My experience as CISO
managing information security
Marc Vael (@marcvael)
Tuesday 23rd of March 2021
How to become a CISO
1. Self-analysis
How to become a CISO
2. Education
How to become a CISO
3. Career path
How to become a CISO
4. Professional certifications
Certification years shown on the slide: 1994, 2003, 2004
Information Security Governance
Establish and/or maintain an information security governance framework & supporting processes to ensure that the information security strategy is aligned with organizational goals & objectives.

Information Risk Management
Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals & objectives.
Information Security Program Development & Management
Develop & maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy & business goals, thereby supporting an effective security posture.

Information Security Incident Management
Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
Information Security Management (the six areas of the security function at Esko)
Security Operations: Implement & improve foundational principles for securing Esko IT infrastructure
Security Governance / Risk: Implement & improve processes for mature information security governance & risk within Esko
Security Business Support: Create & improve standard work for Esko business security
IT Compliance: Integrate Esko IT compliance by design in terms of Information Security (& Privacy)
Security Innovation: Integrate Information Security into new innovative Esko (IT) solutions
Security Incidents: Identify, Protect, Detect, Respond to and Recover from Information Security Incidents
How to become a CISO
5. Keep current
Chief Information Security Officer
Success formula:
4C x 3I x 2S x O
4C = Complexity + Culture + Communication + Collaboration
3I = Information + Interconnectiveness + Initiative
2S = Strategy + Security
O = Optimization
Stephane Nappo, VP & Global CISO, Groupe SEB
Contact details
Mr. Marc Vael, CISM, CISSP, CRISC, CGEIT, ITIL SM, Guberna Certified Director
CISO, Esko
President, SAI
marc.vael@sai.be
http://www.linkedin.com/in/marcvael
@marcvael
Backup slides: the four CISM domains and their task statements
Information Security Governance
1) Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
2) Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
3) Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
4) Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
5) Develop business cases to support investments in information security.
6) Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
7) Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
8) Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end-users, privileged or high-risk users) and lines of authority.
9) Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
Information Risk Management
1) Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
2) Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
3) Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently and at appropriate times to identify and assess risk to the organization’s information.
4) Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
5) Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
6) Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
7) Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
8) Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
9) Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.
Information Security Program Development & Management
1) Establish and/or maintain the information security program in alignment with the information security strategy.
2) Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
3) Identify, acquire and manage requirements for internal and external resources to execute the information security program.
4) Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
5) Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
6) Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
7) Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
8) Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
9) Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
10) Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.
Information Security Incident Management
1) Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
2) Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
3) Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
4) Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
5) Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
6) Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
7) Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
8) Establish and maintain communication plans and processes to manage communication with internal and external entities.
9) Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
10) Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 

my experience as ciso

  • 1. My experience as CISO @marcvael March 2021 My experience as CISO managing information security Marc Vael Tuesday 23rd of March 2021 How to become a CISO 1. Self-analysis
  • 2. How to become a CISO 1. Self-analysis How to become a CISO 2. Education
  • 3. How to become a CISO 2. Education How to become a CISO 3. Career path
  • 4. How to become a CISO 4. Professional certifications
  • 5. How to become a CISO 4. Professional certifications 2004 2003 1994
  • 6. Information Security Governance: Establish and/or maintain an information security governance framework & supporting processes to ensure that the information security strategy is aligned with organizational goals & objectives. Information Risk Management: Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals & objectives.
  • 7. Information Security Program Development & Management: Develop & maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy & business goals, thereby supporting an effective security posture. Information Security Incident Management: Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
  • 8. Information Security Management
     Security Operations: Implement & improve foundational principles for securing Esko IT infrastructure
     Security Governance / Risk: Implement & improve processes for mature information security governance & risk within Esko
     Security Business Support: Create & improve standard work for Esko business security
     IT Compliance: Integrate Esko IT compliance by design in terms of Information Security (& Privacy)
     Security Innovation: Integrate Information Security into new innovative Esko (IT) solutions
     Security Incidents: Identify, Protect, Detect, Respond to and Recover from Information Security Incidents
     How to become a CISO 5. Keep current
  • 9. Chief Information Security Officer Success formula: 4C x 3I x 2S x O. 4C = Complexity + Culture + Communication + Collaboration; 3I = Information + Interconnectiveness + Initiative; 2S = Strategy + Security; O = Optimization. Stephane Nappo, VP & Global CISO, Groupe SEB
  • 10. Contact details: Mr. Marc Vael, CISM, CISSP, CRISC, CGEIT, ITIL SM, Guberna Certified Director. CISO President Esko SAI. marc.vael@sai.be http://www.linkedin.com/in/marcvael @marcvael
  • 11. Backup Slides. CISM Information Security Governance
     1) Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
     2) Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
     3) Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
     4) Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
     5) Develop business cases to support investments in information security.
     6) Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
     7) Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
     8) Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end-users, privileged or high-risk users) and lines of authority.
     9) Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
  • 12. Information Risk Management
     1) Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
     2) Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
     3) Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.
     4) Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
     5) Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
     6) Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
     7) Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
     8) Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
     9) Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.
     Information Security Program Development & Management
     1) Establish and/or maintain the information security program in alignment with the information security strategy.
     2) Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
     3) Identify, acquire and manage requirements for internal and external resources to execute the information security program.
     4) Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
     5) Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
     6) Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
     7) Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
     8) Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
     9) Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
     10) Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.
  • 13. Information Security Incident Management
     1) Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
     2) Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
     3) Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
     4) Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
     5) Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
     6) Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
     7) Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
     8) Establish and maintain communication plans and processes to manage communication with internal and external entities.
     9) Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
     10) Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.