next Steps • Utilizethe model (loosely) for building an Appsec Program - Post Lunch • Create Community Projects – Threat Repository (Comprehensive + Top N) – Threat Control
  • 13.