Pradeep Menon: How to Influence People and Win Top Management Buy-in for the CISO
1. The New CISO: Security
The 3rd Kuwait InfoSecurity Conference
May 26, 2011
Pradeep Menon
Executive Vice President and Director
Quadrant Risk Management
2. AGENDA
- The Evolving Role of the CISO
- Selling Security Internally
3. The CISO
- The role of the Chief Information Security Officer (CISO) is becoming very strategic in nature
4. Some of the Key Drivers for this Strategic Visibility include:
5. Why should organizations have a CISO?
- Fraud
- Insider Theft
- Lack of single source of truth
- Third party exposure
- Rate of Adoption of New Technologies
- Hacking
- Evolving Technologies
- Lack of monitoring and controls
6. Evolution of the role for Information Security
- Since last 2-3 years
- 5-8 years ago
- 9-12 years ago
Source: Forrester Research
7. New Responsibilities
- The emerging role of the CISO and information security office calls for new skills and responsibilities to be undertaken, including:
- Marketing and selling of Information Security within the organization
- Quantifying benefits
- Controller to Business Enabler
- Program Managing Security rather than Project Managing
- Representation in the Senior Management Decision Making Bodies
13. The Major Roadblocks that CISOs still face
14. AGENDA
- The Evolving Role of the CISO
- Selling Security Internally
15. Tips for Enhancing CISO Value and Reach: Branding Security
- Security could be branded as a member of the organization
- Creating characters, voices and visuals that represent security in a meaningful way
- E.g. Salim from aeCERT
18. Tips for Enhancing CISO Value and Reach: CEO Involvement
- Make the CEO sign important Information Security policies
- Make the CEO speak about security
- Educate the CEO with important news and reports through periodic meetings
21. Tips for Enhancing CISO Value and Reach: Business Involvement
- Organize quarterly meetings where Business users and InfoSec teams interact
- Let Business Users express their views
- Conduct white paper sessions to demonstrate how security issues can lead to loss of customers
24. Tips for Enhancing CISO Value and Reach: Security Awareness Day
- Security should become a habit, not a regulation
- Celebrate security practices and achievements
- Place kiosks, stalls etc. to create awareness about following security practices
- Let the CEO inaugurate the proceedings of the Day
- Involve people from business units
- Conduct contests
30. Tips for Enhancing CISO Value and Reach: External Agencies
- Form Information Security sub-committees in organizations such as KITS (if not already in place)
- Influence regulatory bodies and excellence centers such as CAIT and Central Banks
- e.g., SAMA regulation for Multi Factor Authentication
- ADSIC Information Security Program
34. Tips for Enhancing CISO Value and Reach: Annual ISMS Reporting
- Publishing annual reports on IS activities and developments for the year
- Creating a web portal for users to view various reports on the metrics based on which their contribution to IS initiatives is rated
36. Tips for Enhancing CISO Value and Reach: External Consultancies
- External consultancies are SMEs (subject matter experts)
- Their experience is wide and deep in an area
- Utilizing consultancies for specific programs might make it easier to get management buy-in
- Organizational hierarchy could be a bottleneck to expressing views and concerns regarding security issues
- Look upon consultancies as partners or change agents, not as vendors or spenders
41. Tips for Enhancing CISO Value and Reach: Other CISO Involvement
- Inviting CISOs from other companies helps in knowledge exchange and gains on both sides
- Forums such as LinkedIn and Facebook have been instrumental in generating networking
- Involvement in joint research initiatives through organizations such as CAIT (The Central Agency for Information Technology), KITS (Kuwait Information Technology Society), aeCERT, OCERT etc.
44. Tips for Enhancing CISO Value and Reach: External Involvement
- Incentives for your IS team members to contribute to and attend various events such as conferences, trainings, seminars etc.
- Encourage publishing of white papers on popular websites and journals, on behalf of the organization
46. Thank You
Pradeep Menon
Executive Vice President and Director
Quadrant Risk Management
[email protected]
Tel: +971-4-6091970
Mob: +971-50-4815260