Downloaded 46 times
Uploaded byTripwire
I.T. Geeks Can't Talk to Management
The document outlines the security needs of a Chief Information Security Officer (CISO) and highlights the importance of a security report card that tracks various metrics across divisions, particularly in the U.S. consumer sector. It emphasizes the necessity of foundational security controls, business context, and aligned risk-based security to improve decision-making and overall security performance. The content also discusses the value of connecting security to business objectives and offers flexible deployment options.
More Related Content
Similar to I.T. Geeks Can't Talk to Management
I.T. Geeks Can't Talk to Management
- 18. The CISO needswhat the CFO has….
- 21.
- 26. Systems, tests, incidents,breaches
- 27. WEEKLY SECURITY REPORTCARD U.S. CONSUMER DIVISION TARGET 85 HIGHEST SCORE 88 FULFILLMENT, EMEA U.S. CONSUMER 71 ORG RANK: 17/25 LOWEST SCORE 61 U.S. COMMERCIAL MEDIAN 76
- 28. SECURITY POLICY STATEBY LINE OF BUSINESS Organizational Benchmark: 75
- 29. SYSTEM HARDENING REPORT,BY DIVISION CIS Benchmark
- 30. CURRENT SECURITY BREAKDOWN CONSUMERDIVISION SERVICE GEOGRAPHY APPLICATION OWNER
- 31.
- 32. Systems, tests, incidents,breaches
- 38. • Broadest setof foundational security controls • Business context with blended asset and risk scoring • Security business intelligence with performance reporting and visualization to make better decisions • Covering the extended enterprise
- 41.
- 43. Connect Security Tothe Business Enable Aligned & Risk-based Security Deliver Foundational Security Controls Provide Flexible & Scalable Deployment Options
- 44. Connect Security Tothe Business Enable Aligned & Risk-based Security Deliver Foundational Security Controls Provide Flexible & Scalable Deployment Options
Editor's Notes
- #5 Ask the audience whether they think risk management is an art or a science
- #7 By industry:- Largest difference in the industrial industry. By job title:Professionals with roles in IT (security, operations) or in compliance, tend to think it’s more a SCIENCEProfessionals in business operations or risk management (IT or ERM) tend to lean towards ART
- #9 Key findings from the survey include:81 percent rated their organization’s commitment to risk-based security management as ‘significant’ or ‘very significant’
- #10 However:46 percent say their organization’s approach or strategy for risk-based security management is non-existent or ‘ad-hoc’Only 29 percent have a security risk management strategy that is applied consistently across the enterprise
- #11 47 percent don’t have a risk-based security management program or most program activities have not been deployed
- #13 62 percent say that the business has little or no input involvement in providing risk-based analysisRoughly 50%say their metrics are not aligned with needs of the business
- #14 Key findings from the survey include:88 percent identified the protection of intellectual property and 78 percent identified the minimization of non-compliance as a key business objectives for risk-based security programs
- #16 The lack of proactive security posture communication that can be understood by nontechnical executives is a significant challenge for a majority of security professionals. The chain of communication to the senior executive team is definitely broken. Key findings from the survey include:- 64 percent said they don’t communicate security risk with senior executives or only communicate when a serious security risk is revealed.
- #17 50/50 effective and not effective. Why? Top reasons:- Information is too technical to be understood by non-technical managementMore pressing issues take precedenceWe only communicate with senior executives when there is an actual incidentIt takes too much time and resources to prepare and report metrics for senior executives
- #19 What’s needed is a way to communicate that is like how CFOs do it. THEY communicate highly technical, conceptual information about business every day, month, quarter, and year, and most in the C-suite seem to get it. I reject the notion that execs at that level cannot be communicated with except by ‘dumbing down’ the data. Sure – they’re not going to get or even care about security details, but they need trends, comparisons, and big-picture views that only the CISO can provide.
- #34 Instead, all they usually want to know is are we secure, and how we’re trending. Really, not even that – their questions go to – will I be sued? Are you keeping our company safe such that we won’t be subject to humiliation, public ridicule, and of course, a lower P/E ratio? So charts like these might make sense to you and your team, (CLICK) but execs may need an even higher roll-up. Regardless of the visuals – and they should be designed to fit what your organization could best receive, your execs need a higher level roll-up.A Rollup, a summary, a dashboard, regardless of the tool you use – this is preferred. Visualizations can really help your work resonate with your peers and boards. Some of you may already be collecting the right data, and you and your teams DO get into the small details because you know it’s where a lot of the more subtle issues exist. Most CISOs I talk to will acknowledge that they spend a lot of manhours, manual labor and analysis to produce something from data across the organizational and technical silos. And, there’s often fine art of extrapolation, probabilities, and impact assessed between apples and pears. As you know everything is not easily comparable. Ideally to automate and save time, as well as keep the data consistent and normalized across dissimilar systems, you could use a tool like ours (CLICK)
- #35 We help you connect security to the business by:Continuously measuring security and risk postureDelivering reports easily understood by non-technical executivesMaking it easy to customize and integrate into your environment to improve decision makingWhich saves you time, money and effort to reducing risks in your business
- #39 Covering the extended enterprise so you know you are secure
- #40 Tripwire is unique becauseThe resource to make CSTB a realityLeverage our best-in-class data and put it in business context (VA + Change + Config + Events = Priceless Has the metrics, scorecards and analytics that rollup and connect security efforts to business initiativesHas security peer benchmarks Has sophisticated asset management and risk scoring Deliver the SANS CSC First 5Has best-in-class vulnerability & configuration managementSolves the SANS 20 CSC “First Five” right out of the boxMost Scalable, Flexible solution for the EnterpriseHas enterprise scalability and integration delivery options: appliances, virtualized, cloud, agent and agentless or hybridCover everything: breadth & depth
- #41 As part of Tripwire’s risk-based security management, there is the broadest set of foundational security controls available in the market today:Continuous discovery and monitoring of your entire IT infrastructureBreadth – secure your entire infrastructure, including physical, virtual, web-based, database and network devices Completeness – configuration auditing and management, vulnerability management, file integrity monitoring and log and event managementComprehensive asset discovery and reconciliationHighly accurate and deep coverage in vulnerability and configuration discovery Research team providing up to date coverage in the ever changing threat environmentAutomates and assures regulatory and policy complianceFlexible deployment options including on premise and/or cloud-based and, agent or agentless monitoring One suite for Security configuration, hardware, software and integrity vulnerabilities
- #42 As part of Tripwire’s risk-based security management, there is the broadest set of foundational security controls available in the market today:Continuous discovery and monitoring of your entire IT infrastructureBreadth – secure your entire infrastructure, including physical, virtual, web-based, database and network devices Completeness – configuration auditing and management, vulnerability management, file integrity monitoring and log and event managementComprehensive asset discovery and reconciliationHighly accurate and deep coverage in vulnerability and configuration discovery Research team providing up to date coverage in the ever changing threat environmentAutomates and assures regulatory and policy complianceFlexible deployment options including on premise and/or cloud-based and, agent or agentless monitoring One suite for Security configuration, hardware, software and integrity vulnerabilities
- #43 Our solution…
- #44 Lead The Market Convergence of Critical Security Controls Enable Business-aligned & Risk-based Security Provide Flexible & ScalableDeployment Options