15th November 2018
Forum Genève, Geneva, Switzerland
#ZeroDayCh
@ZeroDayCh
www.zero-day.ch
PART II: Cybersecurity strategy planning in the banking sector
Olivier BUSOLINI, Head of IT risks and cyber security
Olivier Busolini - Cybersecurity strategy planning in the banking sector
Our short journey together
Let’s browse together the notes of an adventurer CISO.
Cybersecurity management has been transformed completely in the last couple of years.
It is now a board-level topic (yes!) and should be addressed as such.
It is also a very complex human, organisational and technical domain, which is under heavy scrutiny in today’s corporate world and reinvents itself every year, if not every quarter.
On the other hand, the IT security industry has matured tremendously and today offers a universe of capabilities that need to be properly articulated together to create the level of cybersecurity resilience that each company demands.
That’s where the fun begins.
Agenda
• An approach to IT security strategic planning
• Controls hygiene and Compliance
• Security program
• Risks
• Tips from the trenches
An approach to IT security strategic planning
• Business, risks and enterprise risk appetite
  • Educate - Get active business support - Position security as an enterprise enabler - Formalise the enterprise risk appetite
• Assess gaps
  • Assess IT’s effectiveness at key capabilities - Benchmark it with peers - Gather stakeholder feedback on Security’s performance
• Agile planning
  • Set controls maturity goals against risk appetite and budgets - Maximize the impact of cybersecurity investments
• Implementation
  • Clear steps and RACI - Talents - Metrics - Change management
• Monitoring
Controls hygiene and Compliance
Source: ANSSI
Controls hygiene and Compliance (II)
Source: NIST
NIST Cybersecurity Framework core: functions, categories and category IDs

Identify - What processes and assets need protection?
  ID.AM  Asset Management
  ID.BE  Business Environment
  ID.GV  Governance
  ID.RA  Risk Assessment
  ID.RM  Risk Management Strategy
  ID.SC  Supply Chain Risk Management

Protect - What safeguards are available?
  PR.AC  Identity Management & Access Control
  PR.AT  Awareness and Training
  PR.DS  Data Security
  PR.IP  Information Protection Processes & Procedures
  PR.MA  Maintenance
  PR.PT  Protective Technology

Detect - What techniques can identify incidents?
  DE.AE  Anomalies and Events
  DE.CM  Security Continuous Monitoring
  DE.DP  Detection Processes

Respond - What techniques can contain the impacts of incidents?
  RS.RP  Response Planning
  RS.CO  Communications
  RS.AN  Analysis
  RS.MI  Mitigation
  RS.IM  Improvements

Recover - What techniques can restore capabilities?
  RC.RP  Recovery Planning
  RC.IM  Improvements
  RC.CO  Communications
Controls hygiene and Compliance (III)
Source: Financial Services Sector Specific Cybersecurity “Profile”, NIST Cybersecurity Workshop, May 17, 2017
Source: Wavestone
NIST has been working with the Financial Services Sector Coordinating Council (FSSCC) to develop a NIST Cybersecurity Framework (CSF) sector-specific “Profile” for Financial Services that could include:
• A new risk-tiering methodology
• Significant changes to the framework core and diagnostic statements
• More precise assessment criteria
Security program, one way to go
Security program, another one
• Plan a maturity increase across multiple years
  1. Design and build the program
  2. Trust and resilience foundations
  3. e.g. Extended detection and customer security
  4. Target objective
• Across the main categories of IT assets
  • People - awareness, training, trust and key enabler of security…
  • Process - formalised, implemented, measured, reported…
  • Infrastructure - identified, classified, protected and resilient to attacks, monitored to detect new and advanced threats
  • Applications - identified, classified, SDLC, fraud detection…
  • Data - identified, classified, protected, monitored…
Security program – example of tools & steps
Source: SANS (Brian Ventura)
Risks
Source: Wikipedia
Tips from the trenches
• People first
  • Source and secure key talents in a multi-year people strategy
• Enterprise risk appetite is
  • Key to driving decisions
  • Difficult to define beforehand
• When sitting at the board, speak the board’s language
  • No tech terms; RoI, cost effectiveness, etc.
• Budget management
  • Investments (people and $), and do not forget the induced additional BAU work created across IT and Security
• Work on quick improvements of incident and crisis management
• Build agility into your program to re-prioritize projects
  • Evolution of threats, the company’s technology landscape, regulations, business focus, etc.
Contacts and Q&A
Help me find new ideas: challenge my views !
Thanks in advance
Olivier Busolini
busolivier@protonmail.com
Olivier Busolini has been involved in IT security for 25 years, in the private and public sectors, across several industries. He has experienced different business dynamics, and developed leadership in IT risk and security management, as an integrated part of operational risks, data governance and digital business activities.
He has held CISO roles for Swiss banks for the last 10 years. He focuses on managing technology risks and security from a business risk perspective, to deliver cost-efficient risk assurance.
This presentation was created in my personal capacity. The opinions expressed in this document are mine only, and do not necessarily reflect the view of my employer. All rights reserved to the author.