SlideShare uma empresa Scribd logo

Don't Get Left In The Dust How To Evolve From Ciso To Ciro

Priyanka Aash
Priyanka Aash

Don't Get Left In The Dust How To Evolve From Ciso To Ciro

Tecnologia
1 de 33
#RSAC SESSION ID: James Christiansen Bradley J. Schaufenbuel, CISSP Don’t Get Left in the Dust: How to Evolve from CISO to CIRO CXO-W04 Director of Information Security Midland States Bank bschaufenbuel@midlandsb.com VP – Information Risk Management Accuvant jchristiansen@accuvant.com JC-JC
#RSAC Agenda  The Evolution of the Role  Drivers of CIRO Emergence  What Makes the CIRO Different  Making the Transition  How to Apply  Summary JC-JC CIRO 2
#RSAC Introduction  The security landscape is changing.  There is a disconnect between the objectives of the traditional CISO and the businesses they serve.  It is time to evolve with the organizations we serve. JC-JC 3
#RSAC The Six Forces Require a Resilient Security Strategy Business Strategy Global Social and Political Forces Government and Industry Regulations Adversaries and Threats Organizational Culture IT Organization, Systems and Infrastructure JC-JC 4
#RSAC Progression of this Field… 1990-1998 IT Security 1999-2004 Info Sec 2005-2014 IT Risk Management 2015-??? Information Risk Management? JC-JC 5
#RSAC The Security Journey A business aligned strategy includes understanding the business and compliance objectives, threats, and risks AD HOC INFRASTRUCTURE BASED COMPLIANCE BASED THREAT BASED BUSINESS ALIGNED RISK BASED Shortcut = Failure to Pass INTEL DRIVEN JC-JC 6
#RSAC Guidance from the National Association of Corporate Directors (NACD) Executive Management / Board – NACD  Guidance includes specific questions about program maturity, breach notification, situational awareness, strategy and incident response PRINCIPLE 1: Cybersecurity is an enterprise- wide risk management issue, not just an IT issue PRINCIPLE 2: Understand Legal implications of cyber PRINCIPLE 3: Have regular updates and access to cyber security experts PRINCIPLE 4: Establish an enterprise- wide cyber-risk management framework with adequate staffing and budget PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate, or transfer through cyber insurance JC-BS 7
#RSAC Drivers of the Emergence of the CIRO – 1/2 Increase in outsourcing (greater emphasis on third party oversight) Changing threat landscape (need for risk based remediation) Greater expectations of boards and executive teams BS-BS 8
#RSAC Drivers of the Emergence of the CIRO – 2/2  Misalignment of security spending with business risk  Lack of support for taking calculated risks  Divergence amongst existing information governance functions BS-BS 9
#RSAC Where CISOs Fall Short – 1/2  Focus on information protection at the expense of other corporate goals. Information risk is a business problem with a shared budget responsibility  Focus on technology solutions in lieu of other controls (continual search for the next silver bullet) BS-BS 10
#RSAC  Emphasize risk elimination instead of risk optimization (‘no’ instead of ‘yes – if we …’)  Even “risk enlightened” leaders are fixated on technology risks (focus on ‘IT’ risk instead of ‘information’ risk) Where CISOs Fall Short – 2/2 BS-BS 11
#RSAC The Ideal CIRO  Traditional security knowledge (CISSP, CISM, etc.)  Business savvy (MBA)  Thinks like a lawyer and a hacker  Leader (comfortable in front of the board)  Understands risk management principles  Can implement project management fundamentals BS-JC 12
#RSAC The Successful Chief Information Risk Officer CIRO Information Driven Decision Making  Strategic and Operational Metrics / Dashboard  Information Risk Assessment and Management  Integration with Enterprise Risk Management Information Security is a Business Imperative  Enable Business to Securely Deliver Product and Services  Positive Interaction With Partners, Third-parties and Regulators Shared Budget Responsibility  Corporate and Business Unit - Balanced Risk and Cost  Prioritization With Other Strategic Business Projects JC-JC 13
#RSAC What Makes the CIRO Different?  Organizational profile – Executive team member with board access  Organizational alignment – Strategy dovetails with organization’s  Depth and breadth of skills  Business risk based approach  Leadership JC-JC 14
#RSAC Not Just Context, but Also Content Not just protection, but also: Timely destruction: What is the risk of keeping information too long or not long enough? Optimization of use: Are we extracting value from information? Collection practices: Do we even need to obtain the information? JC-JC 15
#RSAC What Functions Fall Under CIRO? May include parts of:  Traditional Information Security  Legal and Regulatory Compliance  Privacy  Third Party Oversight  Business Resilience  Physical Security JC-JC 16
#RSAC Reporting Structures, Old and New JC-BS 17
#RSAC Advantages of New Organizational Structure Aligns information risk with business priorities Visibility into organizational or product changes Supports shared responsibility for information risk Ensures that all types of information risk are addressed Able to address board, executive management and customers BS-BS 18
#RSAC Do We Need Another C-Level Position?  Value of information (and associated risk) rising.  Executive composition should parallel board’s fiduciary duties.  Consolidation of existing C-level positions (CPO, CISO / CSO, etc.) BS-BS 19
#RSAC Skills Required to Make the CIRO Transition Thorough understanding of risk management concepts  Factor Analysis of Information Risk (FAIR)1 1Source: Risk Management Insight (riskmanagementinsight.com) Executive level communication skills  Presentation Skills – Toastmasters  Written Skills – College & Editors / Colleagues Thorough understanding of your organization’s business, objectives and growth plans  Regular meetings with business executives BS-BS 20
#RSAC The Information Risk Transformation  Transition yourself from law enforcement / military mindset to that of a business risk manager  Add risk management skill set to staff (through training or hiring)  Don’t forget about information in non- electronic format BS-BS 21
#RSAC  Understanding Regulations:  Translate legal regulations to internal activities to meet spirit (legislative intent) and letter of the law. Establish a good working relationship with your attorneys. Participate in standard setting and regulatory rulemaking processes (i.e., help shape the rules).  Threat Landscape: Implement threat analytics maturity model  Understand the corporate culture: Risk aversion, rate of change, cultural differences, countries of operation How? BS-JC 22
#RSAC Evolution of the CISO to the CIRO Securing the Organization CISO Secure the internal organization Manage the risk of third parties Manage regulatory risks Communicate current status and risks to boardBusiness Acumen Regulatory Compliance Management Third-Party Risk Management Information Security CIRO JC-JC 23
#RSAC  Keep it short and concise – Typically they will want pre-materials  Never guess at an answer – They read people very well!  Information Risk Dashboard  Include areas of risk inside and outside the organization  Trends – What areas of risk are increasing and decreasing  New risk highlights  Overall goal – Demonstrate the effectiveness of your information risk management program over time. Executive Management / Board – Tips Source: NACD, Cyber-Risk Oversight, Directors Handbook 2014 JC-BS 24
#RSAC Using Existing Enterprise Risk Management (ERM) Program (or Create One)  Leverage the existing enterprise risk management (ERM) program (if one exists).  Information risk is a subset of enterprise risk.  If there isn’t an enterprise risk management program, sponsor one (position yourself to be CRO). BS-BS 25
#RSAC Leveraging Information Risk to Drive Value Concrete Examples:  Factoring in an information risk discount on an acquisition valuation / purchase price  Leveraging fraud and security data to improve customer experience BS-JC 26
#RSAC  Revenue Contribution  Enable Business Efficiency  Product Delivery  Brand Name Confidence  Earnings Contribution  Reduced Operating Expenses Related to Security Failure  Long Term Reduction of Security Program Costs  Circumvent Costs of Regulatory Non-compliance 27 Contributing to the Organization’s Success JC-JC
#RSAC Managing Information Risk 28 Ease of Doing Business Effective Compliance Information Technology GovernancePeople Information Security Regulatory Compliance Third Party Risk Information Risk Management JC-JC Enhanced Security Global Execution Process Improvement Third PartiesRegulations
#RSAC The Reward  Earned respect from organizational peers  Inclusion in your organization’s strategic decision making processes and forums  Perception shifts from marginal cost center to value adding unit JC-BS 29
#RSAC Summary We have established:  The current CISO role is not meeting organizational needs  CISO must adapt or go the way of the Dodo bird  A focus on managing information risk offers a superior alignment to the organization’s objectives  There are steps you can take to position yourself for this transition BS-BS 30
#RSAC Apply It TODAY Immediate actions: Assess you and your program’s readiness to make the CIRO transition Establish YOUR plan to gain and implement necessary skills 90 DAYS Take steps to realign skill sets, focus, and organizational structure to an information risk based approach +90 DAYS BS-BS 31
#RSAC Resources  The Evolution of the CISO (accuvant.com/resources/risk-and-the-ciso- role#sthash.TUMIWWV7.dpuf)  NACD – Cyber-Risk Oversight Handbook (nacdonline.org/cyber)  Introduction to Factor Analysis of Information Risk (FAIR) (riskmanagementinsight.com)  Six Forces of Security Strategy (accuvant.com/resources/accuvants-six- forces-of-security-strategy) 32 BS-BS
#RSAC Questions? jchristiansen@accuvant.com bschaufenbuel@midlandsb.com 33

Recomendados

Connecting L&D With Integrated Talent Management
Connecting L&D With Integrated Talent ManagementConnecting L&D With Integrated Talent Management
Connecting L&D With Integrated Talent Management
Human Capital Media
 
Characteristics Of Leader and Managerial Skills
Characteristics Of Leader and Managerial SkillsCharacteristics Of Leader and Managerial Skills
Characteristics Of Leader and Managerial Skills
Sameer Dhurat
 
Supervisory Skills
Supervisory SkillsSupervisory Skills
Supervisory Skills
Laurence Yap M.A. (UM) CHRM
 
The One on One Meeting Agenda
The One on One Meeting AgendaThe One on One Meeting Agenda
The One on One Meeting Agenda
ManagerFoundation
 
How to be a good manager
How to be a good managerHow to be a good manager
How to be a good manager
Alexandru Razvan
 
Presentation on succession planning
Presentation on succession planningPresentation on succession planning
Presentation on succession planning
Rehan Turki
 
Supervisory Management Skills
Supervisory Management SkillsSupervisory Management Skills
Supervisory Management Skills
Ranita Kaur
 
Sink or Swim: Supporting the Transition to New Manager
Sink or Swim: Supporting the Transition to New ManagerSink or Swim: Supporting the Transition to New Manager
Sink or Swim: Supporting the Transition to New Manager
BizLibrary
 

Recomendados

Connecting L&D With Integrated Talent Management
Connecting L&D With Integrated Talent ManagementConnecting L&D With Integrated Talent Management
Connecting L&D With Integrated Talent Management
Human Capital Media
 
Characteristics Of Leader and Managerial Skills
Characteristics Of Leader and Managerial SkillsCharacteristics Of Leader and Managerial Skills
Characteristics Of Leader and Managerial Skills
Sameer Dhurat
 
Supervisory Skills
Supervisory SkillsSupervisory Skills
Supervisory Skills
Laurence Yap M.A. (UM) CHRM
 
The One on One Meeting Agenda
The One on One Meeting AgendaThe One on One Meeting Agenda
The One on One Meeting Agenda
ManagerFoundation
 
How to be a good manager
How to be a good managerHow to be a good manager
How to be a good manager
Alexandru Razvan
 
Presentation on succession planning
Presentation on succession planningPresentation on succession planning
Presentation on succession planning
Rehan Turki
 
Supervisory Management Skills
Supervisory Management SkillsSupervisory Management Skills
Supervisory Management Skills
Ranita Kaur
 
Sink or Swim: Supporting the Transition to New Manager
Sink or Swim: Supporting the Transition to New ManagerSink or Swim: Supporting the Transition to New Manager
Sink or Swim: Supporting the Transition to New Manager
BizLibrary
 
[PM Shool] Delegation & people management
[PM Shool] Delegation & people management[PM Shool] Delegation & people management
[PM Shool] Delegation & people management
Natali Renska
 
Supervisory skill
Supervisory skillSupervisory skill
Supervisory skill
sudarshan jadwal
 
Effective supervisory skill trainig
Effective supervisory skill trainigEffective supervisory skill trainig
Effective supervisory skill trainig
Shaikh. Md. Shahinur Alam
 
Palestra sobre Gestão de Continuidade de Negócios
Palestra sobre Gestão de Continuidade de NegóciosPalestra sobre Gestão de Continuidade de Negócios
Palestra sobre Gestão de Continuidade de Negócios
GLM Consultoria
 
Supervisory Skills
Supervisory SkillsSupervisory Skills
Supervisory Skills
jakeandikory
 
Leadership skills (The New Manager's Coaching Guide)
Leadership skills (The New Manager's Coaching Guide)Leadership skills (The New Manager's Coaching Guide)
Leadership skills (The New Manager's Coaching Guide)
Austin Nway Aye Maung
 
People_Management_Emranul_Haque
People_Management_Emranul_HaquePeople_Management_Emranul_Haque
People_Management_Emranul_Haque
EMRANUL HAQUE
 
5 Solutions to Prevent Your HiPo Program From Failing
5 Solutions to Prevent Your HiPo Program From Failing 5 Solutions to Prevent Your HiPo Program From Failing
5 Solutions to Prevent Your HiPo Program From Failing
Mark Stuart - Leadership Trainer
 
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
Human Capital Media
 
Finding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO StudyFinding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO Study
IBMGovernmentCA
 
The one minute manager
The one minute managerThe one minute manager
The one minute manager
Tania Aslam
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
PECB
 
Self-Motivation: Fly plane no hand
Self-Motivation: Fly plane no handSelf-Motivation: Fly plane no hand
Self-Motivation: Fly plane no hand
Dr.Arivalan Ramaiyah
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
The 7 Habits of Highly Effective People
The 7 Habits of Highly Effective PeopleThe 7 Habits of Highly Effective People
The 7 Habits of Highly Effective People
Tania Aslam
 
Crisis communication
Crisis communicationCrisis communication
Crisis communication
Dr.Arivalan Ramaiyah
 
Effective listening
Effective listeningEffective listening
Effective listening
Tania Aslam
 
Selling effective techniques that work!
Selling effective techniques that work!Selling effective techniques that work!
Selling effective techniques that work!
Tania Aslam
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
Seccuris Inc.
 
Productivity Tips: Change Your Mood
Productivity Tips: Change Your MoodProductivity Tips: Change Your Mood
Productivity Tips: Change Your Mood
Muhammad Noer
 
Transformational leadership
Transformational leadershipTransformational leadership
Transformational leadership
Dr.Arivalan Ramaiyah
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
Priyanka Aash
 

Mais conteúdo relacionado

Mais procurados

The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
Human Capital Media
 

Mais procurados (9)

[PM Shool] Delegation & people management
[PM Shool] Delegation & people management[PM Shool] Delegation & people management
[PM Shool] Delegation & people management
 
Supervisory skill
Supervisory skillSupervisory skill
Supervisory skill
 
Effective supervisory skill trainig
Effective supervisory skill trainigEffective supervisory skill trainig
Effective supervisory skill trainig
 
Palestra sobre Gestão de Continuidade de Negócios
Palestra sobre Gestão de Continuidade de NegóciosPalestra sobre Gestão de Continuidade de Negócios
Palestra sobre Gestão de Continuidade de Negócios
 
Supervisory Skills
Supervisory SkillsSupervisory Skills
Supervisory Skills
 
Leadership skills (The New Manager's Coaching Guide)
Leadership skills (The New Manager's Coaching Guide)Leadership skills (The New Manager's Coaching Guide)
Leadership skills (The New Manager's Coaching Guide)
 
People_Management_Emranul_Haque
People_Management_Emranul_HaquePeople_Management_Emranul_Haque
People_Management_Emranul_Haque
 
5 Solutions to Prevent Your HiPo Program From Failing
5 Solutions to Prevent Your HiPo Program From Failing 5 Solutions to Prevent Your HiPo Program From Failing
5 Solutions to Prevent Your HiPo Program From Failing
 
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
The Carrot Principle — How the Best Managers Use Recognition to Engage Their ...
 

Destaque

The one minute manager
The one minute managerThe one minute manager
The one minute manager
Tania Aslam
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
PECB
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
Effective listening
Effective listeningEffective listening
Effective listening
Tania Aslam
 
Selling effective techniques that work!
Selling effective techniques that work!Selling effective techniques that work!
Selling effective techniques that work!
Tania Aslam
 
Advanced Communications Using NLP Methods
Advanced Communications Using NLP MethodsAdvanced Communications Using NLP Methods
Advanced Communications Using NLP Methods
Dr.Arivalan Ramaiyah
 

Destaque (20)

Finding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO StudyFinding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO Study
 
The one minute manager
The one minute managerThe one minute manager
The one minute manager
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
Self-Motivation: Fly plane no hand
Self-Motivation: Fly plane no handSelf-Motivation: Fly plane no hand
Self-Motivation: Fly plane no hand
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
The 7 Habits of Highly Effective People
The 7 Habits of Highly Effective PeopleThe 7 Habits of Highly Effective People
The 7 Habits of Highly Effective People
 
Crisis communication
Crisis communicationCrisis communication
Crisis communication
 
Effective listening
Effective listeningEffective listening
Effective listening
 
Selling effective techniques that work!
Selling effective techniques that work!Selling effective techniques that work!
Selling effective techniques that work!
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
Productivity Tips: Change Your Mood
Productivity Tips: Change Your MoodProductivity Tips: Change Your Mood
Productivity Tips: Change Your Mood
 
Transformational leadership
Transformational leadershipTransformational leadership
Transformational leadership
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
 
What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information Governance
 
The 5 Dysfunctions of a Team
The 5 Dysfunctions of a TeamThe 5 Dysfunctions of a Team
The 5 Dysfunctions of a Team
 
Advanced Communications Using NLP Methods
Advanced Communications Using NLP MethodsAdvanced Communications Using NLP Methods
Advanced Communications Using NLP Methods
 
The 5 dysfunctions of a team Management Presentation
The 5 dysfunctions of a team Management PresentationThe 5 dysfunctions of a team Management Presentation
The 5 dysfunctions of a team Management Presentation
 
Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...
Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...
Presentasi Corporate Profile - Presentasi.net menggunakan template WOW Presen...
 
From Zero to Hero
From Zero to HeroFrom Zero to Hero
From Zero to Hero
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
 

Semelhante a Don't Get Left In The Dust How To Evolve From Ciso To Ciro

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
John Budriss
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
Scott Smith
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
awish11
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaper
Bilha Diaz
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
Chris Cornillie
 

Semelhante a Don't Get Left In The Dust How To Evolve From Ciso To Ciro (20)

From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIRO
 
Partnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPartnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of Cybersecurity
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Risk Product.pptx
Risk Product.pptxRisk Product.pptx
Risk Product.pptx
 
Briefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directorsBriefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directors
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
110.decision makers.cio.ciso
110.decision makers.cio.ciso110.decision makers.cio.ciso
110.decision makers.cio.ciso
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 
No more security empires - The ciso as an individual contributor
No more security empires - The ciso as an individual contributorNo more security empires - The ciso as an individual contributor
No more security empires - The ciso as an individual contributor
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaper
 
CISO Executive Search - Matching Leadership to Cybersecurity Challenges.pdf
CISO Executive Search - Matching Leadership to Cybersecurity Challenges.pdfCISO Executive Search - Matching Leadership to Cybersecurity Challenges.pdf
CISO Executive Search - Matching Leadership to Cybersecurity Challenges.pdf
 
The 7 Factors of CISO Impact at RSA 2015
The 7 Factors of CISO Impact at RSA 2015The 7 Factors of CISO Impact at RSA 2015
The 7 Factors of CISO Impact at RSA 2015
 
IANS 2015 RSA Presentation
IANS 2015 RSA PresentationIANS 2015 RSA Presentation
IANS 2015 RSA Presentation
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
 

Mais de Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Mais de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Don't Get Left In The Dust How To Evolve From Ciso To Ciro

  • 1. #RSAC SESSION ID: James Christiansen Bradley J. Schaufenbuel, CISSP Don’t Get Left in the Dust: How to Evolve from CISO to CIRO CXO-W04 Director of Information Security Midland States Bank bschaufenbuel@midlandsb.com VP – Information Risk Management Accuvant jchristiansen@accuvant.com JC-JC
  • 2. #RSAC Agenda  The Evolution of the Role  Drivers of CIRO Emergence  What Makes the CIRO Different  Making the Transition  How to Apply  Summary JC-JC CIRO 2
  • 3. #RSAC Introduction  The security landscape is changing.  There is a disconnect between the objectives of the traditional CISO and the businesses they serve.  It is time to evolve with the organizations we serve. JC-JC 3
  • 4. #RSAC The Six Forces Require a Resilient Security Strategy Business Strategy Global Social and Political Forces Government and Industry Regulations Adversaries and Threats Organizational Culture IT Organization, Systems and Infrastructure JC-JC 4
  • 5. #RSAC Progression of this Field… 1990-1998 IT Security 1999-2004 Info Sec 2005-2014 IT Risk Management 2015-??? Information Risk Management? JC-JC 5
  • 6. #RSAC The Security Journey A business aligned strategy includes understanding the business and compliance objectives, threats, and risks AD HOC INFRASTRUCTURE BASED COMPLIANCE BASED THREAT BASED BUSINESS ALIGNED RISK BASED Shortcut = Failure to Pass INTEL DRIVEN JC-JC 6
  • 7. #RSAC Guidance from the National Association of Corporate Directors (NACD) Executive Management / Board – NACD  Guidance includes specific questions about program maturity, breach notification, situational awareness, strategy and incident response PRINCIPLE 1: Cybersecurity is an enterprise- wide risk management issue, not just an IT issue PRINCIPLE 2: Understand Legal implications of cyber PRINCIPLE 3: Have regular updates and access to cyber security experts PRINCIPLE 4: Establish an enterprise- wide cyber-risk management framework with adequate staffing and budget PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate, or transfer through cyber insurance JC-BS 7
  • 8. #RSAC Drivers of the Emergence of the CIRO – 1/2 Increase in outsourcing (greater emphasis on third party oversight) Changing threat landscape (need for risk based remediation) Greater expectations of boards and executive teams BS-BS 8
  • 9. #RSAC Drivers of the Emergence of the CIRO – 2/2  Misalignment of security spending with business risk  Lack of support for taking calculated risks  Divergence amongst existing information governance functions BS-BS 9
  • 10. #RSAC Where CISOs Fall Short – 1/2  Focus on information protection at the expense of other corporate goals. Information risk is a business problem with a shared budget responsibility  Focus on technology solutions in lieu of other controls (continual search for the next silver bullet) BS-BS 10
  • 11. #RSAC  Emphasize risk elimination instead of risk optimization (‘no’ instead of ‘yes – if we …’)  Even “risk enlightened” leaders are fixated on technology risks (focus on ‘IT’ risk instead of ‘information’ risk) Where CISOs Fall Short – 2/2 BS-BS 11
  • 12. #RSAC The Ideal CIRO  Traditional security knowledge (CISSP, CISM, etc.)  Business savvy (MBA)  Thinks like a lawyer and a hacker  Leader (comfortable in front of the board)  Understands risk management principles  Can implement project management fundamentals BS-JC 12
  • 13. #RSAC The Successful Chief Information Risk Officer CIRO Information Driven Decision Making  Strategic and Operational Metrics / Dashboard  Information Risk Assessment and Management  Integration with Enterprise Risk Management Information Security is a Business Imperative  Enable Business to Securely Deliver Product and Services  Positive Interaction With Partners, Third-parties and Regulators Shared Budget Responsibility  Corporate and Business Unit - Balanced Risk and Cost  Prioritization With Other Strategic Business Projects JC-JC 13
  • 14. #RSAC What Makes the CIRO Different?  Organizational profile – Executive team member with board access  Organizational alignment – Strategy dovetails with organization’s  Depth and breadth of skills  Business risk based approach  Leadership JC-JC 14
  • 15. #RSAC Not Just Context, but Also Content Not just protection, but also: Timely destruction: What is the risk of keeping information too long or not long enough? Optimization of use: Are we extracting value from information? Collection practices: Do we even need to obtain the information? JC-JC 15
  • 16. #RSAC What Functions Fall Under CIRO? May include parts of:  Traditional Information Security  Legal and Regulatory Compliance  Privacy  Third Party Oversight  Business Resilience  Physical Security JC-JC 16
  • 18. #RSAC Advantages of New Organizational Structure Aligns information risk with business priorities Visibility into organizational or product changes Supports shared responsibility for information risk Ensures that all types of information risk are addressed Able to address board, executive management and customers BS-BS 18
  • 19. #RSAC Do We Need Another C-Level Position?  Value of information (and associated risk) rising.  Executive composition should parallel board’s fiduciary duties.  Consolidation of existing C-level positions (CPO, CISO / CSO, etc.) BS-BS 19
  • 20. #RSAC Skills Required to Make the CIRO Transition Thorough understanding of risk management concepts  Factor Analysis of Information Risk (FAIR)1 1Source: Risk Management Insight (riskmanagementinsight.com) Executive level communication skills  Presentation Skills – Toastmasters  Written Skills – College & Editors / Colleagues Thorough understanding of your organization’s business, objectives and growth plans  Regular meetings with business executives BS-BS 20
  • 21. #RSAC The Information Risk Transformation  Transition yourself from law enforcement / military mindset to that of a business risk manager  Add risk management skill set to staff (through training or hiring)  Don’t forget about information in non- electronic format BS-BS 21
  • 22. #RSAC  Understanding Regulations:  Translate legal regulations to internal activities to meet spirit (legislative intent) and letter of the law. Establish a good working relationship with your attorneys. Participate in standard setting and regulatory rulemaking processes (i.e., help shape the rules).  Threat Landscape: Implement threat analytics maturity model  Understand the corporate culture: Risk aversion, rate of change, cultural differences, countries of operation How? BS-JC 22
  • 23. #RSAC Evolution of the CISO to the CIRO Securing the Organization CISO Secure the internal organization Manage the risk of third parties Manage regulatory risks Communicate current status and risks to boardBusiness Acumen Regulatory Compliance Management Third-Party Risk Management Information Security CIRO JC-JC 23
  • 24. #RSAC  Keep it short and concise – Typically they will want pre-materials  Never guess at an answer – They read people very well!  Information Risk Dashboard  Include areas of risk inside and outside the organization  Trends – What areas of risk are increasing and decreasing  New risk highlights  Overall goal – Demonstrate the effectiveness of your information risk management program over time. Executive Management / Board – Tips Source: NACD, Cyber-Risk Oversight, Directors Handbook 2014 JC-BS 24
  • 25. #RSAC Using Existing Enterprise Risk Management (ERM) Program (or Create One)  Leverage the existing enterprise risk management (ERM) program (if one exists).  Information risk is a subset of enterprise risk.  If there isn’t an enterprise risk management program, sponsor one (position yourself to be CRO). BS-BS 25
  • 26. #RSAC Leveraging Information Risk to Drive Value Concrete Examples:  Factoring in an information risk discount on an acquisition valuation / purchase price  Leveraging fraud and security data to improve customer experience BS-JC 26
  • 27. #RSAC  Revenue Contribution  Enable Business Efficiency  Product Delivery  Brand Name Confidence  Earnings Contribution  Reduced Operating Expenses Related to Security Failure  Long Term Reduction of Security Program Costs  Circumvent Costs of Regulatory Non-compliance 27 Contributing to the Organization’s Success JC-JC
  • 28. #RSAC Managing Information Risk 28 Ease of Doing Business Effective Compliance Information Technology GovernancePeople Information Security Regulatory Compliance Third Party Risk Information Risk Management JC-JC Enhanced Security Global Execution Process Improvement Third PartiesRegulations
  • 29. #RSAC The Reward  Earned respect from organizational peers  Inclusion in your organization’s strategic decision making processes and forums  Perception shifts from marginal cost center to value adding unit JC-BS 29
  • 30. #RSAC Summary We have established:  The current CISO role is not meeting organizational needs  CISO must adapt or go the way of the Dodo bird  A focus on managing information risk offers a superior alignment to the organization’s objectives  There are steps you can take to position yourself for this transition BS-BS 30
  • 31. #RSAC Apply It TODAY Immediate actions: Assess you and your program’s readiness to make the CIRO transition Establish YOUR plan to gain and implement necessary skills 90 DAYS Take steps to realign skill sets, focus, and organizational structure to an information risk based approach +90 DAYS BS-BS 31
  • 32. #RSAC Resources  The Evolution of the CISO (accuvant.com/resources/risk-and-the-ciso- role#sthash.TUMIWWV7.dpuf)  NACD – Cyber-Risk Oversight Handbook (nacdonline.org/cyber)  Introduction to Factor Analysis of Information Risk (FAIR) (riskmanagementinsight.com)  Six Forces of Security Strategy (accuvant.com/resources/accuvants-six- forces-of-security-strategy) 32 BS-BS