This document provides an overview of information security program development using the Gartner hype cycle as an illustrative model. It discusses business drivers for security programs such as regulatory requirements and data breaches. It also addresses the challenges of burnout faced by information security professionals and emphasizes the importance of resilience through maintaining perspective and self-care. The document advocates for an approach to security that focuses on enablement through people, process, and technology rather than technology alone.
1. governance, strategy
and performance
vs. culture and approach
information security risk management
program development & career resilience
chris r. rowland m.s. cissp cism
2. disclaimer
“all models are wrong, but some are useful”
george e. p. box
3. attribution
“we have met the enemy and he is us”
walt kelly, 1971
5. attribution
brian krebs will most likely not write an article explicitly identifying a company’s culture as the culprit in a data breach
krebs on security
http://marketrealist.com/2015/06/rise-rise-cyber-security/
6. attribution
edward snowden, however…
“the biggest issue was in layer eight of the network: in other words, the difficulty in getting ordinary people to use technology effectively and the politics preventing that from happening”
9. culture
the tone of tenure: relationship-based work environments
orgs where the average tenure of the employee is 15 years or more will have neural pathways that are well-worn with habits from a relationship-based work environment
10. culture
the tone of tenure: absence of good governance
governance, process and workflow in these organizations can be viewed as a dark forest, not a green field
11. culture
the tone of tenure: resilience to change
change agents without a strong champion will be a foreign body surrounded by white blood cells, strengthening an already resilient immunity to change
12. culture
dichotomy and distinction
cultures may have a dominant and subordinate behavior, with the distinction being set by the organization’s leadership

relationship-based: discussions focus on…
• who is in power
• who has influence
• who you know
• effort on maintaining powerbase
• recognition with invitation to exclusive happy hour

governance model: discussions focus on…
• identifying stakeholders
• understanding requirements
• execution and results
• effort toward continuous improvement
• recognition with performance awards
13. culture
deflecting strategies and tactics
making targets disappear…
toxic behaviors in relationship-based cultures are used to sustain a powerbase
“Bad organizations choose to ‘forget’ less flattering events of their institutional history, especially those that conflict with their self-generated mythologies. Sometimes that process requires them to create new unpersons out of individuals associated with those events.”
https://newworkplace.wordpress.com/2015/10/05/workplace-bullying-strategies-and-tactics-an-updated-round-up/
14. culture
entitlement entropy
no amount of security awareness training will address apathy, entitlement or the malcontent
16. culture
ambiguity
‘thriving in ambiguity’ is not a skill, it is a coping mechanism
• the ‘dragon’ to governance
• out-of-band decision-making
• indeterminate accountability
• ad-hoc and reactive environment
17. culture
gallup before you walk
state of the global workplace
http://www.gallup.com/strategicconsulting/164735/state-global-workplace.aspx
18. culture
the vast majority of employed people around the globe are ‘not-engaged’ or ‘actively disengaged’ at work
gallup, state of the global workplace
19. culture
24 percent of all employees are what gallup calls ‘actively disengaged.’
gallup, state of the global workplace
22. culture
and then there is the dunning–kruger effect
With more than a decade’s worth of research, David Dunning, a psychologist at Cornell University, has demonstrated that humans find it ‘intrinsically difficult to get a sense of what we don’t know.’ Whether an individual lacks competence in logical reasoning, emotional intelligence, humor or even chess abilities, the person still tends to rate his or her skills in that area as being above average.
http://www.livescience.com/18678-incompetent-people-ignorant.html
http://cornellpsych.org/sasi/index.php
23. culture
and then there is the dunning–kruger effect
if you have already placed yourself in the top quartile, go back one slide
the bottom quartile have a tendency to overestimate their ability
the top quartile have a tendency to overestimate others’ abilities
http://www.livescience.com/18678-incompetent-people-ignorant.html
25. approach
when it comes to getting results, it’s not about you…
26. approach
credibility killers
chicken little: uses fear, uncertainty and doubt
propeller-head: knows how to script in python and thought a.p.t. was about the payload, not the methodology
caveman: carries a big stick and leads every response with ‘no’
snake-oil salesman: ‘this widget will solve all our problems’
27. approach
credibility killers
policy wonk: likes to discuss frameworks and uses big words like ‘taxonomy’ shamelessly
cowboy: no governance in decision-making. successful where ambiguity reigns and accountability is an optional module in the performance management tool
“not my circus, not my monkeys” (polish proverb)
29. approach
credibility building
• speak of risk in the context of business objectives
• know the “books” and speak the business language
• identify and understand the needs of your internal customers and collaborators, and partner with them
• use qualitative and quantitative data to support kpis, build dashboards and create business cases
• integrate with established programs and organizational initiatives versus bootstrapping a siloed infosec program
• be flexible and willing to ‘carry water’
“dialogue and protect” - me
30. approach
ciso in the c suite
• About 30 percent of Fortune 500 CEOs spent the first few years of their careers developing a strong foundation in finance; 20 percent in sales and marketing.
• [They] …understand the company culture, are familiar with the key stakeholders, and are known to the board members and other members of the executive team.
• 45 percent of CEOs served as non-executive directors on public company boards before being named chief executive of the Fortune 500 companies they lead today.
http://www.forbes.com/sites/ciocentral/2011/12/05/the-path-to-becoming-a-fortune-500-ceo/
31. approach
identify a foothold for governance
• publicly traded company
• regulated industry
• rigorous b2b and b2c requirements
• attorney-client privilege
• proprietary information or inventions
32. approach
• infosec role = change agent
• understand what is needed to be a successful change agent
• know when to ‘hide in the bushes’ and prepare for an impactful event (or start looking for another job)
• in the meantime, feel free to adopt a “culture changing methodology”
change agents
change management
people don’t care what you know until they know you care
36. life finds a way
approach
solution development
https://youtu.be/oijEsqT2QKQ?t=10s
37. “the biggest issue was in layer eight of the network: in other words, the difficulty in getting ordinary people to use technology effectively and the politics preventing that from happening”
approach
solution development
39. information security program development
using the gartner hype cycle as illustrative of an information security program implementation
approach
BUSINESS DRIVER
regulatory requirements
data breach remediation
b2c and b2b requirements
40. it security professionals are experiencing extreme levels of stress and burnout, but they have few places to turn for help
rsa conference 2012
resiliency
stress and burnout in infosec careers
42. resiliency
see preceding slides and…
• scope: ‘aim small, miss small’
• get a hobby
• take a class/teach a class
• pray/meditate
• exercise
• take your medication
distributed operating environment
44. ● sergeant, usmc
● it operations in electronic prepress, higher ed & member services
● st. vincent health: 3k physicians / 16k employees – security engineer
● eli lilly: 43k employees, $11b – sr. security analyst
● ge healthcare: 45k employees, $17b – global security architect †
● cuna mutual group: 5k employees, $3.6b – sr. manager, security architecture†
● alliant techsystems: 12k employees, $4.5b – chief information security architect †
● consultant and practice lead: “chris making slides”
● thomson reuters: 60k employees, $13.1b – director, information security assurance †
about chris
experience
† organizational transformation
Editor's Notes
governance, strategy and performance vs. culture and approach: information security risk management program development & career resilience
I am not from here…
Malcolm Gladwell’s book: David and Goliath: Underdogs, Misfits, and the Art of Battling Giants
“Giants are not what we think they are. The same qualities that appear to give them strength are often the sources of great weakness.”
In the case of “David and Goliath,” it wasn’t a rogue sling shot that toppled the giant, rather it was a boy skilled not only in the art of the sling shot (a deadly weapon back in the day) but also in the knowledge that – to win – he had to fight on his own terms using the skills that he had
As you listen to my presentation keep this phrase in the back of your mind.
Statistician with UW-Madison
Rick Roy
CIO, CUNA Mutual Group
organizations where the average tenure of the employee is 15 years or more will have neural pathways that are well-worn with habits from a relationship-based work environment
like a virus surrounded by white blood cells
introducing governance programs is transformational in these organizations
cuna mutual example
Think of white blood cells as your immunity cells. In a sense, they are continually at war. They flow through your bloodstream to battle viruses, bacteria, and other foreign invaders that threaten your health. When your body is in distress and a particular area is under attack, white blood cells rush in to help destroy the harmful substance and prevent illness.
physicians, lawyers, professors, executives
decentralized versus centralized: “our department is different” or “we need an exception”
ad-hoc, siloed, non-collaborative, resource intensive, costly
strategy and governance will compress under the weight of entitlement and entropy
as an approach
roles and responsibilities
competing agendas
resistance to change
subterranean org charts
Let me be clear. These people are actually dangerous. They don't like you, and not only are they actively scheming against your company, organization, unit or group, you are paying them to do it.
As in Gallup’s 2009-2010 global study of employee engagement, "actively disengaged workers — i.e., those who are negative and potentially hostile to their organizations — continue to outnumber engaged employees at a rate of nearly 2-1."
And then you have something Gallup terms 'non-engaged workers.' They account for 64% of all workers. That's right, 64%. These are not bad people. They may even be good people. They are just not passionate about you and your company or group. It's fair to say that they are most likely emotionally disconnected from their workplace.
You can make it your mission in life to move some of this 64% of non-engaged workers to the engaged worker category. Great. Good for you. I will do the same within my organization. But the actively disengaged workers, they can kill everything, and destroy the best of business plans and well-laid strategic dreams.
The Dunning–Kruger effect is a cognitive bias wherein unskilled individuals suffer from illusory superiority, mistakenly assessing their ability to be much higher than is accurate.
As David Dunning and Justin Kruger of Cornell University conclude: “The miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others.”
https://youtu.be/m_MaJDK3VNE
rick roy and it transformation
Having coffee with one of our peers in infosec
Why don’t CSOs sit at the table with business leaders?
Attend earnings calls and review the annual and quarterly reports
otherwise you are just hiding in the bushes waiting for the next impactful event
understand what is needed to be a successful change agent
sponsors
champions
adapt approach in the absence of either
e.g., assess the culture and adjust your approach
know when to hide in the bushes and prepare for an impactful event
unless you have achieved enlightenment you probably lack the self-awareness to clearly understand your own development needs (see slide ##)
https://www.youtube.com/watch?v=SkWeMvrNiOM
Anonymous begins communications across ham radio networks
Anonymous develops secure data over ham radio scheme
http://www.theregister.co.uk/2014/05/01/anonymous_to_world_go_pirate_radio_for_datacomms/
Why Airchat? (GitHub)
Because we strongly believe communications should be free, Free as much as the air itself and all the waves should be. Free for everyone everywhere, free for those oppressed, free for the poor, free for the dissident, free for those living out of the boundaries of the infrastructure created for those who were lucky enough to have more than others. And free...well... because sometimes the non-free infrastructure itself fails.
technology enables people and process
Dave Dewalt interview on Risky Biz podcast #317
fatigued from alerts / five million per day
gartner hype cycle
about CISO turnaround
tends to languish here longer than “enabling” initiatives
this is to demonstrate that i have been around the block a couple times
every day at ge was a transformation
organizational transformations †