Why the org_matters_shorter.jzt.2018sept25
•Download as PPTX, PDF•
1 like•184 views
Forrester Privacy & Summit 2018 at The Mayflower Hotel, D.C. Sept. 24-26, 2018 "Why the Org Matters: The Role of Privacy and Security in Organization Design"
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Why the org_matters_shorter.jzt.2018sept25
Similar to Why the org_matters_shorter.jzt.2018sept25 (20)
More from Julie Tsai
More from Julie Tsai (9)
Recently uploaded
Recently uploaded (20)
Why the org_matters_shorter.jzt.2018sept25
- 1. W H Y T H E O R G M A T T E R S T H E R O L E O F P R I V A C Y A N D S E C U R I T Y I N O R G A N I Z A T I O N D E S I G N J U L I E T S A I , I N F O S E C P R O F E S S I O N A L F O R R E S T E R ’ S P R I V A C Y & S E C U R I T Y 2 0 1 8 W A S H I N G T O N , D . C . S E P T E M B E R 2 5 - 2 6 , ‘ 1 8
- 2. T I M E L I N E A N D D I M E N S I O N 2 0 1 0 - 1 1 2 0 1 8 - N O W 2 0 1 0 O P E R A T I O N A U R O R A L A R G E - S C A L E , N O T U N D E R S T O O D B Y N O N - S E C U R I T Y 2 0 1 6 Y A H O O D I S C L O S E S 2 0 1 3 - 1 4 B R E A C H E S , S A L E P R I C E D R O P S $ 3 5 0 M 2 0 1 8 F A C E B O O K 2 0 1 6 E L E C T I O N E V E N T S Q U E S T I O N I N T E G R I T Y O F P R O C E S S A N D P R E S S 2 0 1 2 - 1 3 2 0 1 4 - 1 5 2 0 1 6 - 1 7 C L A S S O F C O M P R O M I S E I S 2 0 1 3 T A R G E T C C B R E A C H P L A Y S O U T O N C - S P A N - N O W U N D E R S T O O D 2 0 1 7 E Q U I F A X C O N S U M E R P R I V A T E V E R I F I C A T I O N D A T A L E A K E D A T N E W S C A L E
- 3. W I T H G R E A T K N O W L E D G E S H O U L D C O M E G R E A T P O W E R …
- 4. T H I S I S H O W I T S H O U L D L O O K R I S K C H I E F *T E C H C H I E F S E C U R I T Y * C E O , C O O , C A O , C G C , B O D ? ?
- 5. T H I S I S H O W I T M I G H T A L S O L O O K P R O D U C T * C E O , C O O , C A O , C G C , B O D ? ? L E G A L F I N A N C E C O M P L I A N C E A U D I T S A L E S M A R K E T I N G B U S . O P S H R T E C H C H I E F S E C U R I T Y R I S K C H I E F *
- 6. T H E S E C U R E O R G A N I Z A T I O N A L B O D Y C E N T R A L I Z E D I N T E L L I G E N C E S T R O N G B A C K B O N E D I S T R I B U T E D N E R V O U S S Y S T E M — D E V S E C O P S : A R E W E T H E R E Y E T ? D I D W E S T A R T ? D E P L O Y M E N T P I P E L I N E S ? C O N F I G M G M T ? B E L I E F S ?
- 7. I N V I S I B L E U N T I L I T ’ S * T H E * T H I N G • Emergent startups have been slipstreaming Sec into DevOps (or DevSecOps) pipelines - or ignoring it • Enterprise orgs have matrixes departments - with Sec being asked to report more frequently to the BoD • One of hardest tech/exec roles to fill (scarcity etc.) • Consequently…. all the movement pulling Sec up. W E A R E A L L S E C U R I T Y P E O P L E
- 8. S T A T S Huntsource: A 2015 Georgia Tech 40% of CISO’s were still reporting to CIO’s. K Logix study 2015 >+50% -> CIO "Makes sense for early stage" - could be CTO too 15% -> CEO + -> COO/Risk leader 50% predicted reporting to CEO "in the near future" In 2018, a PwC study concluded that this figure has dropped to around 24%, with But the Financial Services Information Sharing and Analysis Center (FS-ISAC) co Who’s pacesetting for this? Israel, in some cases mandating Security report to CEO. SOX can cite reporting s
- 9. T H E M O D E R N S E C U R I T Y L E A D E R 1. Be as technical as you can 2. And, build great teams 3. And, have partners throughout org 4. And, have friends outside 5. Paint the picture of where the technology is going and be *there* to lead it … I S A T E C H N O L O G Y L E A D E R
- 10. R E F E R E N C E S & I M A G E C R E D I T S REFERENCES https://securityintelligence.com/what-can-we-learn-from-the-global-state-of-information-security-survey- 2018/ https://www.cio.co.nz/article/600206/why-ciso-hardest-tech-role-fill/ https://www.darkreading.com/operations/top-infosec-execs-will-eventually-report-to-ceos-cisos-say/a/d- id/1321980 https://www.linkedin.com/pulse/cio-report-ciso-why-j-j-guy/ https://www.carbonblack.com/2017/07/31/cio-will-report-ciso-2/ https://huntsource.io/why-ciso-shouldnt-report-to-cio/ https://www.csoonline.com/article/3237675/data-protection/the-cio-should-report-to-the-ciso.html https://www.f5.com/labs/articles/cisotociso/who-should-the-ciso-report-to https://securityintelligence.com/is-the-ciso-reporting-structure-outdated/ IMAGE CREDITS chart gif - http://chiefmartec.com/2013/07/with-big-technology-budget-big-cmo-responsibility/ prodigy gif - https://www.pri.org/stories/2014-12-08/meet-hacking-prodigy-you-definitely-want-your-side cowboy - http://moziru.com/explore/Drawn%20cowboy/ prisoner - https://www.dreamstime.com/stock-illustration-cartoon-prisoner-behind-bar-illustration-image50839937 nervous system - https://www.takeda.com/newsroom/featured-topics/central-nervous-system-research--development-at-takeda/
Editor's Notes
- A. 2010 (2008-2009) - Operation Aurora - this is still more for the profess Goog, Adobe, Juniper, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical - codebases B. late 2013 - Target testifies in front of Congress $18.5M in damages to states C. September 2016 - Yahoo reporting breaches of 2013 and 2014 drops sale price to VZW from $350M to $4.48B, top-line exec changes D. Equinox now, this is personal - SSNs, driver’s IDs, verification information the internet can’t unsee this E. Now - Facebook Democracy turning point 2016? where is the Fourth Estate? Is there such a thing anymore? Walter Cronkite “a free press is not just essential for democracy. it *is* democracy.” Can we still get signal in widely universal mass media? If the means to publish is not understood, can it be trusted?
- With all of this, security professionals should be psyched/motivated/feeling valued, right? Right?!
- Centralized intelligence - one org Strong backbone - incentives, goals, workflow all reinforce the shared objective and authority Distributed nervous system - DevSecOps
- Stats Huntsource: A 2015 Georgia Tech 40% of CISO’s were still reporting to CIO’s. In 2018, a PwC study concluded that this figure has dropped to around 24%, with 40% of CISO’s now report directly to CEO’s, with another 27% reporting to the board of directors. But the Financial Services Information Sharing and Analysis Center (FS-ISAC) concluded that only 8% of CISO’s are reporting directly to a CEO. Who’s pacesetting for this? Israel. SOX can cite reporting structure as weakness. GDPR required Chief Data Protection Officer.
- 1. Be as technical as you can You can’t manage what you can’t understand. Tiny details can make or break a project. Consensus decisions can take years to arrive at and to back out again — too slow for yearly disruption markets. Tech is core, not peripheral. Why did you get into this in the first place?! 2. You must also build great teams Too many adversaries for SWAT team of heroes Talent is the differentiator - be human-centered Be able to truly manage, not just narrow down, the exceptions 3. You must also have partners throughout org. if you’re big enough, you need other groups to deliver and reinforce these priorities Understand where they’re coming from and be able to work across the org 4. You must also have friends outside. Circles of trust are even more important in this world. Reliant on landscape intel from many. And peers to sanity-check complex situations. 5. You must see where the technology is going and be there to meet it - and lead it. Have the vision, know what to say to whom when, relentlessly drive and support to get it done Run to where the ball is going. Help your org, partners, and customers see what they need to do and be before they do.