Making a Cultural Change for
Information Security
Presented by
John Kelley and Doug Copley
25 MAR 2017
Note to Reviewer
Much of this document is specific to Sequris Group information systems, policies, procedures, and IT
security posture. As such, the contents of this presentation are classified as CONFIDENTIAL and cannot
be copied, reused, or distributed without express written authorization from Sequris Group.
Sequris Group, LLC Content All Rights Reserved 2011-2017
WWW.SEQURISGROUP.COM
© 2017 | 2
Contact Information
John Kelley
Sequris Group, LLC
(248) 837-1430
C-586-907-9751
jkelley@sequrisgroup.com
Doug Copley
CISO | CPO | Strategist | Advisor
(517) 204-5701
douglas.copley@gmail.com
https://linkedin.com/in/dcopley
https://twitter.com/DouglasCopley
Who is the CISO?
1. Security Leader? IT Leader? YES, Depends
2. Business-Savvy Executive? YES
3. Risk Leader? YES
4. Compliance Leader? Depends
5. Team Leader, Coach, Mentor? YES
6. Therapist? YES
7. McGyver? YES
CISO – The Impossible Job? Or Just Thankless
[Slide diagram: a matrix of security layers against program activities, filled with the controls a CISO is expected to own. Recovered text follows.]
Layers: Data; Network; Databases; Systems; Endpoints; Messaging & Content; Application; Infrastructure
Activities: Policy definition; Enforcement; Monitoring & response; Audit/Measurement; Compliance monitoring
Controls named in the diagram: Firewall; VPN; Database encryption; Database security and monitoring; Storage security; Firewall/Host IPS; Web security gateway; Antivirus/Antispyware; Device control; Hard drive encryption; XML gateway; Digital rights management; Identity & Access Management; Anti-spam; Asset Management; Mobile device security; Switch/Router security; Web security; Vulnerability Management; Application Assessment; Digital Investigation & Forensics; Wireless monitoring; Security Incident Management; Patch management; IDS/IPS; NAC; Application firewall; Enterprise encryption & key management; Data Leak Prevention; Forensics; Enterprise directory; Web SSO; Email content filtering; Antivirus; Strong Authentication; App encryption; Risk Management; Basic Auditing
Requires ability to work in uncertainty
[Slide image captioned "What Some Days Felt Like": a journey graphic marked "Day 1", "You are here…" and "Arranging deck chairs…", credited to http://www.workinginuncertainty.co.uk/]
CISO Priorities in 2017
• Managing information risk
• Executive business partner (enable)
• Successfully navigating the landscape (business, regulatory, threat)
• Risk-based strategy & vision
• Leadership (security, team, change)
• Drive the culture of risk identification
Primary Focus: Enable the business while managing risk & compliance
KEEP THINGS SIMPLE
Practical Steps for a CISO
1. Decide on a framework (ISO, NIST, HiTrust, etc.)
2. Build Relationships & Understand Business Priorities
3. Understand the technical environment, critical information and information flows
4. Identify & assess areas of risk
5. Governance Committee Prioritizes Actions
6. Implement controls
7. Measure control effectiveness
Periodic Security Risk Assessment
• Can provide a risk baseline
• Can provide an estimated compliance baseline
• Provides process to measure progress
• Must consider all “reasonably foreseeable risks”
• Should have close alignment to regulatory expectations and guidance
• Make sure scope is complete so you don’t end up doing another one to catch missed areas
• Will be primary input into security roadmap
8. Evaluate the Risks
• Determine which threats and vulnerabilities apply to each set of information
• Ask yourself the worst-case scenario
• Assess likelihood and impact
• Do you have controls that mitigate some risk?
• Use Finance to help measure risk in $$
• Rank risks – is there a documented tolerance?
• Evaluate cost and effort of additional mitigating controls
• Let governance committee decide actions
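The steps above are a procedure, so here is one way to carry them through on a small risk register: residual likelihood after existing controls, a likelihood × impact score for ranking against a documented tolerance, a dollar figure (annualized loss expectancy, SLE × ARO) for the Finance conversation, the cost/benefit of one extra control for the governance committee, and a per-framework-area rollup of the kind the risk dashboard slides later in the deck show. This is an added example, not code from the deck or from Sequris Group; the 1–5 scales, the tolerance of 9, the way ARO is scaled by residual likelihood, and every register entry are constructed assumptions.

```python
"""Added example (not from the Sequris deck): scoring, ranking and costing a
small risk register the way the "Evaluate the Risks" slide describes.
All scales, thresholds and register entries are constructed for illustration."""
from dataclasses import dataclass, field, replace

# Ordinal 1..5 scales (assumed; a real register would document its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: int     # likelihood steps the control removes
    annual_cost_usd: float = 0.0  # 0 for controls already paid for
    in_place: bool = True


@dataclass
class Risk:
    rid: str
    area: str            # framework area the risk rolls up to
    asset: str
    threat: str
    vulnerability: str
    worst_case: str      # "ask yourself the worst-case scenario"
    likelihood: str
    impact: str
    sle_usd: float       # single loss expectancy, estimated with Finance
    aro: float           # annualized rate of occurrence, events per year
    controls: list[Control] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        """Inherent likelihood minus what in-place controls mitigate (floor of 1)."""
        reduction = sum(c.likelihood_reduction for c in self.controls if c.in_place)
        return max(1, LIKELIHOOD[self.likelihood] - reduction)

    def score(self) -> int:
        """Residual likelihood x impact, used for ranking."""
        return self.residual_likelihood() * IMPACT[self.impact]

    def ale_usd(self) -> float:
        """Annualized loss expectancy = SLE x ARO. ARO is scaled by the residual/inherent
        likelihood ratio so controls lower the dollar figure (a simplifying assumption)."""
        factor = self.residual_likelihood() / LIKELIHOOD[self.likelihood]
        return self.sle_usd * self.aro * factor


# Constructed sample register (three entries, healthcare-flavoured to match the deck).
SAMPLE_REGISTER = [
    Risk("R1", "Asset Management", "clinical workstations", "ransomware",
         "unpatched endpoints with no device inventory", "EHR unavailable for days",
         "likely", "severe", sle_usd=500_000, aro=0.5,
         controls=[Control("endpoint anti-malware", 1)]),
    Risk("R2", "Access Control", "HR database", "insider misuse",
         "shared administrator account", "payroll data exfiltrated",
         "possible", "major", sle_usd=200_000, aro=0.2),
    Risk("R3", "Business Continuity", "backup system", "site outage",
         "no offsite copies", "restore takes longer than the RTO",
         "unlikely", "major", sle_usd=300_000, aro=0.1,
         controls=[Control("nightly backups", 1)]),
]


def rank_risks(risks: list[Risk], tolerance_score: int) -> list[tuple]:
    """Rank by residual score, then ALE, and flag anything above the documented tolerance."""
    ordered = sorted(risks, key=lambda r: (r.score(), r.ale_usd()), reverse=True)
    return [(r.rid, r.score(), round(r.ale_usd()), r.score() > tolerance_score) for r in ordered]


def mitigation_value(risk: Risk, candidate: Control) -> dict:
    """Cost/benefit of one additional control, for the governance committee to decide on."""
    trial = replace(risk, controls=risk.controls + [replace(candidate, in_place=True)])
    before, after = risk.ale_usd(), trial.ale_usd()
    return {"risk": risk.rid, "control": candidate.name,
            "ale_before": round(before), "ale_after": round(after),
            "annual_cost": candidate.annual_cost_usd,
            "net_benefit": round(before - after - candidate.annual_cost_usd)}


def by_area(risks: list[Risk], open_initiatives: dict[str, int]) -> dict[str, tuple[int, int]]:
    """(#risk items, #open initiatives) per framework area, as on a risk dashboard."""
    counts: dict[str, int] = {}
    for r in risks:
        counts[r.area] = counts.get(r.area, 0) + 1
    areas = set(counts) | set(open_initiatives)
    return {a: (counts.get(a, 0), open_initiatives.get(a, 0)) for a in sorted(areas)}


if __name__ == "__main__":
    TOLERANCE = 9  # assumed documented tolerance: a score above 9 needs committee action
    for row in rank_risks(SAMPLE_REGISTER, TOLERANCE):
        print(row)
    print(mitigation_value(SAMPLE_REGISTER[1], Control("privileged access management", 2, 25_000)))
    print(by_area(SAMPLE_REGISTER, {"Asset Management": 2, "Access Control": 2, "Compliance": 3}))
```

The ranking keeps the qualitative score as the primary key and the dollar figure as the tie-breaker, so a risk the business tolerates on the matrix is never promoted purely because its ALE is large; the committee sees both numbers and the net benefit of the proposed control, which is the decision the slide leaves to governance.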
Managing Cyber Risk
• Key is appropriately managing the risks
  • Policies & procedures (administrative)
  • Technology tools (technical)
  • Control physical access (physical)
• Risk/Cost decision: Do we need to:
  • Prevent it from happening?
  • Detect & respond when it happens?
  • Would it automatically get corrected?
  • Do we get cyber insurance?
• Is there a strong culture of openness?
Perspective: Users - Asset or Liability?
Liability
• Aren’t aware of policies
• Careless; make mistakes
• Contract malware
• Steal company secrets
• Sabotage systems
• Falsify data
• Steal identities
Asset
• Help educate others
• Police their departments
• Report risky behavior
• Help improve policies
• Help remediate events
• Pilot new controls
• Suggest new processes
UNDERSTAND THE NEEDS OF
EXECUTIVE LEADERSHIP
Six Cybersecurity Questions Boards Should Ask
1. Does the organization use a security framework?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
Source: © 2014 The Institute of Internal Auditors Research Foundation
ISO 27002:2013 Framework
NIST Cybersecurity framework
CIS Critical Security Controls (formerly the SANS Top 20)
Top Five Cybersecurity Risks
Be concise and transparent:
1. Asset Management
2. Network Access Control
3. Security Event Monitoring
4. User Education
5. Business Continuity
Example: Initiatives To Change 2016 Risk Levels
Asset Management (red to yellow)
• Infrastructure – finish deployment of existing tools
• Set up device discovery scans in Qualys
• Establish inventory process for network medical devices
Operations Management Security (red to yellow)
• Scale SIEM platform for Beaumont Health
• Greatly expand vulnerability management program
• Mature anti-malware management practices (follow-up)
• Implement web application scanning (already licensed)
• Drive security planning into SDLC process
Executive Dashboard
• Intended to convey a high-level status of the program to C-level executives and the Board
• Security Dashboard should convey:
  • Status of regulatory compliance
  • Capability, Maturity and Implementation level of program
  • Key areas of information risk to the organization
  • Current initiatives and future state posture
  • External ties and intelligence information
• Must answer the question “Is our Information Security program effective?”
Information Security (ISO) Risk Dashboard
[Slide chart: one tile per ISO framework area with a count of open items. The counts shown in the image are 4, 22, 2, 4, 3, 3, 2, 0, 5, 11, 0, 1, 1, 2, 7, 0; their assignment to areas is not recoverable from the extracted text.]
Framework areas: InfoSec Management Program (IS); Access Control (AC); Human Resources Security (HR); Risk Management (RM); Security Policy (SP); Organization of Information Security (OI); Compliance (CO); Asset Management (AM); Physical Security (PS); Communications Security (CS); Systems Acquisition, Development, and Maintenance (SD); Incident Management (IM); Business Continuity (BC); Cryptography (CR); Operations Management (OM); Supplier Relationships (SR)

Risks and Efforts by Framework Area (#Risk Items / #Open Initiatives)
Framework Area | # Risk Items | # Open Initiatives
Information Security Management | 3 | 4
Human Resource Security | 17 | 22
Access Control | 1 | 2
Security Policy | 5 | 4
Risk Management | 12 | 3
Compliance | 0 | 3
Organization of Information Security | 0 | 11
Asset Management | 5 | 2
RELATIONSHIPS AND
COMMUNICATION
Example Security Governance
Organizational Structure
• Information Security Officer reporting relationship to CIO & CCO
IT Risk Register
• Contains identified risks, deficiencies, control gaps and audit findings
• Visible to Corporate Compliance and Internal Audit
• 155 closed, 5 pending closure, and 75 open
Committees
• Information Access, Privacy and Security
• Business Ethics and Corporate Compliance
• Research Institute Compliance
• Payment Systems Governance
Culture – All Hands on Deck - Incident Response
• Breaches are inevitable
• Effective response requires engagement of senior stakeholders across the organization (relationships)
• Have a well-documented process
• How quickly will you recognize an incident?
• Does everyone understand their role?
• Practice incident response
• Continuously improve based on exercises
• Be prepared – it will happen
Why Track Program Metrics?
• Integral to a program’s governance
• Keeps staff & stakeholders aligned
• Supports continuous improvement
• Can show resource gaps or shortages
• Manage service provider SLAs
• Provides assurance to executives & the Board
• Provides basis for comparative benchmarking
“You can’t manage what you can’t measure.”
- W. Edwards Deming
Building Security Without Boundaries
• Resources are ALWAYS constrained
  • Reason for risk-based prioritization
  • Outsource if necessary, but commodity functions
• Reward innovation (think like there is no box!)
  • May increase productivity
  • Can help improve morale
• Look for external funding
  • Federal & State grants may be available
  • May be able to participate in outside initiatives
Leverage Key Partnerships
Build a culture of collaboration that actively engages those outside your organization for best practices.
In healthcare, key resources are:
1. Peer organizations – non-profit and for-profit
2. State - Dept. of Community Health
3. State - Health Information Exchanges
4. State - Health & Hospital Association
5. HiTrust & NH-ISAC
6. Federal – Health & Human Services
7. Federal – FBI & InfraGard
8. Federal – Homeland Security
Sequris Message
Sequris Group is a full service Information Security Company with a Proven and Quantifiable IT Security Framework that allows our clients to achieve Measurable Results and a Guaranteed Increase to their Security Profile and Posture.
Current State of the Industry
Survey June 2016 by Dark Reading and Black Hat USA conference; predominantly large companies, with 60% of respondents working with 1,000+ employees
• IT professionals believe there is a 40% chance that a security breach will occur in the next 12 months
• Too many rapidly evolving vulnerabilities
• A rise in social engineering attacks directly at targeted organizations
• What to do about Ransomware
• Resources for organizations to deal with all of the cybersecurity concerns
• IoT
• Ransomware
Top Executive Concerns
• Attacks directly targeted at our organization
• Effort to stay in compliance
• Phishing, social network exploits, social engineering
• Accidental data leaks by end-users
• Effort to measure the organization’s security posture
• Data theft by insiders
• Mistakes or attacks that cause the organization to lose compliance with industry regulations
• Espionage
• Ransomware
• Employee Training and Awareness
• A Solid Security Plan
Source: Black Hat Survey 2016
About Sequris Group
• Established in 1996
• More than 800 clients
• Over 3,000 projects completed
• National footprint
  • HQ in Royal Oak, Michigan
  • Sales and service offices
    • Royal Oak, Michigan
    • Denver, CO
    • Phoenix, Arizona
  • SOC – Royal Oak
  • Data Center – Phoenix
Technology Partners
THE SEQURIS APPROACH
Making a Cultural Change
• Baseline Metrics and Gap Analysis
• A Roadmap to Success
• Aligning Metrics with Program Goals: People, Process and Technology
• Program Improvement Reporting and Display
• Participate and Share with Comparative Analytics
• A Comprehensive Suite of Security Services
Where do you stand now?
[Slide chart: a 2x2 matrix. Horizontal axis: Security Operations (people, process, technology), from Reactive to Proactive. Vertical axis: Risk Tolerance & Security Policy (requirements), from Ambiguous to Explicit. Quadrant labels: Chaos; Opportunity for Improvement; Predictive; Optimize.]
Quantifiable Information Security Framework to improve your Information Security posture.
• Q|Frame™ is a holistic and proven information security framework that aligns risk tolerance with security operations.
• Q|Frame™ provides the foundation for identifying metrics, measurements, and reporting.
• Q|Frame involves an IT security gap analysis, allowing your organization to consider its current level of maturity and improve its security profile.
• Q|Frame™ is a proprietary model that allows us to ‘insert’ relevant security controls for any client environment and regulatory posture.
• Q|Frame is based upon 4 recurring phases:
  • Determine Baseline
  • Priority Action Map
  • Engage People, Processes, Technology
  • Measure Effectiveness
Q|Frame™ Dashboard
[Slide chart: a bar chart of Capability Maturity Coefficient (0% to 100%) for each of the 20 Critical Cyber Security Controls.]
Controls on the chart: Inventory of Authorized Devices; Inventory of Authorized Software; Secure Configurations for Computers; Secure Configurations for Network Devices; Boundary Defenses; Analysis of Security Audit Logs; Application Software Security; Controlled Use of Administrative Privileges; Controlled Access Based on Need to Know; Vulnerability Assessment and Remediation; Account Monitoring and Control; Malware Defenses; Network Access Control; Wireless Device Control; Data Loss Prevention; Secure Network Engineering; Penetration Tests and Red Team Exercises; Incident Response Capability; Data Recovery Capability; Security Skills Assessment
What are your Regulatory or Business Drivers?
• HIPAA - Health Insurance Portability and Accountability Act
• GLBA - Gramm-Leach-Bliley Act
• PCI DSS - Payment Card Industry Data Security Standard
• SOX - Sarbanes-Oxley (SOX 404)
• HITRUST – Health Information Trust Alliance CSF Controls
• SANS – Information Security Technology Institute and Training
• CJIS – Criminal Justice Information Services Security Policy
• ISO/QS – International Organization for Standardization
• NIST – National Institute of Standards and Technology, US Department of Commerce
Characteristics of Maturity Levels in Security
Initial: Processes are unpredictable, poorly controlled and highly reactive.
Managed: Process is characterized for only a few projects and is most often reactive.
Defined: Processes are characterized for the organization and generally proactive with defined goals. (Projects tailor their process from the organization’s standard.)
Quantitatively Managed: Process overall is measured and controlled.
Optimizing: Focus on incremental process improvement.
Source: Software Engineering Institute (SEI), CMMI® for Services, Version 1.3 (CMMI-SVC, V1.3), CMMI Product Team, "Improving processes for providing better services", November 2010, Software Engineering Process Management Program. Unlimited distribution subject to the copyright. http://www.sei.cmu.edu/reports/10tr034.pdf
Q|Frame™ Applied to Critical Controls
Priority Action Map
[Slide chart: a Gantt-style timeline, Jan through July, of the work streams listed below.]
• The timeline outlines successive security enhancements across the organization.
• Some projects will overlap because of general information gathering, etc.
• Timelines are estimates; however, a .8 confidence factor is applied.
Work streams: Security Task Force Meeting – Calibrate Next Twelve Months; InfoSec Procedure Creation; Wireless Security & PCI Review; End-user Computing Security; Organizational Security; Remote/Mobile Security; Incident Response Plan; Network Security; Asset Classification/Mgmt
Wireless Network Security Enhancements (Example)
Project Narrative: Wireless networks extend the traditional boundaries of local area networks. With that in mind, it is the goal of this project to identify and implement essential wireless security standards for both private and public wireless network connectivity for XXXX Corp. Essential wireless security practices will be discussed, with enhancements agreed upon and implemented.
Estimated Duration: 4 weeks
Estimated Effort (days/$): 12 - $16,800
Milestones / Schedule:
Date* | Milestone
6/15 | All current wireless network hardware & software reviewed for security feature sets; security gaps identified and documented.
6/20 | Hardware/software options required for wireless security enhancements are agreed upon.
6/29 | First phase (testing) of wireless security enhancements complete.
7/7 | Deployment plan of wireless security enhancements completed; implementation begins.
7/14 | Wireless security enhancements implementation complete.
Team Leader:
Team Members:
Deliverables:
• Secure wireless network for employee access, based on role
• Secure wireless network for public access, based on essential security standards
• Wireless security procedure (written, as part of organization InfoSec procedure)
Q|FRAME ISMS Confidential: Do Not Copy Or Distribute Without Approval
Best Practices: Steps to Optimization
1. Establish Control Objectives
2. Engage Priority Action Map
3. Measure Effectiveness
• Business Drivers
• Client Requirements
• Increase Efficiency
• Reduce Cycle Time
• Clear Next Actions
• Optimal Resource Allocation
Q|VUE Company Dashboard
SUMMARY
Determine Baseline
• Conduct staff interviews
• Align control objectives with client requirements
• Perform gap analysis
Priority Action Map
• Clear tactics
• Commitment to timeline and action
• Visibility & attribution
Engage People, Process, Technology
• Roles & responsibilities
• Document processes
• Align metrics with program goals
Measure Effectiveness
• Reduce cycle time
• Increase efficiency
• Objective reprioritization
• Dashboard
• Contract ready
Comparative Analytics
• Data Capture
• Resource Optimization
• Comparison and Participation
• Performance Certainty
• Cycle Time
Benefits
Quantifiable Information Security Framework to improve your Information Security posture.
• Informed Choices – Know what you don’t know
• Proven Methodology – It works & we guarantee results
• Interoperability – w/existing business processes
• Establishes Due Diligence – We provide the job of asking, analyzing & measuring overall IT security effectiveness
• Regulatory Umbrella – Framework applied to your organization’s specific regulatory requirements
• Enables Efficiency – Constantly making improvement
• Market Differentiator – No breaches is a good thing
• Financial Alignment – You will know why, what and how much you are spending over 12, 24 and 36 months and how effective you are at reducing the risks to your organization
Discussion / Q & A
?
 
Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2
 
S Rod Simpson Resume
S Rod Simpson ResumeS Rod Simpson Resume
S Rod Simpson Resume
 
Jisc's cyber security posture survey - how secure are you?
Jisc's cyber security posture survey - how secure are you?Jisc's cyber security posture survey - how secure are you?
Jisc's cyber security posture survey - how secure are you?
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
CISSO Certification | CISSO Training | CISSO
CISSO Certification | CISSO Training | CISSOCISSO Certification | CISSO Training | CISSO
CISSO Certification | CISSO Training | CISSO
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 

Recently uploaded

Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
akaash13
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
Muhammad Adil Jamil
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
CIOWomenMagazine
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
Tata Consultancy Services
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
juniourjohnstone
 
W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
William (Bill) H. Bender, FCSI
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
ssuserf63bd7
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
Amir H. Fassihi
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
gcljeuzdu
 

Recently uploaded (9)

Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
 
W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
 

Security Program Guidance and Establishing a Culture of Security

  • 1. Making a Cultural Change for Information Security
    Presented by John Kelley and Doug Copley, 25 MAR 2017
    Note to Reviewer: Much of this document is specific to Sequris Group information systems, policies, procedures, and IT security posture. As such, the contents of this presentation are classified as CONFIDENTIAL and cannot be copied, reused, or distributed without express written authorization from Sequris Group. Sequris Group, LLC Content All Rights Reserved 2011-2017
  • 2. Contact Information (WWW.SEQURISGROUP.COM © 2017)
    John Kelley, Sequris Group, LLC, (248) 837-1430, C-586-907-9751, jkelley@sequrisgroup.com
    Doug Copley, CISO | CPO | Strategist | Advisor, (517) 204-5701, douglas.copley@gmail.com, https://linkedin.com/in/dcopley, https://twitter.com/DouglasCopley
  • 3. Who is the CISO?
    1. Security Leader? IT Leader? YES, Depends
    2. Business-Savvy Executive? YES
    3. Risk Leader? YES
    4. Compliance Leader? Depends
    5. Team Leader, Coach, Mentor? YES
    6. Therapist? YES
    7. MacGyver? YES
  • 4. CISO – The Impossible Job? Or Just Thankless
    [Figure: security control landscape chart. Rows are the layers Data, Network, Databases, Systems, Endpoints, Messaging & Content, Application and Infrastructure; columns are Policy definition, Enforcement, Monitoring & response and Audit/Measurement. Controls plotted: Compliance monitoring, Firewall, VPN, Database encryption, Database security and monitoring, Storage security, Firewall/Host IPS, Web security gateway, Antivirus/Antispyware, Device control, Hard drive encryption, XML gateway, Digital rights management, Identity & Access Management, Anti-spam, Asset Management, Mobile device security, Switch/Router security, Web security, Vulnerability Management, Application Assessment, Digital Investigation & Forensics, Wireless monitoring, Security Incident Management, Patch management, IDS/IPS, NAC, Application firewall, Enterprise encryption & key management, Data Leak Prevention, Forensics, Enterprise directory, Web SSO, Email content filtering, Antivirus, Strong Authentication, App encryption, Risk Management, Basic Auditing.]
  • 5. Requires ability to work in uncertainty
    [Figure: "What Some Days Felt Like" – labels "Day 1", "You are here…" and "Arranging deck chairs…"; source: http://www.workinginuncertainty.co.uk/]
  • 7. KEEP THINGS SIMPLE
  • 8. Practical Steps for a CISO
    1. Decide on a framework (ISO, NIST, HITRUST, etc.)
    2. Build relationships & understand business priorities
    3. Understand the technical environment, critical information and information flows
    4. Identify & assess areas of risk
    5. Governance committee prioritizes actions
    6. Implement controls
    7. Measure control effectiveness
  • 9. Periodic Security Risk Assessment
    • Can provide a risk baseline
    • Can provide an estimated compliance baseline
    • Provides a process to measure progress
    • Must consider all "reasonably foreseeable risks"
    • Should align closely with regulatory expectations and guidance
    • Make sure the scope is complete so you don't end up doing another one to catch missed areas
    • Will be the primary input into the security roadmap
  • 10. 8. Evaluate the Risks
    • Determine which threats and vulnerabilities apply to each set of information
    • Ask yourself what the worst-case scenario is
    • Assess likelihood and impact
    • Do you have controls that mitigate some risk?
    • Use Finance to help measure risk in $$
    • Rank risks – is there a documented tolerance?
    • Evaluate cost and effort of additional mitigating controls
    • Let the governance committee decide actions
  • 11. Managing Cyber Risk
    • Key is appropriately managing the risks
      • Policies & procedures (administrative)
      • Technology tools (technical)
      • Control physical access (physical)
    • Risk/Cost decision: Do we need to:
      • Prevent it from happening?
      • Detect & respond when it happens?
      • Would it automatically get corrected?
      • Do we get cyber insurance?
    • Is there a strong culture of openness?
  • 12. Perspective: Users – Asset or Liability?
    Liability: aren't aware of policies; careless, make mistakes; contract malware; steal company secrets; sabotage systems; falsify data; steal identities
    Asset: help educate others; police their departments; report risky behavior; help improve policies; help remediate events; pilot new controls; suggest new processes
  • 13. UNDERSTAND THE NEEDS OF EXECUTIVE LEADERSHIP
  • 14. Six Cybersecurity Questions Boards Should Ask
    1. Does the organization use a security framework?
    2. What are the top five risks the organization has related to cybersecurity?
    3. How are employees made aware of their role related to cybersecurity?
    4. Are external and internal threats considered when planning cybersecurity program activities?
    5. How is security governance managed within the organization?
    6. In the event of a serious breach, has management developed a robust response protocol?
    © 2014 The Institute of Internal Auditors Research Foundation
  • 15. ISO 27002:2013 Framework
  • 16. NIST Cybersecurity Framework
  • 17. CIS Critical Security Controls (formerly the SANS Top 20)
  • 18. Top Five Cybersecurity Risks – be concise and transparent:
    1. Asset Management
    2. Network Access Control
    3. Security Event Monitoring
    4. User Education
    5. Business Continuity
  • 19. Example: Initiatives To Change 2016 Risk Levels
    Asset Management (red to yellow)
    • Infrastructure – finish deployment of existing tools
    • Set up device discovery scans in Qualys
    • Establish an inventory process for networked medical devices
    Operations Management Security (red to yellow)
    • Scale SIEM platform for Beaumont Health
    • Greatly expand the vulnerability management program
    • Mature anti-malware management practices (follow-up)
    • Implement web application scanning (already licensed)
    • Drive security planning into the SDLC process
  • 20. Executive Dashboard
    • Intended to convey a high-level status of the program to C-level executives and the Board
    • Security Dashboard should convey:
      • Status of regulatory compliance
      • Capability, maturity and implementation level of the program
      • Key areas of information risk to the organization
      • Current initiatives and future-state posture
      • External ties and intelligence information
    • Must answer the question "Is our Information Security program effective?"
  • 21. Information Security (ISO) Risk Dashboard
    [Figure: one tile per framework area, each showing a risk count. Areas: InfoSec Management Program (IS), Access Control (AC), Human Resources Security (HR), Risk Management (RM), Security Policy (SP), Organization of Information Security (OI), Compliance (CO), Asset Management (AM), Physical Security (PS), Communications Security (CS), Systems Acquisition, Development, and Maintenance (SD), Incident Management (IM), Business Continuity (BC), Cryptography (CR), Operations Management (OM), Supplier Relationships (SR). Counts as extracted, in an order that cannot be matched to the tiles: 4, 22, 2, 4, 3, 3, 2, 0, 5, 11, 0, 1, 1, 2, 7, 0.]
  • 22. Risks and Efforts by Framework Area (#Risk Items / #Open Initiatives)
    [Figure: bar chart for Information Security Management, Human Resource Security, Access Control, Security Policy, Risk Management, Compliance, Organization of Information Security and Asset Management. Values as extracted, in an order that cannot be matched to the areas: 3, 4, 17, 22, 1, 2, 5, 4, 12, 3, 0, 3, 0, 11, 5, 2.]
  • 23. RELATIONSHIPS AND COMMUNICATION
  • 24. Example Security Governance
    Organizational Structure
    • Information Security Officer reporting relationship to CIO & CCO
    IT Risk Register
    • Contains identified risks, deficiencies, control gaps and audit findings
    • Visible to Corporate Compliance and Internal Audit
    • 155 closed, 5 pending closure, and 75 open
    Committees
    • Information Access, Privacy and Security
    • Business Ethics and Corporate Compliance
    • Research Institute Compliance
    • Payment Systems Governance
  • 25. Culture – All Hands on Deck – Incident Response
    • Breaches are inevitable
    • Effective response requires engagement of senior stakeholders across the organization (relationships)
    • Have a well-documented process
    • How quickly will you recognize an incident?
    • Does everyone understand their role?
    • Practice incident response
    • Continuously improve based on exercises
    • Be prepared – it will happen
  • 26. Why Track Program Metrics?
    • Integral to a program's governance
    • Keeps staff & stakeholders aligned
    • Supports continuous improvement
    • Can show resource gaps or shortages
    • Manage service provider SLAs
    • Provides assurance to executives & the Board
    • Provides a basis for comparative benchmarking
    "You can't manage what you can't measure." – W. Edwards Deming
  • 27. Building Security Without Boundaries
    • Resources are ALWAYS constrained
      • Reason for risk-based prioritization
      • Outsource if necessary, but only commodity functions
    • Reward innovation (think like there is no box!)
      • May increase productivity
      • Can help improve morale
    • Look for external funding
      • Federal & State grants may be available
      • May be able to participate in outside initiatives
  • 28. Leverage Key Partnerships
    Build a culture of collaboration that actively engages those outside your organization for best practices. In healthcare, key resources are:
    1. Peer organizations – non-profit and for-profit
    2. State – Dept. of Community Health
    3. State – Health Information Exchanges
    4. State – Health & Hospital Association
    5. HITRUST & NH-ISAC
    6. Federal – Health & Human Services
    7. Federal – FBI & InfraGard
    8. Federal – Homeland Security
  • 31. Sequris Message
    Sequris Group is a full-service Information Security Company with a Proven and Quantifiable IT Security Framework that allows our clients to achieve Measurable Results and a Guaranteed Increase to their Security Profile and Posture.
  • 32. Current State of the Industry
    Survey, June 2016, by Dark Reading and the Black Hat USA conference; predominantly large companies, with 60% of respondents working at organizations of 1,000+ employees
    • IT professionals believe there is a 40% chance that a security breach will occur in the next 12 months
    • Too many rapidly evolving vulnerabilities
    • A rise in social engineering attacks aimed directly at targeted organizations
    • What to do about ransomware
    • Resources for organizations to deal with all of the cybersecurity concerns
    • IoT
    • Ransomware
  • 33. Top Executive Concerns (Black Hat Survey 2016)
    • Attacks directly targeted at our organization
    • Effort to stay in compliance
    • Phishing, social network exploits, social engineering
    • Accidental data leaks by end users
    • Effort to measure the organization's security posture
    • Data theft by insiders
    • Mistakes or attacks that cause the organization to lose compliance with industry regulations
    • Espionage
    • Ransomware
    • Employee training and awareness
    • A solid security plan
  • 34. About Sequris Group
    • Established in 1996
    • More than 800 clients
    • Over 3,000 projects completed
    • National footprint
      • HQ in Royal Oak, Michigan
      • Sales and service offices: Royal Oak, Michigan; Denver, CO; Phoenix, Arizona
      • SOC – Royal Oak
      • Data Center – Phoenix
  • 35. Technology Partners
  • 36. THE SEQURIS APPROACH
  • 37. Making a Cultural Change
    • Baseline Metrics and Gap Analysis
    • A Roadmap to Success
    • Aligning Metrics with Program Goals: People, Process and Technology
    • Program Improvement Reporting and Display
    • Participate and Share with Comparative Analytics
    • A Comprehensive Suite of Security Services
  • 38. Where do you stand now?
    [Figure: maturity grid with two axes: "Explicit Risk Tolerance & Security Policy (Requirements)" with levels Ambiguous, Reactive, Proactive; and "Security Operations (People, process, technology)" with levels Chaos, Predictive, Optimize. The region between the current and target positions is labelled "Opportunity for Improvement".]
  • 39. Quantifiable Information Security Framework to improve your Information Security posture
    • Q|Frame™ is a holistic and proven information security framework that aligns risk tolerance with security operations.
    • Q|Frame™ provides the foundation for identifying metrics, measurements, and reporting.
    • Q|Frame™ involves an IT security gap analysis, allowing your organization to consider its current level of maturity and improve its security profile.
    • Q|Frame™ is a proprietary model that allows us to 'insert' relevant security controls for any client environment and regulatory posture.
    • Q|Frame™ is based upon 4 recurring phases:
      • Determine Baseline
      • Priority Action Map
      • Engage People, Processes, Technology
      • Measure Effectiveness
  • 40. Q|Frame™ Dashboard – 20 Critical Cyber Security Controls
    [Figure: bar chart, one bar per control, vertical axis "% Coefficient Capability Maturity" from 0 to 100%. Controls: Inventory of Authorized Devices; Inventory of Authorized Software; Secure Configurations for Computers; Secure Configurations for Network Devices; Boundary Defenses; Analysis of Security Audit Logs; Application Software Security; Controlled Use of Administrative Privileges; Controlled Access Based on Need to Know; Vulnerability Assessment and Remediation; Account Monitoring and Control; Malware Defenses; Network Access Control; Wireless Device Control; Data Loss Prevention; Secure Network Engineering; Penetration Tests and Red Team Exercises; Incident Response Capability; Data Recovery Capability; Security Skills Assessment.]
  • 41. What are your Regulatory or Business Drivers?
    • HIPAA – Health Insurance Portability and Accountability Act
    • GLBA – Gramm-Leach-Bliley Act
    • PCI DSS – Payment Card Industry Data Security Standard
    • SOX – Sarbanes-Oxley (SOX 404)
    • HITRUST – Health Information Trust Alliance CSF Controls
    • SANS – Information Security Technology Institute and Training
    • CJIS – Criminal Justice Information Services Security Policy
    • ISO/QS – International Organization for Standardization
    • NIST – National Institute of Standards and Technology, US Department of Commerce
  • 42. Characteristics of Maturity Levels in Security
    • Initial – Processes are unpredictable, poorly controlled and highly reactive.
    • Managed – Process is characterized for only a few projects and is most often reactive.
    • Defined – Processes are characterized for the organization and generally proactive with defined goals. (Projects tailor their process from the organization's standard.)
    • Quantitatively Managed – Process overall is measured and controlled.
    • Optimizing – Focus on incremental process improvement.
    Source: Software Engineering Institute (SEI), CMMI® for Services, Version 1.3 (CMMI-SVC, V1.3), CMMI Product Team, "Improving processes for providing better services", November 2010, Software Engineering Process Management Program. Unlimited distribution subject to the copyright. http://www.sei.cmu.edu/reports/10tr034.pdf
  • 43. Q|Frame™ Applied to Critical Controls
  • 44. Priority Action Map
    [Figure: Gantt-style timeline, Jan through July, with bars for: Security Task Force Meeting; Calibrate Next Twelve Months; InfoSec Procedure Creation; Wireless Security & PCI Review; End-user Computing Security; Organizational Security; Remote/Mobile Security; Incident Response Plan; Network Security; Asset Classification/Mgmt.]
    • The timeline outlines successive security enhancements across the organization.
    • Some projects will overlap because of general information gathering, etc.
    • Timelines are estimates; however, a .8 confidence factor is applied.
  • 45. Wireless Network Security Enhancements (Example)
    Project Narrative: Wireless networks extend the traditional boundaries of local area networks. With that in mind, it is the goal of this project to identify and implement essential wireless security standards for both private and public wireless network connectivity for XXXX Corp. Essential wireless security practices will be discussed, with enhancements agreed upon and implemented.
    Estimated Duration: 4 weeks
    Estimated Effort (days/$): 12 - $16,800
    Milestones / Schedule (Date* – Milestone):
    • 6/15 – All current wireless network hardware & software reviewed for security feature sets; security gaps identified and documented.
    • 6/20 – Hardware/software options required for wireless security enhancements are agreed upon.
    • 6/29 – First phase (testing) of wireless security enhancements complete.
    • 7/7 – Deployment plan of wireless security enhancements completed; implementation begins.
    • 7/14 – Wireless security enhancements implementation complete.
    Team Leader:
    Team Members:
    Deliverables:
    • Secure wireless network for employee access, based on role
    • Secure wireless network for public access, based on essential security standards
    • Wireless security procedure (written, as part of the organization's InfoSec procedure)
    Q|FRAME ISMS – Confidential: Do Not Copy Or Distribute Without Approval
  • 46. Best Practices: Steps to Optimization
    1. Establish Control Objectives – Business Drivers; Client Requirements
    2. Engage Priority Action Map – Clear Next Actions; Optimal Resource Allocation
    3. Measure Effectiveness – Increase Efficiency; Reduce Cycle Time
  • 47. Q|VUE Company Dashboard
  • 52. SUMMARY
    Phases: Determine Baseline; Priority Action Map; Engage People, Process, Technology; Measure Effectiveness; Comparative Analytics
    • Conduct staff interviews
    • Align control objectives with client requirements
    • Perform gap analysis
    • Clear tactics
    • Commitment to timeline and action
    • Visibility & attribution
    • Roles & responsibilities
    • Document processes
    • Align metrics with program goals
    • Reduce cycle time
    • Increase efficiency
    • Objective reprioritization
    • Dashboard
    • Contract ready
    Comparative Analytics: Data Capture; Resource Optimization; Comparison and Participation; Performance Certainty; Cycle Time
  • 53. Benefits
    • Informed Choices – Know what you don't know
    • Proven Methodology – It works & we guarantee results
    • Interoperability – with existing business processes
    • Establishes Due Diligence – We do the job of asking, analyzing & measuring overall IT security effectiveness
    • Regulatory Umbrella – Framework applied to your organization's specific regulatory requirements
    • Enables Efficiency – Constantly making improvements
    • Market Differentiator – No breaches is a good thing
    • Financial Alignment – You will know why, what and how much you are spending over 12, 24 and 36 months and how effective you are at reducing the risks to your organization
    Quantifiable Information Security Framework to improve your Information Security posture.
  • 54. Discussion / Q & A?
  • 55. Contact Information
    John Kelley, Sequris Group, LLC, (248) 837-1430, C-586-907-9751, jkelley@sequrisgroup.com
    Doug Copley, CISO | CPO | Strategist | Advisor, (517) 204-5701, douglas.copley@gmail.com, https://linkedin.com/in/dcopley, https://twitter.com/DouglasCopley
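The "Evaluate the Risks" slide (slide 10) and the risk dashboard slides (21 and 22) describe one procedure: score each risk by likelihood and impact, net out what existing controls already mitigate, put a dollar figure on it with Finance, rank against a documented tolerance, cost any additional control, and roll the register up by framework area as "#Risk Items / #Open Initiatives". The Python below is an added example of that procedure; it is not code from the presentation or from Sequris Group. The risk records, dollar figures, framework-area codes and the annualized-loss formula (expected occurrences per year × loss per occurrence × share not mitigated) are assumptions chosen for illustration.

```python
"""Risk register scoring and framework-area roll-up.

Added example (not from the presentation): every risk, dollar figure and
framework-area code below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    id: str
    area: str               # framework area code, as on the Risk Dashboard slide (e.g. "AM")
    threat: str
    likelihood: float       # assumed: expected occurrences per year (annual rate of occurrence)
    impact_usd: float       # assumed: loss per occurrence in dollars, agreed with Finance
    control_reduction: float = 0.0  # share of exposure existing controls remove, 0.0..1.0
    open_initiatives: int = 0       # initiatives currently open against this risk


def residual_ale(risk: Risk) -> float:
    """Annualized loss expectancy after existing controls (assumed formula)."""
    return round(risk.likelihood * risk.impact_usd * (1.0 - risk.control_reduction), 2)


def rank_risks(risks: List[Risk], tolerance_usd: float) -> List[dict]:
    """Rank risks by residual ALE and flag those above the documented tolerance."""
    rows = [
        {"id": r.id, "area": r.area, "threat": r.threat,
         "residual_ale": residual_ale(r),
         "above_tolerance": residual_ale(r) > tolerance_usd}
        for r in risks
    ]
    # Highest exposure first; ties broken by id so the ranking is stable.
    return sorted(rows, key=lambda row: (-row["residual_ale"], row["id"]))


def evaluate_control(risk: Risk, new_reduction: float, annual_cost_usd: float) -> dict:
    """Cost/benefit of an additional mitigating control.

    new_reduction is the total share of exposure removed once the control is in
    place (it replaces, rather than adds to, the existing control_reduction).
    """
    before = residual_ale(risk)
    after = round(risk.likelihood * risk.impact_usd * (1.0 - new_reduction), 2)
    net = round(before - after - annual_cost_usd, 2)
    return {"id": risk.id, "ale_before": before, "ale_after": after,
            "annual_cost": annual_cost_usd, "net_benefit": net,
            "worthwhile": net > 0}


def area_dashboard(risks: List[Risk]) -> Dict[str, Tuple[int, int]]:
    """Per framework area: (#risk items, #open initiatives), as on the dashboard slide."""
    summary: Dict[str, Tuple[int, int]] = {}
    for r in risks:
        items, open_inits = summary.get(r.area, (0, 0))
        summary[r.area] = (items + 1, open_inits + r.open_initiatives)
    return summary


# Constructed sample register (hypothetical values, not from the presentation).
RISKS = [
    Risk("R1", "AM", "Unmanaged devices on the network", 1.0, 200_000, 0.25, 2),
    Risk("R2", "OM", "Ransomware on file servers", 0.5, 1_000_000, 0.40, 3),
    Risk("R3", "HR", "Phishing leads to credential theft", 2.0, 50_000, 0.50, 1),
    Risk("R4", "BC", "Data center outage", 0.1, 800_000, 0.0, 0),
    Risk("R5", "AM", "Unknown medical devices on the network", 0.5, 100_000, 0.0, 1),
]
TOLERANCE_USD = 100_000  # assumed documented risk tolerance per risk item


if __name__ == "__main__":
    for row in rank_risks(RISKS, TOLERANCE_USD):
        flag = "ABOVE TOLERANCE" if row["above_tolerance"] else ""
        print(f"{row['id']} {row['area']} ${row['residual_ale']:>12,.2f} {flag}")
    # Would an $120k/year control that lifts R2's mitigation to 80% pay for itself?
    print(evaluate_control(RISKS[1], new_reduction=0.80, annual_cost_usd=120_000))
    print(area_dashboard(RISKS))
```

With the constructed register, R2 (residual ALE $300,000) and R1 ($150,000) sit above the $100,000 tolerance and are what the governance committee would be asked to act on; the $120,000 control on R2 is worthwhile because it removes $200,000 of annual exposure, and the roll-up reports Asset Management as 2 risk items with 3 open initiatives. The two things the slide leaves implicit are made explicit here: a risk tolerance has to be written down before ranking means anything, and a control is judged on its net benefit against residual (not gross) exposure.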