DOES TITLE MAKE A DIFFERENCE?
A personal view of corporate governance
Pete Nieminen
Enfo Oyj
pete@enfogroup.com
@PeteNieminen
https://www.linkedin.com/in/petenieminen/
28.3.2019
WHO IS RESPONSIBLE FOR MANAGING SECURITY?
NTT Security Risk:Value report 2019: what decision makers believe about responsibility for security
22% believe the CIO is responsible for managing security
20% believe the CEO is responsible for managing security
19% believe the CISO is responsible for managing security
0% of CIOs believe they are responsible for managing security
0% of CEOs believe they are responsible for managing security
100% of CISOs believe they are responsible for managing security
39% have no idea who is responsible for managing security
…but they sure hope someone is
CISO: BUSINESS CONTINUITY
CONCERNS AND GOALS (CISO)
Strategic alignment
Regulations
Cloud security
Staffing
Emerging technologies
Response and remediation
Expanding responsibilities
Large scale attacks
Managing data
Foundational security
CIO: GROWTH ENABLEMENT
CONCERNS AND GOALS (CIO)
New business models
Increased customer focus
Manage information security
People and talent management
Digital transformation
Public cloud
Application upgrades
More value for investments, digital twins
New technologies (analytics/BI/AI/IoT/RPA)
Personal transformation
CEO: OWNER VALUE
CONCERNS AND GOALS (CEO)
Attracting and retaining top talent
New business models with disruptive technologies
Leading business transformation
Leadership development for future leaders
Navigating and communicating constant change
Business growth, staying ahead of competition
Managing data and skill gaps
Nurturing a strong company culture
Choosing the right opportunities
Fear of recession
Chart (Gartner 2019): traditional roles on business growth vs continuity, with residual risk as the third dimension.
99% CEO’s estimate cybercrime to rise during 2019
Gartner 2019
100% of CISO’s are pissed about the previous fact
5% of CEO’s plan to do something about it
99% CEO’s estimate cybercrime to rise during 2019
Executives fired
due
major security
incidents 2012-
2017.
Gartner 2019
THREAT VECTOR EXAMPLE
Figure (Enfo Cloud Assessment CIO 2018, Enfo 2018): cloud maturity model plotted on cloud adoption vs cloud maturity. Stages 0 to 2 run from Reactive development through Operational excellence and Business innovation to Business value; a paradigm shift separates the innovation side from the experience/optimization side. The four stages are described below.
REACTIVE DEVELOPMENT
IT uses public cloud to answer business requirements. Most business support and IT processes are based on manual execution. On-demand skills and partnerships.
OPERATIONAL EXCELLENCE
Advanced understanding and automated usage of IaaS services. Fine-tuned ITSM and agile public cloud design with trusted partners. IT-centric service culture. Cloud and control established.
BUSINESS INNOVATION
Business and IT work tightly together to create more agile and scalable solutions in the public cloud. IT skills and/or partners are not quite mature enough for automated execution.
BUSINESS VALUE
Business model and processes aligned with extensive public cloud experience. IT is seen as an investment and it scales with the business. Advanced service automation, agile processes and multi-cloud management with skilled partners.
(Figure axis label: Experience / Optimization)
SECURITY BY DESIGN
What to expect in 2019
• More data leaks and exposures
• Work-from-home scenarios will open enterprises to BYOD-like security risks
• Brexit will hamper U.K. tech, startup and subsidiary growth
• Facebook’s privacy woes will spread to other Silicon Valley giants
• One incident away from sparking another Apple v. FBI crypto-war
• Innocent victims will get caught in the cyberwar crossfire
• Focus on cloud-based security platforms and aim to be secure by design
• Tighter regulation is affecting risk profiles (GDPR, Australia, California)
• Mass real-world use of breached credentials
• Voice-controlled digital assistants as the next attack vector
• Cybercriminals will use more advanced techniques to blend in
CAN CISO GET CIO AND CEO TO UNDERSTAND?
YES
Diagram labels: sustainable, measurable, defined benefits, non-IT value, cost control, business decision process, governance.
Treat security like a business service
Business security services:
Enterprise risk and security requirements defined in business terms
How does the service affect the business, results and value
What are the services businesses want to buy
Business services reflected in customer-facing services
Business-centric view of cybersecurity
• Treat risk and security as a business service
• Move cybersecurity from project management to product management
• Integrate cybersecurity with customer experience
• Create the right balance between effort and value
• Address risk-aware cultural challenges and disconnects
• Increase the engagement of executives
• Prioritize based on business outcomes and value delivery
• Balance business between risk and security
• Focus on transparency and communications
• Try hacking instead of traditional
Chart: the larger the business, the more of a target it is; low risk comes at high cost, high risk at low cost, and security must be balanced against the business.
Create a sustainable program to protect the business
Reconstitute the continuous plan according to business growth
BALANCE BETWEEN RISK AND COST
Maintain a risk-based funding plan
Chart: budget across year 1, year 2 and year 3, with projects 1 to 10 ordered by priority and residual risk.
Strategic plan
• Prioritize projects on budget, impact and schedule.
• Create a roadmap where all the projects are listed.
• Concentrate on the recommendations for improvement and for lowering risk in the first year.
Three-year plan
• Get funding for the first year (strategic).
• At the end of the year, do not just start year two.
• Each year, reconstitute the entire plan, so you always have a three-year plan with an always funded first year.
• This way you have the funding for the critical projects and keep your focus on execution.
• If the residual risk grows too high, you need more annual funding.
Business/real-world KRI and KPI mappings

AREA                | KEY RISK INDICATOR                                                                              | KEY PERFORMANCE INDICATOR
Confidentiality     | Percentage of deals lost to competitive intelligence                                            | Competitiveness index
Privacy             | Percentage of incidents where customer personal data is put at risk                             | Customer satisfaction and renewal indexes
Availability        | Percentage of lost or delayed inventory due to failure                                          | Manufacturing capacity index
Risk management     | Percentage of critical business processes that have had a risk assessment in the past 24 months | Related to bad management decisions
Business continuity | Percentage of disaster recovery plans tested in the past 12 months                               | High personnel turnover
Sourcing            | Percentage of suppliers with approved security control frameworks                               | Sales index
Integrity           | Defect rate attributed to integrity failures                                                    | Financial integrity, engineering effectiveness
Typical security metrics

MEASURE                               | KPI                                                                                                        | INDICATOR OF
Server patching                       | Time to patch critical vulnerabilities in servers, or time to patch vulnerabilities in critical servers     | Operational disruption, reputation
Client patching                       | Time to patch OS and other key software, by client OS                                                      | Operational disruption, reputation
AV coverage                           | Percentage of clients by OS with up-to-date AV                                                             | Operational disruption, reputation
Penetration testing                   | Mean time to fix critical and high vulnerabilities by stream; percent not fixed within SLA                | Operational disruption, reputation
Training completion                   | Percentage of employees that have completed their annual training                                          | Operational disruption, reputation
Phishing results                      | Phishing test failure rates by campaign                                                                    | Operational disruption, reputation
Compromised customer accounts         | Number of customer accounts that are known to have been compromised                                        | Reputation, financial
Fraudulent orders using hacked accounts | Value and quantity of fraudulent orders placed using a hacked account                                    | Reputation, financial
Incidents                             | Mean time to identify and mean time to contain                                                             | Operational disruption
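The metrics in the table are only useful if they are computed the same way every month. As an added example that is not part of the presentation, the following Python computes four of them from constructed records: time to patch critical server vulnerabilities, the percentage of penetration-test findings not fixed within SLA (overall and by stream), phishing failure rate by campaign, and mean time to identify and mean time to contain for incidents. The record layouts, the SLA values in SLA_DAYS and all sample data are assumptions for the example; the deck names an SLA but gives no figures.

```python
from datetime import date, datetime
from statistics import mean

# Constructed sample records (assumptions for this example, not data from the deck).
# Vulnerability findings: detection date, fix date (None = still open), severity, stream.
VULNS = [
    {"id": "V-1", "severity": "critical", "stream": "web", "detected": "2019-01-02", "fixed": "2019-01-05"},
    {"id": "V-2", "severity": "critical", "stream": "web", "detected": "2019-01-10", "fixed": "2019-01-25"},
    {"id": "V-3", "severity": "high",     "stream": "api", "detected": "2019-01-03", "fixed": "2019-01-20"},
    {"id": "V-4", "severity": "critical", "stream": "api", "detected": "2019-02-01", "fixed": None},
    {"id": "V-5", "severity": "high",     "stream": "web", "detected": "2019-02-15", "fixed": None},
    {"id": "V-6", "severity": "medium",   "stream": "web", "detected": "2019-01-08", "fixed": "2019-03-01"},
    {"id": "V-7", "severity": "high",     "stream": "api", "detected": "2019-01-05", "fixed": "2019-01-15"},
]

# Assumed remediation SLAs in days; only these severities are tracked against SLA.
SLA_DAYS = {"critical": 7, "high": 30}

# Phishing simulation campaigns: recipients and how many failed (clicked / submitted).
PHISHING = [
    {"campaign": "Q1-invoice", "sent": 200, "failed": 30},
    {"campaign": "Q1-password-reset", "sent": 150, "failed": 9},
]

# Incidents with the three timestamps the MTTI/MTTC definitions below need.
INCIDENTS = [
    {"id": "I-1", "occurred": "2019-03-01T08:00", "identified": "2019-03-01T20:00", "contained": "2019-03-02T08:00"},
    {"id": "I-2", "occurred": "2019-03-10T00:00", "identified": "2019-03-11T00:00", "contained": "2019-03-11T06:00"},
]


def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def time_to_patch(vulns, severity="critical"):
    """Mean days from detection to fix over fixed findings of one severity (None if none fixed)."""
    durations = [_days(v["detected"], v["fixed"]) for v in vulns
                 if v["severity"] == severity and v["fixed"] is not None]
    return round(mean(durations), 1) if durations else None


def pct_not_fixed_within_sla(vulns, as_of):
    """Percent of SLA-tracked findings not fixed within SLA, per stream and overall.

    A finding is breached if it was fixed after its deadline, or is still open and
    its deadline has already passed as of `as_of`. An open finding whose deadline is
    still in the future is undecided and is left out of the denominator, so fresh
    findings cannot make the figure look better than it is.
    """
    per_stream = {}  # stream -> [considered, breached]
    for v in vulns:
        sla = SLA_DAYS.get(v["severity"])
        if sla is None:
            continue  # severity not tracked against an SLA
        if v["fixed"] is not None:
            breached = _days(v["detected"], v["fixed"]) > sla
        elif _days(v["detected"], as_of) > sla:
            breached = True  # open and overdue
        else:
            continue  # open but still inside SLA: undecided
        bucket = per_stream.setdefault(v["stream"], [0, 0])
        bucket[0] += 1
        bucket[1] += int(breached)
    result = {stream: round(100.0 * b / n, 1) for stream, (n, b) in per_stream.items()}
    total = sum(n for n, _ in per_stream.values())
    breached_total = sum(b for _, b in per_stream.values())
    result["all"] = round(100.0 * breached_total / total, 1) if total else None
    return result


def phishing_failure_rates(results):
    """Failure rate in percent of recipients, keyed by campaign."""
    return {r["campaign"]: round(100.0 * r["failed"] / r["sent"], 1) for r in results}


def incident_mean_times(incidents):
    """(mean time to identify, mean time to contain) in hours.

    MTTI is measured from occurrence to identification; MTTC from identification
    to containment, so the two do not double-count the detection delay.
    """
    mtti = mean(_hours(i["occurred"], i["identified"]) for i in incidents)
    mttc = mean(_hours(i["identified"], i["contained"]) for i in incidents)
    return round(mtti, 1), round(mttc, 1)


def security_scorecard(as_of="2019-02-20"):
    """Bundle the four measures the way a monthly report would present them."""
    return {
        "time_to_patch_critical_days": time_to_patch(VULNS, "critical"),
        "pct_not_fixed_within_sla": pct_not_fixed_within_sla(VULNS, as_of),
        "phishing_failure_rate_pct": phishing_failure_rates(PHISHING),
        "incident_mtti_mttc_hours": incident_mean_times(INCIDENTS),
    }


if __name__ == "__main__":
    for name, value in security_scorecard().items():
        print(f"{name}: {value}")
```

The SLA-breach rule is the part worth agreeing on before the number is reported upward: whether still-open findings inside their SLA count, and whether a breach is measured against detection or against triage, changes the percentage noticeably, so the definition belongs next to the metric.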
Map risks to business
Diagram: a KRI chain in which a vulnerability breach (KPI: time to patch) leads to a critical application failure (KPI: application usability), which in turn leads to a business process shutdown (KPI: production utilization).
TECHNOLOGY DEPENDENCY ANALYSIS
Diagram: traditional (bottom-up) vs top-down analysis, in three tiers.
Business metrics: a business metric for technology informs business decisions related to business outcomes that are dependent on technology. "Automated loan origination process impacts the number of in-branch service people needed."
• Technology dependency creates a lot of opportunity to influence investment decisions across both technology and business operations.
Business metric aligns with and informs business decisions. "Inventory turnover informs the investment in inventory."
IT metric aligns with and informs IT decisions. "Mean time between failures informs the upgrade and maintenance schedules of hardware."
Ten takeaways for
raising the bar
• Understand the roles, concerns and the goals
• Make responsibilities clear and communicated
• Know business threat horizon and vectors
• Build a sustainable security program
• Create a risk-based funding plan and a roadmap
• Offer security as a business service
• Learn a business centric view to cybersecurity
• Map risks to business
• Perform Top-down dependency analysis
• Remember to use business metrics