Qualities of an Effective CISO - SF ISACA
2015 Fall Conference – “CyberSize IT” November 9–11, 2015
Qualities of an Effective CISO
Miguel (Mike) O. Villegas CISA, CISSP, GSEC, CEH, PCI QSA, [email protected]
November 10, 2015
Abstract
Hiring a Chief Information Security Officer (CISO) is a laudable goal. It implies executive management realizes the value of having an executive-level position for information security. The CISO is an executive who provides expert guidance to other C-level executives on matters of risk, compliance and information protection from a strategic and tactical business objectives perspective. Security practitioners are typically technical in nature but do not generally have access to C-level executives, so the CISO position can help fill in this gap. This session will discuss the qualities of an effective CISO. This includes education, background, reporting structure, focus, responsibilities, personal qualities, vision, leadership capabilities, and technical background.
Table of Contents
• CISO Resume
• Reporting Structure
• CISO Vision and Responsibilities
• Personal Qualities
• Leadership Qualities
CISO RESUME
CISO Survey
A survey conducted in July 2014 of 203 US-based C-level executives found a startling lack of respect for CISOs in the enterprise. Below are some interesting statistics:
• 74% said they do not believe CISOs deserve a seat at the table and should not be part of an organization's leadership team.
• 54% believe CISOs should not be responsible for cybersecurity purchasing.
• 44% believe CISOs should be accountable for any organizational data breaches.
• 28% said their CISO has made cybersecurity decisions that negatively impacted the organization's financial health.
Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx
CISO Resume
Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:
• Degree in accounting or MBA, degree in CIS or Information Security;
• CPA, CISSP, CISM, CISA, PMP certifications;
• CFE, CEH, GPEN, CRISC specialized certifications;
• Ten years minimum experience as a CISO, information security engineer, or security consultant. Big 4 senior managers or partners from systems assurance would be an added plus;
• ISSA, ISACA, (ISC)2, OWASP, or CISO forum memberships.
Certifications vs Experience
Many of us have known those that tout technical expertise because of their long list of certifications, yet once hired, it does not take long before realization sets in. Hiring a CISO…
• Certifications get him through the door.
• The interview gives him a seat.
• The 90-day probationary period assures he can stay.
• His technical abilities determine what kind of work he can manage.
• His communication skills determine whether he deserves a “seat at the table” (Board).
Why not hire within?
Security professionals who work within the enterprise have great advantages.
• They know the IT environment
• They know the business
• They have earned certifications that are the envy of many
• They have established a competent rapport with network engineers and system administrators
However, many times the Peter Principle might apply such that the security professional has gone as far as he is capable of.
Good CISO Candidates
There will always be exceptions and each candidate should stand on their own. However, below is a list of good candidates for CISO.
• Director of Information Security
• Internal security professionals
• IT Audit Manager
• IT Risk Manager
• External CISO hire
• Big 4 Senior Manager or Partner
• Sr. Security Consultant
A prophet is not accepted in his own country.
REPORTING STRUCTURE
Reporting Structure
There are four basic questions in this debate.
(1) Should there be a CISO position?
(2) Who should the CISO report to?
(3) What are the pros and cons for CISO reporting structure?
(4) Who decides?
Should there be a CISO position?
The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be:
• Independent of influence or pressure from those affected in the protection of corporate assets;
• Empowered to deploy all proper levels of protection; and
• Positioned within the organization to embed information security into the business culture.
Who should the CISO report to?
The survey conducted in July 2014 by ThreatTrack Security found that:
• 47% of CISOs report to their CEO or president,
• 45% report to the CIO,
• 4% to the Chief Compliance Officer, and
• less than 2% to the COO or CFO.
Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx
Pros and Cons for CISO Reporting Structure
Pros:
• C-level executive that supports, understands and champions the information security function and CISO
• This provides the CISO independence, ability to disagree and empowerment to deploy the information security program
Cons:
• Where the CISO reports to is situational
• He might lose contact, credibility, cooperation and empowerment to control the security of corporate assets.
• C-level executive does not have sufficient appreciation or influence to support the CISO.
• Conversely, reporting to the CIO could be just as repressive
• It comes down to who the CISO would ultimately report to.
Who decides?
Despite the endless debates and opinions voiced whether the CISO should report to the CIO or another C-level executive, the ultimate question is “Who decides?”
• It clearly will not be the newly hired CISO.
• It will not be the existing Director of Information Security.
• The CIO might recommend hiring a CISO, but very likely reporting to the CIO.
• The CEO and board members should ultimately decide, but typically the question is not a consideration until they have experienced a breach or a major security incident.
CISO VISION AND RESPONSIBILITIES
CISO Vision and Responsibilities
The CISO's vision is to align the information security program with the enterprise strategic business objectives. The CISO's responsibility is to ensure the information security program meets those objectives and grows commensurate with the enterprise goals. Executive management looks to the CISO to:
• Define and manage the information security program
• Provide education and guidance to the executive team
• Present options and information to enable decision making
• Act as an information security advisor
CISO Vision and Responsibilities
This includes, but is not limited to:
• Executive Management Reporting
• Risk and compliance
• Information Security Administration
• Competent and skilled staff
• CSIRT Program
• Information Protection
• Security Monitoring
• Security Policies and Procedures
• Vendor Security
• Wireless Security
• Mobile Device Security
• Web Application Security
• Vulnerability Testing
• Security Tools
• Network Security
• Application Security
• Personnel Security
• Database Security
• Cloud Security
• Security Awareness Program
What the CISO should do to earn respect
• Use the "three C's" to emphasize the importance of information security within an organization:
– Cooperation precludes pernicious silos;
– Communication is critical but it must be incisive, relevant and done with aplomb; and
– Counterbalance ensures contributions are commensurate with business objectives.
• Identify a C-level team member who can champion the CISO's contributions and participation. Befriend, educate, earn trust and provide him or her with insightful information that will also elevate his or her visibility and credibility.
• Schedule monthly executive management reports on the state of information security for your enterprise. Use graphics and red-yellow-green icons to highlight areas to focus on, and communicate your message in business terms related to cost, ROI, risk, growth and compliance.
• Stay informed of current events and new technologies, especially as they relate to your enterprise industry.
What the CISO should do to earn respect
• Give business managers reason to praise your efforts and value. Meet with key business managers to better understand their pain points as they relate to information security, risk and compliance. Be a trusted business advisor.
• Embed information security in the project management cycle, the change management life cycle and the information governance process.
• Hire or build an exemplary staff with passion for information security.
• Be a luminary in your field so executive management is aware of your endeavors, not only from within, but from others outside your organization. Write articles. Give lectures on information security. Participate in professional organizations to gain insight into what works and what doesn't.
• Use a proven and industry-accepted framework, such as ISO 27001 or the NIST Cybersecurity Framework (used by Cybersecurity Nexus CSX).
PERSONAL QUALITIES
Personal Qualities
• Trusted Business Advisor – has a business sense of enterprise strategic goals
• Security Engineer – technically competent such that he can stand toe-to-toe with IT
• Leader – leads staff by example
• Manager – manages projects to completion
• Presence – good presence with executive management, commanding attention and respect
• Communicator – ability to communicate technical topics to the Board in terms they understand and support
• Assertive – not aggressive; does not have to be right or win an argument all the time
• Ethical – does not conceal bad news to save face
• Manageable – a CISO cannot manage if he is not manageable
Personal Qualities
• CISO needs to be
– Incisive,
– Diplomatic, and
– Confident
• CISO should have high technical acumen
• CISO should be passionate about information security
– but not so quixotic or dogmatic that it would call their credibility into question
• CISO should be an agent of change
– Not a cop
– Not an auditor
• CISO should be tough-skinned
LEADERSHIP QUALITIES
Leadership Qualities
• Cybersecurity is predominantly defensive in nature.
• Enterprises are subject to a constant barrage of attacks from inadvertent and advertent unauthorized access by internal and external sources.
• Each day the information security professional is challenged with new attack vectors and exploits.
• It is no wonder that protection measures, monitoring and remediation efforts seem futile and Sisyphean.
The CISO needs to:
• Lead by example
• Develop and grow the staff
• Recognize staff contributions
Lead by Example
• Infect your staff with your passion
• Hire or build exemplary staff that shares your passion for information security
• Let them see your interest, resolve and motive for information security
• Inculcate the maxim of being an agent of change
• Stand for professional ethics in the event the CISO's reporting executive instructs otherwise
• Do not instruct staff or IT to only provide auditors and assessors what they ask for and nothing more
– This says that half-truths are OK
– Staff will feel half-truths are OK with the CISO
– Ultimately hurts the enterprise
Develop and Grow the Staff
• There is an abundance of cybersecurity training that is not expensive, such as ISACA, ISSA, OWASP or OJT
• Assigning special projects to
– develop or update security policies,
– security awareness program,
– incident monitoring and reporting,
– vulnerability remediation efforts,
– controls testing,
– compliance testing, and
– proofs of concept (POC) for security solutions, whether you purchase them or not
• Certification training for
– CISSP, CISM and CISA
– SANS courses, EC-Council
Recognize Staff Contributions
• Recognize them publicly through
– newsletters,
– personally naming them, when appropriate, in management meetings,
– allowing them to participate in visible projects, and
– giving credit to those that had a direct hand in special project achievements.
• The CISO many times will get all the glory but will also get all the blame. Staff members need to believe the CISO is there to build, protect and champion their efforts.
The dynamics in this approach will realize staff willing to exceed expectations.
Summary
• CISO Resume
• Reporting Structure
• CISO Vision and Responsibilities
• Personal Qualities
• Leadership Qualities
BIO
Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a Contributing Writer for SearchSecurity - TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA, PA-QSA and ASV as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.