Priyanka Aash, profile picture
Uploaded byPriyanka Aash
2,614 views

Don't Get Left In The Dust How To Evolve From Ciso To Ciro

The role of the CISO is evolving to become the CIRO (Chief Information Risk Officer) to better align information security with business objectives. Drivers for this change include the growing importance of information to businesses and increased expectations from boards. To become a CIRO, one must adopt a risk-based approach, demonstrate business acumen, and have strong communication and leadership skills. The CIRO role oversees a broader set of functions beyond security to holistically manage information risk across the enterprise.

Embed presentation

#RSAC SESSION ID: James Christiansen Bradley J. Schaufenbuel, CISSP Don’t Get Left in the Dust: How to Evolve from CISO to CIRO CXO-W04 Director of Information Security Midland States Bank bschaufenbuel@midlandsb.com VP – Information Risk Management Accuvant jchristiansen@accuvant.com JC-JC
#RSAC Agenda  The Evolution of the Role  Drivers of CIRO Emergence  What Makes the CIRO Different  Making the Transition  How to Apply  Summary JC-JC CIRO 2
#RSAC Introduction  The security landscape is changing.  There is a disconnect between the objectives of the traditional CISO and the businesses they serve.  It is time to evolve with the organizations we serve. JC-JC 3
#RSAC The Six Forces Require a Resilient Security Strategy Business Strategy Global Social and Political Forces Government and Industry Regulations Adversaries and Threats Organizational Culture IT Organization, Systems and Infrastructure JC-JC 4
#RSAC Progression of this Field… 1990-1998 IT Security 1999-2004 Info Sec 2005-2014 IT Risk Management 2015-??? Information Risk Management? JC-JC 5
#RSAC The Security Journey A business aligned strategy includes understanding the business and compliance objectives, threats, and risks AD HOC INFRASTRUCTURE BASED COMPLIANCE BASED THREAT BASED BUSINESS ALIGNED RISK BASED Shortcut = Failure to Pass INTEL DRIVEN JC-JC 6
#RSAC Guidance from the National Association of Corporate Directors (NACD) Executive Management / Board – NACD  Guidance includes specific questions about program maturity, breach notification, situational awareness, strategy and incident response PRINCIPLE 1: Cybersecurity is an enterprise- wide risk management issue, not just an IT issue PRINCIPLE 2: Understand Legal implications of cyber PRINCIPLE 3: Have regular updates and access to cyber security experts PRINCIPLE 4: Establish an enterprise- wide cyber-risk management framework with adequate staffing and budget PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate, or transfer through cyber insurance JC-BS 7
#RSAC Drivers of the Emergence of the CIRO – 1/2 Increase in outsourcing (greater emphasis on third party oversight) Changing threat landscape (need for risk based remediation) Greater expectations of boards and executive teams BS-BS 8
#RSAC Drivers of the Emergence of the CIRO – 2/2  Misalignment of security spending with business risk  Lack of support for taking calculated risks  Divergence amongst existing information governance functions BS-BS 9
#RSAC Where CISOs Fall Short – 1/2  Focus on information protection at the expense of other corporate goals. Information risk is a business problem with a shared budget responsibility  Focus on technology solutions in lieu of other controls (continual search for the next silver bullet) BS-BS 10
#RSAC  Emphasize risk elimination instead of risk optimization (‘no’ instead of ‘yes – if we …’)  Even “risk enlightened” leaders are fixated on technology risks (focus on ‘IT’ risk instead of ‘information’ risk) Where CISOs Fall Short – 2/2 BS-BS 11
#RSAC The Ideal CIRO  Traditional security knowledge (CISSP, CISM, etc.)  Business savvy (MBA)  Thinks like a lawyer and a hacker  Leader (comfortable in front of the board)  Understands risk management principles  Can implement project management fundamentals BS-JC 12
#RSAC The Successful Chief Information Risk Officer CIRO Information Driven Decision Making  Strategic and Operational Metrics / Dashboard  Information Risk Assessment and Management  Integration with Enterprise Risk Management Information Security is a Business Imperative  Enable Business to Securely Deliver Product and Services  Positive Interaction With Partners, Third-parties and Regulators Shared Budget Responsibility  Corporate and Business Unit - Balanced Risk and Cost  Prioritization With Other Strategic Business Projects JC-JC 13
#RSAC What Makes the CIRO Different?  Organizational profile – Executive team member with board access  Organizational alignment – Strategy dovetails with organization’s  Depth and breadth of skills  Business risk based approach  Leadership JC-JC 14
#RSAC Not Just Context, but Also Content Not just protection, but also: Timely destruction: What is the risk of keeping information too long or not long enough? Optimization of use: Are we extracting value from information? Collection practices: Do we even need to obtain the information? JC-JC 15
#RSAC What Functions Fall Under CIRO? May include parts of:  Traditional Information Security  Legal and Regulatory Compliance  Privacy  Third Party Oversight  Business Resilience  Physical Security JC-JC 16
#RSAC Reporting Structures, Old and New JC-BS 17
#RSAC Advantages of New Organizational Structure Aligns information risk with business priorities Visibility into organizational or product changes Supports shared responsibility for information risk Ensures that all types of information risk are addressed Able to address board, executive management and customers BS-BS 18
#RSAC Do We Need Another C-Level Position?  Value of information (and associated risk) rising.  Executive composition should parallel board’s fiduciary duties.  Consolidation of existing C-level positions (CPO, CISO / CSO, etc.) BS-BS 19
#RSAC Skills Required to Make the CIRO Transition Thorough understanding of risk management concepts  Factor Analysis of Information Risk (FAIR)1 1Source: Risk Management Insight (riskmanagementinsight.com) Executive level communication skills  Presentation Skills – Toastmasters  Written Skills – College & Editors / Colleagues Thorough understanding of your organization’s business, objectives and growth plans  Regular meetings with business executives BS-BS 20
#RSAC The Information Risk Transformation  Transition yourself from law enforcement / military mindset to that of a business risk manager  Add risk management skill set to staff (through training or hiring)  Don’t forget about information in non- electronic format BS-BS 21
#RSAC  Understanding Regulations:  Translate legal regulations to internal activities to meet spirit (legislative intent) and letter of the law. Establish a good working relationship with your attorneys. Participate in standard setting and regulatory rulemaking processes (i.e., help shape the rules).  Threat Landscape: Implement threat analytics maturity model  Understand the corporate culture: Risk aversion, rate of change, cultural differences, countries of operation How? BS-JC 22
#RSAC Evolution of the CISO to the CIRO Securing the Organization CISO Secure the internal organization Manage the risk of third parties Manage regulatory risks Communicate current status and risks to boardBusiness Acumen Regulatory Compliance Management Third-Party Risk Management Information Security CIRO JC-JC 23
#RSAC  Keep it short and concise – Typically they will want pre-materials  Never guess at an answer – They read people very well!  Information Risk Dashboard  Include areas of risk inside and outside the organization  Trends – What areas of risk are increasing and decreasing  New risk highlights  Overall goal – Demonstrate the effectiveness of your information risk management program over time. Executive Management / Board – Tips Source: NACD, Cyber-Risk Oversight, Directors Handbook 2014 JC-BS 24
#RSAC Using Existing Enterprise Risk Management (ERM) Program (or Create One)  Leverage the existing enterprise risk management (ERM) program (if one exists).  Information risk is a subset of enterprise risk.  If there isn’t an enterprise risk management program, sponsor one (position yourself to be CRO). BS-BS 25
#RSAC Leveraging Information Risk to Drive Value Concrete Examples:  Factoring in an information risk discount on an acquisition valuation / purchase price  Leveraging fraud and security data to improve customer experience BS-JC 26
#RSAC  Revenue Contribution  Enable Business Efficiency  Product Delivery  Brand Name Confidence  Earnings Contribution  Reduced Operating Expenses Related to Security Failure  Long Term Reduction of Security Program Costs  Circumvent Costs of Regulatory Non-compliance 27 Contributing to the Organization’s Success JC-JC
#RSAC Managing Information Risk 28 Ease of Doing Business Effective Compliance Information Technology GovernancePeople Information Security Regulatory Compliance Third Party Risk Information Risk Management JC-JC Enhanced Security Global Execution Process Improvement Third PartiesRegulations
#RSAC The Reward  Earned respect from organizational peers  Inclusion in your organization’s strategic decision making processes and forums  Perception shifts from marginal cost center to value adding unit JC-BS 29
#RSAC Summary We have established:  The current CISO role is not meeting organizational needs  CISO must adapt or go the way of the Dodo bird  A focus on managing information risk offers a superior alignment to the organization’s objectives  There are steps you can take to position yourself for this transition BS-BS 30
#RSAC Apply It TODAY Immediate actions: Assess you and your program’s readiness to make the CIRO transition Establish YOUR plan to gain and implement necessary skills 90 DAYS Take steps to realign skill sets, focus, and organizational structure to an information risk based approach +90 DAYS BS-BS 31
#RSAC Resources  The Evolution of the CISO (accuvant.com/resources/risk-and-the-ciso- role#sthash.TUMIWWV7.dpuf)  NACD – Cyber-Risk Oversight Handbook (nacdonline.org/cyber)  Introduction to Factor Analysis of Information Risk (FAIR) (riskmanagementinsight.com)  Six Forces of Security Strategy (accuvant.com/resources/accuvants-six- forces-of-security-strategy) 32 BS-BS
#RSAC Questions? jchristiansen@accuvant.com bschaufenbuel@midlandsb.com 33

More Related Content

PPT
The 7 Habits of Highly Effective People
byTania Aslam
 
PDF
Desafios lencioni-out16
byIvo M Michalick Vasconcelos, PMP, PMI-SP, CPCC
 
PPTX
Respiratory drugs
byakifab93
 
PPT
Vaccines and sera
byPatel maulik
 
PPTX
Foods to Eat in Swelling & Edema
byHerbal Daily
 
PDF
Finding a Strategic Voice - IBM CISO Study
byIBMGovernmentCA
 
PPTX
The one minute manager
byTania Aslam
 
PDF
Cybersecurity Preparedness Trends and Best Practices
byTony Moroney
 
The 7 Habits of Highly Effective People
byTania Aslam
 
Desafios lencioni-out16
byIvo M Michalick Vasconcelos, PMP, PMI-SP, CPCC
 
Respiratory drugs
byakifab93
 
Vaccines and sera
byPatel maulik
 
Foods to Eat in Swelling & Edema
byHerbal Daily
 
Finding a Strategic Voice - IBM CISO Study
byIBMGovernmentCA
 
The one minute manager
byTania Aslam
 
Cybersecurity Preparedness Trends and Best Practices
byTony Moroney
 

Viewers also liked

PPTX
Effective listening
byTania Aslam
 
PPTX
Selling effective techniques that work!
byTania Aslam
 
PDF
Improving Your Information Security Program
bySeccuris Inc.
 
PDF
Productivity Tips: Change Your Mood
byMuhammad Noer
 
PDF
Super CISO 2020: How to Keep Your Job
byPriyanka Aash
 
PPTX
What is Information Governance
byAtle Skjekkeland
 
PDF
The 5 Dysfunctions of a Team
byEric Brown, Author and Coach
 
PPT
The 5 dysfunctions of a team Management Presentation
byrajopadhye
 
PDF
Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...
byMuhammad Noer
 
PPTX
From Zero to Hero
byMuhammad Noer
 
PDF
Top 10 Essentials for Building a Powerful Security Dashboard
byTripwire
 
PPTX
Structuring for success - Developing a dynamic structure for your marketing t...
byB2B Marketing
 
PDF
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
 
PDF
Talent Is Never Enough - Presentasi.net
byMuhammad Noer
 
Effective listening
byTania Aslam
 
Selling effective techniques that work!
byTania Aslam
 
Improving Your Information Security Program
bySeccuris Inc.
 
Productivity Tips: Change Your Mood
byMuhammad Noer
 
Super CISO 2020: How to Keep Your Job
byPriyanka Aash
 
What is Information Governance
byAtle Skjekkeland
 
The 5 Dysfunctions of a Team
byEric Brown, Author and Coach
 
The 5 dysfunctions of a team Management Presentation
byrajopadhye
 
Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...
byMuhammad Noer
 
From Zero to Hero
byMuhammad Noer
 
Top 10 Essentials for Building a Powerful Security Dashboard
byTripwire
 
Structuring for success - Developing a dynamic structure for your marketing t...
byB2B Marketing
 
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
 
Talent Is Never Enough - Presentasi.net
byMuhammad Noer
 

Similar to Don't Get Left In The Dust How To Evolve From Ciso To Ciro

PDF
From Cave Man to Business Man, the Evolution of the CISO to CIRO
byPriyanka Aash
 
PDF
Briefing the board lessons learned from cisos and directors
byPriyanka Aash
 
PPTX
Ten Tenets of CISO Success
byFrank Kim
 
PDF
SBIC Report : Transforming Information Security: Future-Proofing Processes
byEMC
 
PPTX
The Gathering Storm
byInnoTech
 
PDF
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
PPTX
crisc_wk_2a.pptx
bydotco
 
PDF
Transforming Information Security: Designing a State-of-the-Art Extended Team
byEMC
 
PDF
Cyber security: five leadership issues worthy of Board and executive attention
byRamón Gómez de Olea y Bustinza
 
PDF
Cyber security: Five leadership issues worthy of board and executive attention
byRamón Gómez de Olea y Bustinza
 
PDF
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
PDF
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
byawish11
 
PDF
Does title make a difference?
byPete Nieminen
 
PPT
Enterprise Risk Management
byContinuity and Resilience
 
PDF
Coordinating Security Response and Crisis Management Planning
byCognizant
 
PPTX
CISO's first 100 days
byMichaelSadeghiPhDABD
 
PDF
my experience as ciso
byMarc Vael
 
PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
byMarcoTechnologies
 
PDF
File000170
byDesmond Devendran
 
PPTX
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
bycentralohioissa
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
byPriyanka Aash
 
Briefing the board lessons learned from cisos and directors
byPriyanka Aash
 
Ten Tenets of CISO Success
byFrank Kim
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
byEMC
 
The Gathering Storm
byInnoTech
 
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
crisc_wk_2a.pptx
bydotco
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
byEMC
 
Cyber security: five leadership issues worthy of Board and executive attention
byRamón Gómez de Olea y Bustinza
 
Cyber security: Five leadership issues worthy of board and executive attention
byRamón Gómez de Olea y Bustinza
 
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
byawish11
 
Does title make a difference?
byPete Nieminen
 
Enterprise Risk Management
byContinuity and Resilience
 
Coordinating Security Response and Crisis Management Planning
byCognizant
 
CISO's first 100 days
byMichaelSadeghiPhDABD
 
my experience as ciso
byMarc Vael
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
byMarcoTechnologies
 
File000170
byDesmond Devendran
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
bycentralohioissa
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 

Don't Get Left In The Dust How To Evolve From Ciso To Ciro

  • 1.
    #RSAC SESSION ID: James ChristiansenBradley J. Schaufenbuel, CISSP Don’t Get Left in the Dust: How to Evolve from CISO to CIRO CXO-W04 Director of Information Security Midland States Bank bschaufenbuel@midlandsb.com VP – Information Risk Management Accuvant jchristiansen@accuvant.com JC-JC
  • 2.
    #RSAC Agenda  The Evolutionof the Role  Drivers of CIRO Emergence  What Makes the CIRO Different  Making the Transition  How to Apply  Summary JC-JC CIRO 2
  • 3.
    #RSAC Introduction  The securitylandscape is changing.  There is a disconnect between the objectives of the traditional CISO and the businesses they serve.  It is time to evolve with the organizations we serve. JC-JC 3
  • 4.
    #RSAC The Six Forces Requirea Resilient Security Strategy Business Strategy Global Social and Political Forces Government and Industry Regulations Adversaries and Threats Organizational Culture IT Organization, Systems and Infrastructure JC-JC 4
  • 5.
    #RSAC Progression of thisField… 1990-1998 IT Security 1999-2004 Info Sec 2005-2014 IT Risk Management 2015-??? Information Risk Management? JC-JC 5
  • 6.
    #RSAC The Security Journey A businessaligned strategy includes understanding the business and compliance objectives, threats, and risks AD HOC INFRASTRUCTURE BASED COMPLIANCE BASED THREAT BASED BUSINESS ALIGNED RISK BASED Shortcut = Failure to Pass INTEL DRIVEN JC-JC 6
  • 7.
    #RSAC Guidance from theNational Association of Corporate Directors (NACD) Executive Management / Board – NACD  Guidance includes specific questions about program maturity, breach notification, situational awareness, strategy and incident response PRINCIPLE 1: Cybersecurity is an enterprise- wide risk management issue, not just an IT issue PRINCIPLE 2: Understand Legal implications of cyber PRINCIPLE 3: Have regular updates and access to cyber security experts PRINCIPLE 4: Establish an enterprise- wide cyber-risk management framework with adequate staffing and budget PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate, or transfer through cyber insurance JC-BS 7
  • 8.
    #RSAC Drivers of theEmergence of the CIRO – 1/2 Increase in outsourcing (greater emphasis on third party oversight) Changing threat landscape (need for risk based remediation) Greater expectations of boards and executive teams BS-BS 8
  • 9.
    #RSAC Drivers of theEmergence of the CIRO – 2/2  Misalignment of security spending with business risk  Lack of support for taking calculated risks  Divergence amongst existing information governance functions BS-BS 9
  • 10.
    #RSAC Where CISOs Fall Short– 1/2  Focus on information protection at the expense of other corporate goals. Information risk is a business problem with a shared budget responsibility  Focus on technology solutions in lieu of other controls (continual search for the next silver bullet) BS-BS 10
  • 11.
    #RSAC  Emphasize riskelimination instead of risk optimization (‘no’ instead of ‘yes – if we …’)  Even “risk enlightened” leaders are fixated on technology risks (focus on ‘IT’ risk instead of ‘information’ risk) Where CISOs Fall Short – 2/2 BS-BS 11
  • 12.
    #RSAC The Ideal CIRO Traditional security knowledge (CISSP, CISM, etc.)  Business savvy (MBA)  Thinks like a lawyer and a hacker  Leader (comfortable in front of the board)  Understands risk management principles  Can implement project management fundamentals BS-JC 12
  • 13.
    #RSAC The Successful ChiefInformation Risk Officer CIRO Information Driven Decision Making  Strategic and Operational Metrics / Dashboard  Information Risk Assessment and Management  Integration with Enterprise Risk Management Information Security is a Business Imperative  Enable Business to Securely Deliver Product and Services  Positive Interaction With Partners, Third-parties and Regulators Shared Budget Responsibility  Corporate and Business Unit - Balanced Risk and Cost  Prioritization With Other Strategic Business Projects JC-JC 13
  • 14.
    #RSAC What Makes theCIRO Different?  Organizational profile – Executive team member with board access  Organizational alignment – Strategy dovetails with organization’s  Depth and breadth of skills  Business risk based approach  Leadership JC-JC 14
  • 15.
    #RSAC Not Just Context, butAlso Content Not just protection, but also: Timely destruction: What is the risk of keeping information too long or not long enough? Optimization of use: Are we extracting value from information? Collection practices: Do we even need to obtain the information? JC-JC 15
  • 16.
    #RSAC What Functions FallUnder CIRO? May include parts of:  Traditional Information Security  Legal and Regulatory Compliance  Privacy  Third Party Oversight  Business Resilience  Physical Security JC-JC 16
  • 17.
  • 18.
    #RSAC Advantages of New OrganizationalStructure Aligns information risk with business priorities Visibility into organizational or product changes Supports shared responsibility for information risk Ensures that all types of information risk are addressed Able to address board, executive management and customers BS-BS 18
  • 19.
    #RSAC Do We NeedAnother C-Level Position?  Value of information (and associated risk) rising.  Executive composition should parallel board’s fiduciary duties.  Consolidation of existing C-level positions (CPO, CISO / CSO, etc.) BS-BS 19
  • 20.
    #RSAC Skills Required toMake the CIRO Transition Thorough understanding of risk management concepts  Factor Analysis of Information Risk (FAIR)1 1Source: Risk Management Insight (riskmanagementinsight.com) Executive level communication skills  Presentation Skills – Toastmasters  Written Skills – College & Editors / Colleagues Thorough understanding of your organization’s business, objectives and growth plans  Regular meetings with business executives BS-BS 20
  • 21.
    #RSAC The Information RiskTransformation  Transition yourself from law enforcement / military mindset to that of a business risk manager  Add risk management skill set to staff (through training or hiring)  Don’t forget about information in non- electronic format BS-BS 21
  • 22.
    #RSAC  Understanding Regulations: Translate legal regulations to internal activities to meet spirit (legislative intent) and letter of the law. Establish a good working relationship with your attorneys. Participate in standard setting and regulatory rulemaking processes (i.e., help shape the rules).  Threat Landscape: Implement threat analytics maturity model  Understand the corporate culture: Risk aversion, rate of change, cultural differences, countries of operation How? BS-JC 22
  • 23.
    #RSAC Evolution of theCISO to the CIRO Securing the Organization CISO Secure the internal organization Manage the risk of third parties Manage regulatory risks Communicate current status and risks to boardBusiness Acumen Regulatory Compliance Management Third-Party Risk Management Information Security CIRO JC-JC 23
  • 24.
    #RSAC  Keep itshort and concise – Typically they will want pre-materials  Never guess at an answer – They read people very well!  Information Risk Dashboard  Include areas of risk inside and outside the organization  Trends – What areas of risk are increasing and decreasing  New risk highlights  Overall goal – Demonstrate the effectiveness of your information risk management program over time. Executive Management / Board – Tips Source: NACD, Cyber-Risk Oversight, Directors Handbook 2014 JC-BS 24
  • 25.
    #RSAC Using Existing EnterpriseRisk Management (ERM) Program (or Create One)  Leverage the existing enterprise risk management (ERM) program (if one exists).  Information risk is a subset of enterprise risk.  If there isn’t an enterprise risk management program, sponsor one (position yourself to be CRO). BS-BS 25
  • 26.
    #RSAC Leveraging Information Risk toDrive Value Concrete Examples:  Factoring in an information risk discount on an acquisition valuation / purchase price  Leveraging fraud and security data to improve customer experience BS-JC 26
  • 27.
    #RSAC  Revenue Contribution Enable Business Efficiency  Product Delivery  Brand Name Confidence  Earnings Contribution  Reduced Operating Expenses Related to Security Failure  Long Term Reduction of Security Program Costs  Circumvent Costs of Regulatory Non-compliance 27 Contributing to the Organization’s Success JC-JC
  • 28.
    #RSAC Managing Information Risk 28 Easeof Doing Business Effective Compliance Information Technology GovernancePeople Information Security Regulatory Compliance Third Party Risk Information Risk Management JC-JC Enhanced Security Global Execution Process Improvement Third PartiesRegulations
  • 29.
    #RSAC The Reward  Earnedrespect from organizational peers  Inclusion in your organization’s strategic decision making processes and forums  Perception shifts from marginal cost center to value adding unit JC-BS 29
  • 30.
    #RSAC Summary We have established: The current CISO role is not meeting organizational needs  CISO must adapt or go the way of the Dodo bird  A focus on managing information risk offers a superior alignment to the organization’s objectives  There are steps you can take to position yourself for this transition BS-BS 30
  • 31.
    #RSAC Apply It TODAY Immediate actions: Assessyou and your program’s readiness to make the CIRO transition Establish YOUR plan to gain and implement necessary skills 90 DAYS Take steps to realign skill sets, focus, and organizational structure to an information risk based approach +90 DAYS BS-BS 31
  • 32.
    #RSAC Resources  The Evolutionof the CISO (accuvant.com/resources/risk-and-the-ciso- role#sthash.TUMIWWV7.dpuf)  NACD – Cyber-Risk Oversight Handbook (nacdonline.org/cyber)  Introduction to Factor Analysis of Information Risk (FAIR) (riskmanagementinsight.com)  Six Forces of Security Strategy (accuvant.com/resources/accuvants-six- forces-of-security-strategy) 32 BS-BS
  • 33.