The CISO Guide – How Do You Spell CISO?

Barry Caplin – How Do You Spell CISO? Wed. May 14, 2014, 11A. Like what you hear? Tweet it using: #Sec360

description

I recently became a new CISO. Well, the CISO position is new to the org, as am I, but I am not new to the CISO role. I came in with a plan and am executing on that plan. This talk is targeted at: new CISOs, organizations considering a CISO position, any security professional looking to get to the “next level”, or anyone considering remaking their security program.

Transcript of The CISO Guide – How Do You Spell CISO?

Page 1: The CISO Guide – How Do You Spell CISO?

BARRY CAPLIN

HOW DO YOU SPELL CISO?

WED. MAY 14, 2014, 11A

Like what you hear? Tweet it using: #Sec360

Page 2: The CISO Guide – How Do You Spell CISO?

How Do You Spell CISO?

Secure360

Wed. May 14, 2014

@bcaplin

http://about.me/barrycaplin

http://securityandcoffee.blogspot.com

Barry Caplin

Chief Information Security Officer

Fairview Health Services

Page 3: The CISO Guide – How Do You Spell CISO?

http://about.me/barrycaplin

securityandcoffee.blogspot.com

@bcaplin

Page 4: The CISO Guide – How Do You Spell CISO?

Fairview Overview

• Not-for-profit established in 1906

• Academic Health System since 1997 partnership with University of Minnesota

• >22K employees

• >3,300 aligned physicians (employed, faculty, independent)

• 7 hospitals/medical centers (>2,500 staffed beds)

• 40-plus primary care clinics

• 55-plus specialty clinics

• 47 senior housing locations

• 30-plus retail pharmacies

2012 data

• 5.7 million outpatient encounters

• 74,649 inpatient admissions

• $2.8 billion total assets

• $3.2 billion total revenue

Page 5: The CISO Guide – How Do You Spell CISO?

Who is Fairview?

A partnership of North Memorial and Fairview

Page 6: The CISO Guide – How Do You Spell CISO?

Did you ever think about…

Page 7: The CISO Guide – How Do You Spell CISO?

Challenges

• Keep it simple

• Keep it High Level

• Don’t let ‘em pull you in to the weeds

Page 8: The CISO Guide – How Do You Spell CISO?

Game Time!

Page 9: The CISO Guide – How Do You Spell CISO?

First Quarter

• Learn the Business

• Culture of Security

• Baseline the Organization

Page 10: The CISO Guide – How Do You Spell CISO?

Learn the Business

Business/Ops lead – not Security or IT

• Do you know? Industry; Niche; Mission/Vision; Why/What/How; The Organization

Page 11: The CISO Guide – How Do You Spell CISO?

Learn the Business

• Ask Questions

• Org Charts

• Get Out of the Building!

• 1:1’s; Divisional meetings; Leaders; C-suite

Page 12: The CISO Guide – How Do You Spell CISO?

Learn the Business

• Agenda: Introduction; learn about the business area; what works and what doesn't; partnership opportunities; what can I do for you?

• Establish your office; Create Champions

Page 13: The CISO Guide – How Do You Spell CISO?

A Culture of Security

A journey of a thousand miles begins with a single step.

- Lao-tzu, The Way of Lao-tzu, Chinese philosopher (604 BC - 531 BC)

You gotta start somewhere. - Me

Page 14: The CISO Guide – How Do You Spell CISO?

A Culture of Security

• Is there existing training?

• Train for Compliance

• Awareness to reinforce

• Create Evangelists

Page 15: The CISO Guide – How Do You Spell CISO?

A Culture of Security

• Be Relevant

• Connect to the Business

• Seek out and Destroy controls that add no value

Page 16: The CISO Guide – How Do You Spell CISO?

Baseline the Organization

Helps you:

• Know where things stand

• Show progress

Page 17: The CISO Guide – How Do You Spell CISO?

Baseline the Organization

Methods:

• Compare against known standard

• Maturity Model: CObIT Security Baseline; CObIT Maturity Assessment Tool; Gartner IT Score; Homegrown

Page 18: The CISO Guide – How Do You Spell CISO?

In your spare time…

• Low hanging fruit

• Other duties as assigned

Page 19: The CISO Guide – How Do You Spell CISO?

Second Quarter

• Strategic Planning

• Tactical Planning

• Roadmap

Page 20: The CISO Guide – How Do You Spell CISO?

Security is not a Project….

It’s a Lifestyle!


Page 21: The CISO Guide – How Do You Spell CISO?

Strategic Planning

Page 22: The CISO Guide – How Do You Spell CISO?

Strategic Planning

• High-level

• Outcomes

• Framework: NIST; CObIT; HITRUST; ISO27001

Page 23: The CISO Guide – How Do You Spell CISO?

Strategic Planning

• Business info +

• Baseline analysis +

• Risk Assessment + Threat Assessment: Assets; Actors; Actions

• Vision = Time Travel

Page 24: The CISO Guide – How Do You Spell CISO?

Threat Modeling/Assessment

• Elevation of Privilege http://www.microsoft.com/security/sdl/adopt/eop.aspx

• Cntl-Alt-Hack http://www.controlalthack.com/

• UW Security Cards http://securitycards.cs.washington.edu/

Page 25: The CISO Guide – How Do You Spell CISO?

Tactical Planning

• Tactics are “How?”: Support each strategy; More granular; Shorter timeframe (1-3 yrs.)

Page 26: The CISO Guide – How Do You Spell CISO?

Strategy/Tactics

Page 27: The CISO Guide – How Do You Spell CISO?

Roadmap

Page 28: The CISO Guide – How Do You Spell CISO?

Third Quarter…

• Execute!

• Metrics/KPIs/KRIs

• Communicating Risk

• BoD Reports

Page 29: The CISO Guide – How Do You Spell CISO?

…And Beyond

The “game” never ends.

• Iterative processes

• Support the “bridges”

• Living documents

• Review and refine

Page 30: The CISO Guide – How Do You Spell CISO?