Forrester Privacy & Security Summit 2018 at The Mayflower Hotel, D.C. Sept. 24-26, 2018
"Why the Org Matters: The Role of Privacy and Security in Organization Design"
1. WHY THE ORG MATTERS
THE ROLE OF PRIVACY AND SECURITY IN ORGANIZATION DESIGN
Juliet Sai, Infosec Professional
Forrester's Privacy & Security 2018
Washington, D.C. September 25-26, '18
2. TIMELINE AND DIMENSION
Timeline bands: 2010-11 | 2012-13 | 2014-15 | 2016-17 | 2018-now
• 2010 - Operation Aurora: large-scale, not understood by non-security
• 2013 - Target CC breach plays out on C-SPAN; the class of compromise is now understood
• 2016 - Yahoo discloses 2013-14 breaches; sale price drops $350M
• 2017 - Equifax: consumer private verification data leaked at new scale
• 2018 - Facebook: 2016 election events question integrity of process and press
3. WITH GREAT KNOWLEDGE SHOULD COME GREAT POWER…
4. THIS IS HOW IT SHOULD LOOK
Org chart: Risk Chief* and Tech Chief, with Security beneath them
* CEO, COO, CAO, CGC, BoD??
5. THIS IS HOW IT MIGHT ALSO LOOK
Org chart, with Security sitting among the other functions: Product, Legal, Finance, Compliance, Audit, Sales, Marketing, Bus. Ops, HR, Tech Chief, Security, Risk Chief*
* CEO, COO, CAO, CGC, BoD??
6. THE SECURE ORGANIZATIONAL BODY
• Centralized intelligence
• Strong backbone
• Distributed nervous system - DevSecOps: are we there yet? Did we start? Deployment pipelines? Config mgmt? Beliefs?
7. INVISIBLE UNTIL IT'S *THE* THING
• Emergent startups have been slipstreaming Sec into DevOps (or DevSecOps) pipelines - or ignoring it
• Enterprise orgs have matrixed departments - with Sec being asked to report more frequently to the BoD
• One of the hardest tech/exec roles to fill (scarcity etc.)
• Consequently, all the movement is pulling Sec up.
WE ARE ALL SECURITY PEOPLE
8. STATS
Huntsource: a 2015 Georgia Tech study found 40% of CISOs were still reporting to CIOs.
K Logix study, 2015:
• >50% -> CIO ("makes sense for early stage" - could be CTO too)
• 15% -> CEO
• remainder -> COO/Risk leader
• 50% predicted reporting to CEO "in the near future"
In 2018, a PwC study concluded that this figure has dropped to around 24%, with 40% of CISOs now reporting directly to CEOs and another 27% reporting to the board of directors.
But the Financial Services Information Sharing and Analysis Center (FS-ISAC) concluded that only 8% of CISOs are reporting directly to a CEO.
Who's pacesetting for this?
Israel, in some cases mandating that Security report to the CEO. SOX can cite reporting structure as a weakness.
9. THE MODERN SECURITY LEADER
1. Be as technical as you can
2. And, build great teams
3. And, have partners throughout the org
4. And, have friends outside
5. Paint the picture of where the technology is going and be *there* to lead it
… IS A TECHNOLOGY LEADER
10. REFERENCES & IMAGE CREDITS
REFERENCES
https://securityintelligence.com/what-can-we-learn-from-the-global-state-of-information-security-survey-2018/
https://www.cio.co.nz/article/600206/why-ciso-hardest-tech-role-fill/
https://www.darkreading.com/operations/top-infosec-execs-will-eventually-report-to-ceos-cisos-say/a/d-id/1321980
https://www.linkedin.com/pulse/cio-report-ciso-why-j-j-guy/
https://www.carbonblack.com/2017/07/31/cio-will-report-ciso-2/
https://huntsource.io/why-ciso-shouldnt-report-to-cio/
https://www.csoonline.com/article/3237675/data-protection/the-cio-should-report-to-the-ciso.html
https://www.f5.com/labs/articles/cisotociso/who-should-the-ciso-report-to
https://securityintelligence.com/is-the-ciso-reporting-structure-outdated/
IMAGE CREDITS
chart gif - http://chiefmartec.com/2013/07/with-big-technology-budget-big-cmo-responsibility/
prodigy gif - https://www.pri.org/stories/2014-12-08/meet-hacking-prodigy-you-definitely-want-your-side
cowboy - http://moziru.com/explore/Drawn%20cowboy/
prisoner - https://www.dreamstime.com/stock-illustration-cartoon-prisoner-behind-bar-illustration-image50839937
nervous system - https://www.takeda.com/newsroom/featured-topics/central-nervous-system-research--development-at-takeda/
Editor's Notes
A. 2010 (2008-2009) - Operation Aurora - this is still more for the profess
Google, Adobe, Juniper, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical - codebases targeted
B. late 2013 - Target
testifies in front of Congress
$18.5M in damages to states
C. September 2016 - Yahoo
reports breaches from 2013 and 2014
sale price to VZW drops by $350M, to $4.48B; top-line exec changes
D. Equifax
now, this is personal - SSNs, driver’s IDs, verification information
the internet can’t unsee this
E. Now - Facebook
Democracy turning point 2016? where is the Fourth Estate? Is there such a thing anymore?
Walter Cronkite “a free press is not just essential for democracy. it *is* democracy.” Can we still get signal in widely universal mass media? If the means to publish is not understood, can it be trusted?
With all of this, security professionals should be psyched/motivated/feeling valued, right?
Right?!
Centralized intelligence - one org
Strong backbone - incentives, goals, workflow all reinforce the shared objective and authority
Distributed nervous system - DevSecOps
Stats
Huntsource: a 2015 Georgia Tech study found 40% of CISOs were still reporting to CIOs.
In 2018, a PwC study concluded that this figure has dropped to around 24%, with 40% of CISOs now reporting directly to CEOs and another 27% reporting to the board of directors.
But the Financial Services Information Sharing and Analysis Center (FS-ISAC) concluded that only 8% of CISOs are reporting directly to a CEO.
Who's pacesetting for this?
Israel. SOX can cite reporting structure as a weakness. GDPR requires a Data Protection Officer for many organizations.
1. Be as technical as you can
You can’t manage what you can’t understand.
Tiny details can make or break a project.
Consensus decisions can take years to arrive at and to back out again — too slow for yearly disruption markets.
Tech is core, not peripheral.
Why did you get into this in the first place?!
2. You must also build great teams
Too many adversaries for a SWAT team of heroes
Talent is the differentiator - be human-centered
Be able to truly manage, not just narrow down, the exceptions
3. You must also have partners throughout org.
if you’re big enough, you need other groups to deliver and reinforce these priorities
Understand where they’re coming from and be able to work across the org
4. You must also have friends outside.
Circles of trust are even more important in this world. Reliant on landscape intel from many. And peers to sanity-check complex situations.
5. You must see where the technology is going and be there to meet it - and lead it.
Have the vision, know what to say to whom when, relentlessly drive and support to get it done
Run to where the ball is going.
Help your org, partners, and customers see what they need to do and be before they do.