The CISO is evolving to CIRO. Successful IT security leaders are transforming their skills to meet the demands for today and future needs of their organization. A CIRO understands how to prepare board presentations, information risk management, third-party risk and regulatory requirements, and how to balance those with the needs of the business. Earn your seat at the table by becoming a CIRO! (Source: RSA USA 2016-San Francisco)

1. SESSION ID:
#RSAC
James Christiansen
Cave Man to Business Man,
the Evolution of the CISO to CIRO
PROF-M07
VP Information Risk Management
Optiv

2. #RSAC
The Evolution of the CISO
2

3. #RSAC
The Expanded Role of the CISO
Assess
Improve
Monitor
SECURE & COMPLIANT
BUSINESSSTRATEGY
Business Drivers
and Initiatives
Risk and Security
CoverageRisks OversightApproach
Coordinated Approach To Risk
Aligned to Business Drivers
Asset
& Capital
Management
Earnings &
Operating
Margins
Revenue &
Market Share
Reputation
& Brand
COBIT
COSO
ITIL
ISO 17799
Frameworks
Executive
Management
Board
Audit
Committee
Risk
Committee
ENABLE THE BUSINESS
SOX
Patriot Act
GLBA
Other
Regulations
Regulations
Strategic
Operations
Financial
Compliance
Busines
s
Drivers
Governance,
Policies, & Standards
Security Program Compliance, Monitoring, & Reporting
Technical Security Architecture
Processes
&
Operational
Practices
Technical
Specifications
Asset Profile
People &
Organizational
Management
AVAILABILITY
EXECUTIVE
MANAGEMENT COMPLEX JOB
Board of Directors, Media, Investors, Clients
ACHIEVEBUSINESS
OBJECTIVES
3

4. #RSAC
Agenda
The Evolution of the Role
Drivers of CIRO Emergence
What Makes the CIRO Different
Making the Transition
How to Apply What You Learned
Summary
4

5. #RSAC
Introduction
The role of information security is
changing
There is a disconnect between the
objectives of the traditional CISO
and the needs today
The role of the CISO needs to change
to meet the business needs
5

6. #RSAC
Common Complaints about the CISO
Doesn’t positively engage with the business
Security strategy and spending does not align with the business
strategy
Focus on information protection at the expense of other
corporate goals
Roadblock to innovation and revenue growth
Can articulate value to the business
We are going to change
the perception of the
executive team!
6

7. #RSAC
The Basics of the CIRO

8. #RSAC
A business aligned strategy includes
understanding the business and compliance
objectives, threats and risks.
AD HOC
INFRASTRUCTURE
BASED
COMPLIANCE
BASED
THREAT BASED
BUSINESS ALIGNED
RISK
BASED
Shortcut =
Failure to
Pass
INTELLIGENCE DRIVEN
The Security
Journey
8

9. #RSAC
Drivers of the Emergence of the CIRO
Increase in outsourcing
(greater emphasis on third party oversight)
Changing threat landscape
(need for risk based remediation)
Greater expectations
of boards and executive teams
9

10. #RSAC
Skills of the CIRO
Has traditional security knowledge (CISSP, CISM, etc.)
Exhibits business savviness (MBA)
Thinks like a lawyer and a hacker
Possesses leadership skills (comfortable in front of the board)
Understands risk management principles
Can implement project management fundamentals
10

11. #RSAC
The Successful Chief Information Risk Officer
Information Driven Decision Making
• Strategic and Operational Metrics / Dashboard
• Information Risk Assessment and Management
• Integration with Enterprise Risk Management
CIRO
Information Security is a Business Imperative
• Enable Business to Securely Deliver Product and Services
• Positive Interaction With Partners, Third Parties and Regulators
Shared Budget Responsibility
• Corporate and Business Unit – Balanced Risk and Cost
• Prioritization With Other Strategic Business Projects
11

12. #RSAC
2nd Line of Defense
Information Risk Office
Information Risk Program
1st Line of Defense
IT Information Security
3rd Line of Defense
Audit and External
• Highly Skilled and
Trained Staff
• Processes to Protect,
Detect and Respond
• Implement Enabling
Security
Technologies
• Define and Enforce
Information Security Policy
• Program Strategy and Goals
• Measure and Manage
Information Risk
• Oversee Industry and
Regulatory Requirements
• Board of Directors
Oversight
• Internal and External
Audit Validation
• External Testing and
Validation of Controls
Three Lines of Defense to Achieve Effective Information Risk Management
12

13. #RSAC
Reporting Structures, Old and New
13
Threat
Management
Security
Technology
Security
Operations
Business
Continuity
Regulatory
Compliance
Third Party
Risk
Governance
and Risk
Management
Threat Management
Governance and Risk
Management
Security Operations
Business Continuity
Governance and Risk
Management
Security Operations

14. #RSAC
Advantages of New Organizational
Structure
 Aligns information risk with business priorities
 Visibility into organizational or product changes
 Supports shared responsibility for information risk
 Focus on risk of information regardless of location or form
 Able to address board, executive management and customers
14

15. #RSAC
The Skills of the CIRO

16. #RSAC
Skills Required to Make the CIRO Transition
Thorough understanding of risk management
concepts
 e.g. Factor Analysis of Information Risk (FAIR)1
Executive level communication skills
 Presentation Skills – Toastmasters
 Written Skills – College and Editors / Colleagues
Thorough understanding of your organization’s
business, objectives and growth plans
 Regular meetings with business executives
1Source: Risk Management Insight (riskmanagementinsight.com)
16

17. #RSAC
How?
Know the Regulations:
 Establish a good working relationship with your attorneys
 Participate in standard setting and regulatory rulemaking
processes (i.e., help shape the rules)
 Understand the privacy laws impacting your organization
Determine Threat Landscape:
 Implement a threat analytics maturity model
Understand the Corporate Culture:
 Determine the risk aversion, rate of change, cultural differences
and countries of operation
17

18. #RSAC
Business Acumen
Regulatory Compliance
Management
Third-Party Risk
Management
Information
Security
CIRO
Evolution of the CISO to the CIRO
Securing the
Organization
CISO
Secure the internal
organization
Manage the risk of
third parties
Manage regulatory
risks
Communicate
current status and
risks to board
18

19. #RSAC
Speaking to the Board of Directors

20. #RSAC
Executive Management / Board – NACD
Guidance from the National Association of Corporate Directors (NACD)
Guidance includes specific questions about program maturity, breach notification,
situational awareness, strategy and incident response
PRINCIPLE 1:
Cyber security is
an enterprise risk
management
issue, not just an
IT issue
PRINCIPLE 2:
Understand
legal
implications
of cyber risks
PRINCIPLE 3:
Have regular
updates and
access to cyber
security experts
PRINCIPLE 4:
Establish cyber-risk
management
framework with
adequate staffing and
budget
PRINCIPLE 5:
Discuss which risks
to avoid, accept,
mitigate or
transfer through
cyber insurance
Source: nacdonline.org/cyber 20

21. #RSAC
Executive Management / Board – Tips
Keep it short and concise – Typically they will want pre-
materials
Never guess at an answer – They read people very well!
Information Risk Dashboard – Include risk inside and outside
the organization
• New risk highlights
• Trends – What areas of risk are increasing and decreasing
• Overall goal – Demonstrate the effectiveness of your information risk
management program over time
Source: NACD, Cyber-Risk Oversight, Directors Handbook 2014
21

22. #RSAC
Driving Value Into Enterprise

23. #RSAC
Leveraging Information Risk to Drive Value
Concrete Examples:
Enabling a new customer product through advanced security
practices and knowledge of the privacy protection
requirements
Factoring in an information risk discount on an acquisition
valuation / purchase price
Leveraging fraud and security data to improve customer
experience
23

24. #RSAC
Contributing to the Organization’s Success
Revenue Contribution
• Enable Business Efficiency
• Product Delivery
• Brand Name Confidence
Earnings Contribution
• Reduced Operating Expenses Related to Security Failure
• Long-Term Reduction of Security Program Costs
• Circumvent Costs of Regulatory Non-Compliance
24

25. #RSAC
Summary
The current CISO role is not meeting organizational needs
CISO must adapt or will be replaced by person with needed
skills
A focus on managing information risk offers a superior
alignment to the organization’s objectives
There are steps you can take to position yourself for this
transition
25

26. #RSAC
Apply It
TODAY
Immediate actions:
Assess you and your
program’s readiness to
make the CIRO
transition
Establish YOUR plan to
gain and implement
necessary skills
90 DAYS
Take steps to realign
skill sets, focus, and
organizational structure
to an information risk
based approach
+90
DAYS
26

27. #RSAC
Resources
The Evolution of the CISO
(Optiv.com/Resource Library)
NACD – Cyber-Risk Oversight Handbook
(nacdonline.org/cyber)
Introduction to Factor Analysis of
Information Risk (FAIR)
(riskmanagementinsight.com)
Six Forces of Security Strategy
(Optiv.com/Resource Library)
27

28. #RSAC
Questions?
James.Christiansen@optiv.com
28