Pradeep Menon: How to Influence People and Win Top Management Buy-in for CISO

Transcript

Page 1

The New CISO

Pradeep Menon, Executive Vice President and Director, Quadrant Risk Management

The 3rd Kuwait InfoSecurity Conference, May 26, 2011

Page 2

Agenda

› The Evolving Role of the CISO
› Selling Security Internally

Page 3

The CISO

› The role of the Chief Information Security Officer (CISO) is becoming very strategic in nature
› Some of the key drivers for this strategic visibility include:
  › Breaches that lead to impairment of organizational vision and mission
  › Regulatory requirements
  › Attention on risk management in a challenging economic climate

Page 4

Evolution of the Role for Information Security

› Operational: 9-12 years ago
› Tactical: 5-8 years ago
› Strategic: since the last 2-3 years

Source: Forrester Research

Page 5

New Responsibilities

› The emerging role of the CISO and information security office calls for new skills and responsibilities to be undertaken, including:
  › Marketing and selling of Information Security within the organization
  › Quantifying benefits
  › Moving from Controller to Business Enabler
  › Program-managing security rather than project-managing it
  › Representation in the senior management decision-making bodies

Page 6

The Major Roadblocks that CISOs Still Face

› Acceptance by top management
› Shrinking IS budgets
› Feeling the need for IS spending
› Lack of regulations

Page 7

Agenda

› The Evolving Role of the CISO
› Selling Security Internally

Page 8

Tips for Enhancing CISO Value and Reach

Branding Security

› Security could be branded as a member of the organization
› Creating characters, voices and visuals that represent security in a meaningful way
› E.g. Salim from aeCERT

Page 9

Tips for Enhancing CISO Value and Reach

CEO Involvement

› Make the CEO sign important Information Security policies
› Make the CEO speak about security
› Educate the CEO with important news and reports through periodic meetings

Page 10

Tips for Enhancing CISO Value and Reach

Business Involvement

› Organize quarterly meetings where business users and InfoSec teams interact
› Let business users express their views
› Conduct white paper sessions to demonstrate how security issues can lead to loss of customers

(Diagram: Business + Information Security = Total Security)

Page 11

Tips for Enhancing CISO Value and Reach

Security Awareness Day

› Security should become a habit, not a regulation
› Celebrate security practices and achievements
› Place kiosks, stalls etc. to create awareness about following security practices
› Let the CEO inaugurate the proceedings of the day
› Involve people from business units
› Conduct contests

Page 12

Tips for Enhancing CISO Value and Reach

External Agencies

› Form Information Security sub-committees in organizations such as KITS (if not already in place)
› Influence regulatory bodies and excellence centers such as CAIT and central banks
  › e.g., SAMA regulation for Multi-Factor Authentication
  › ADSIC – Information Security Program

Page 13

Tips for Enhancing CISO Value and Reach

Annual ISMS Reporting

› Publishing annual reports on IS activities and developments for the year
› Creating a web portal for users to view various reports on the metrics on which their contribution to IS initiatives is rated

Page 14

Tips for Enhancing CISO Value and Reach

External Consultancies

› External consultancies are SMEs
› Their experience is wide and deep in an area
› Utilizing consultancies for specific programs might make it easier to get management buy-in
› Organizational hierarchy could be a bottleneck to expressing views and concerns regarding security issues
› Look upon consultancies as partners or change agents, not as vendors or spenders

Page 15

Tips for Enhancing CISO Value and Reach

Other CISO Involvement

› Inviting CISOs from other companies helps in knowledge exchange and gains on both sides
› Forums such as LinkedIn and Facebook have been instrumental in generating "networking"
› Involvement in joint research initiatives through organizations such as CAIT (The Central Agency for Information Technology), KITS (Kuwait Information Technology Society), aeCERT, OCERT etc.

Page 16

Tips for Enhancing CISO Value and Reach

External Involvement

› Incentives for your IS team members to contribute to and attend various events such as conferences, trainings, seminars etc.
› Encourage publishing of white papers on popular websites and in journals, on behalf of the organization

Page 17

Thank You

Pradeep Menon, Executive Vice President and Director, Quadrant Risk Management

Email: [email protected]
Tel: +971-4-6091970
Mob: +971-50-4815260