Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshaping the Cybersecurity Battlespace"
1. 1 | CONFIDENTIAL AND PRIVILEGED
Evolving Role of the CISO:
Reshaping the Cybersecurity Battlespace
Anthony G. Dupree CISO/CIO
2.
My Background
A technology industry veteran with over two decades of infrastructure and security experience
Masters of Technology - Stevens Institute of Technology
Retired Lieutenant Colonel, Army Reserve Officer - OEF/OIF, Bronze Star Recipient
Certified Information Security Manager & Certified Chief Information Security Officer
3.
Problem Statement
Information Security is a business risk, not just an information technology problem
The long information security war
Which frameworks to use for the present and future (Perimeter Security vs Borderless Security)
Effective information security program – What are the requirements?
Hiring the right type of Chief Information Security Officer
How to hire the right person for your security team
Use of Artificial Intelligence: Foe or Friend?
4.
Our World
Data Breaches
"There are only two types of companies – firms that were hacked and those that will be."
– Former FBI Director Robert Mueller
5.
Current CISO Role
The information security leader for an organization.
The CISO must be equipped with 'awareness' of the infrastructure as a whole – to feel the problems and to detect the symptoms. We must understand weaknesses, threats and risks.
We must strengthen defense capabilities, have the means to carry out further analysis in case of doubt, to inoculate or provide other remediation, and even to contain the spread of destructive malware.
CISOs are coordinators and facilitators across teams, advising and assisting in problem resolution, with the ability to effectively lead the technical experts.
Executive presence and the skills to effectively lead, develop, communicate and sell the security program.
A deep technical awareness of the security ecosystem.
The Chief Information Security Officer is rapidly becoming indispensable for an organization's survival.
6.
Our Responsibilities
To protect your organization's brand, reputation and customer confidential information through an Information Security Program
• Ensure customer and employee information is classified as an asset!
• Define security requirements, establish baselines and measure compliance, based on applicable laws, regulations and best practices.
• Develop processes, procedures and policies required for the protection of confidential information.
• Collaborate with key stakeholders, administrators and technical staff to develop the information security strategy and architecture.
• Ensure incident response and disaster recovery plans are developed and implemented.
• Respond to and recover from disruptive and destructive information security events.
• Increase awareness of information security through training and communication.
7.
Information Security Basics
https://www.opentext.com/products-and-solutions/business-needs/information-governance/ensure-compliance/information-security-and-privacy
[Figure: Information Security = Confidentiality, Integrity, Availability. Protecting the Data / Protecting the Infrastructure / Protecting the People and Organization. Through innovation and agility = Drive Enterprise Growth. Taking data protection personally. Adding Value to IT Infrastructure. Security Risk.]
8.
Information Security Methodology
Information Security Program:
• Information Security Governance, Risk & Compliance
• Policy, Standards & Baselines
• Technical Controls
• Operational Controls
• Incident Management & Response
• Training, Awareness & Communications
9.
Hiring the Right CISO
Types of CISO for today and tomorrow
• Check the box CISO
• The house is on fire CISO
• Risk and Measured Based CISO
Key skills needed as a CISO
• Effective communication and leadership
• Metrics-based approach
• Technical savvy – experience
CISO reporting
• That depends on your organization
• Key is independence and authority
10.
Tomorrow CISO
http://www.typargeosynthetics.com/products/geocells/defencell---military-and-security-geocell.html
11.
Evolving Cybersecurity Environment
CISOs must now be business enablers and must keep the various lines of business and departments focused, functioning and moving forward on a day-to-day basis.
Key business areas which the CISO must be able to address:
• How can information security help generate, protect and ensure revenue?
• How can information security help retain existing customers?
• How can information security help differentiate against competitors?
• How can information security drive operational efficiencies and effectiveness?
Compliance regulations like the General Data Protection Regulation (GDPR) are challenging the status quo of IT operations, especially considering how much regulated data is entrenched in normal business operations.
We must analyze, predict and prepare for the future: strengths, weaknesses, opportunities and threats - SWOT
We must ensure that the organization is disciplined in the day to day operations
Become proficient in addressing today's more expansive expectations
How do CISOs measure success? On a risk basis.
13.
Security Evolution
Drivers
• Application and users are everywhere
• Borders are leaky
• Mobile and IoT
• Use of public cloud, private cloud, hybrid cloud or a combination of all
• Transporting of sensitive data
Borderless Security
• Secure Connectivity
• General Cloud Security
• Data Loss Prevention
• Threat Response and Containment
• Context-Aware Access Control
Think Outside the Box – Stay in the Circle
14.
Information Security Frameworks / Standards
Security Model – Business Drives Security
http://www.jirasekonsecurity.com/2011/10/security-model-business-oriented.html
Frameworks / standards: ISO 27001, NIST, COBIT, GDPR, FEDRAMP, SSAE-18, SANS, PCI-DSS, FISMA, HIPAA, HITRUST, IRS PUB 1075
[Figure: Business-oriented security model.
Drivers: Security threats; International security standards; Laws & regulations; Compliance requirements; Business objectives.
Managing Risk (Risks & Compliance): CEO & Board, Governance, Line Management, Product Management, Auditors, Security Professionals, Program Management.
Drivers → Rules → Measure: Security Management; Correction of Security Processes.
Policy Framework (Define security controls): Information Security Policies, Information Security Standards, Information Security Artefacts.
Process Framework (Execute security controls): Security Intelligence, Information Security Processes, People, Technology.
Metrics Framework (Measure security controls maturity): Information Security Metrics Objectives, Security Metrics Portal, External Security Metrics; Inform / Define.]
15.
Information Security Frameworks/Models to Consider
Zero Trust
• A security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeter, and instead must verify anything and everything trying to connect to their systems before granting access. (tactical)
NIST Cyber Security Framework
• This framework gives the company the ability to establish a policy framework and guidance to identify, protect, detect, respond and recover from cyber attacks. (strategic)
Defense in Depth Approach
• The model is based on the military principle that it is more difficult for an enemy to defeat a complex, multi-layered defense system than to penetrate a single layer. This layered methodology leverages people, technology and operational processes to meet the most rigorous standards of data confidentiality, integrity and availability, supporting the ongoing security of mission-critical data. It requires identifying and applying controls to all of the different possible means by which a bad actor can access data. (operational)
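To make the "perimeter security vs borderless security" contrast concrete, here is an added example (not from the deck or its author) that evaluates the same access request under a perimeter model, where being on the corporate network is the trust signal, and under a zero-trust, context-aware model, where identity, session strength and device posture are verified for every request and each check is an independent layer in the defense-in-depth sense. The network ranges, request fields and sample requests are constructed for the illustration and do not describe any real product's policy.

```python
# Added illustration: the same access request evaluated under a perimeter
# model and under a zero-trust, context-aware model. All names, network
# ranges and sample requests here are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address space that the perimeter model treats as trusted.
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    authenticated: bool        # identity proven (password, SSO, ...)
    mfa_passed: bool           # second factor presented for this session
    device_managed: bool       # enrolled in device management
    device_patched: bool       # posture check: OS/agent up to date
    resource: str
    classification: str        # "public", "internal" or "confidential"


def inside_perimeter(ip: str) -> bool:
    """True if the source address falls in an assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def perimeter_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Perimeter model: location on the corporate network is the trust signal.
    Returns (allowed, reasons)."""
    if inside_perimeter(req.source_ip):
        return True, ["source inside perimeter: implicitly trusted"]
    if req.authenticated:
        return True, ["external source authenticated at the gateway"]
    return False, ["external source, not authenticated"]


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Zero-trust model: network location carries no trust; every request is
    verified against identity, session strength and device posture, with the
    bar rising with the classification of the data requested. Each check is
    an independent layer (defense in depth): any single failure denies."""
    failures: list[str] = []
    if not req.authenticated:
        failures.append("identity not verified")
    if req.classification != "public" and not req.mfa_passed:
        failures.append("MFA required for non-public resource")
    if req.classification == "confidential":
        if not req.device_managed:
            failures.append("confidential data requires a managed device")
        elif not req.device_patched:
            failures.append("managed device fails posture check (unpatched)")
    if failures:
        return False, failures
    return True, ["identity, MFA and device posture verified"]


# Constructed sample requests covering the cases where the two models differ.
SAMPLE_REQUESTS = {
    # Attacker moved laterally from a compromised internal host: no identity.
    "lateral_movement": AccessRequest(
        user="unknown", source_ip="10.20.30.40", authenticated=False,
        mfa_passed=False, device_managed=False, device_patched=False,
        resource="hr-database", classification="confidential"),
    # Stolen password used from outside, no second factor, unknown laptop.
    "stolen_password": AccessRequest(
        user="alice", source_ip="203.0.113.7", authenticated=True,
        mfa_passed=False, device_managed=False, device_patched=False,
        resource="hr-database", classification="confidential"),
    # Legitimate remote employee on a managed, patched laptop with MFA.
    "remote_employee": AccessRequest(
        user="alice", source_ip="203.0.113.7", authenticated=True,
        mfa_passed=True, device_managed=True, device_patched=True,
        resource="hr-database", classification="confidential"),
    # Public resource: zero trust still needs identity but not MFA or posture.
    "public_page": AccessRequest(
        user="bob", source_ip="198.51.100.9", authenticated=True,
        mfa_passed=False, device_managed=False, device_patched=False,
        resource="intranet-news", classification="public"),
}


def compare(req: AccessRequest) -> dict[str, bool]:
    """Decision of each model for one request."""
    return {"perimeter": perimeter_decision(req)[0],
            "zero_trust": zero_trust_decision(req)[0]}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reasons = zero_trust_decision(req)
        print(f"{name:17} perimeter={perimeter_decision(req)[0]!s:5} "
              f"zero_trust={allowed!s:5} {'; '.join(reasons)}")
```

The two cases to look at are the lateral-movement and stolen-password requests: the perimeter model allows both (one is "inside", the other authenticated at the gateway), while the zero-trust model denies both and reports which layer failed, which is the audit trail a risk-based scorecard can be built on.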
16.
Hiring the Right Team Members
Bridging the skills gap
Defining the exact skills that you need
Consider flexing your educational requirements
Ask the right questions during the interview
Do a hands-on interview
Business understanding
Culture fit
Information security team member traits
• Attention to detail
• Think like a hacker
• Analytical
• Minimum supervision
• Follow up and close the loop
• Continuous learner
• Persistence
• Curious and perceptive
• Instinctive
• Having a well-rounded skill set
17.
AI - Information Security
https://www.cso.com.au/article/624361/security-ai-explodes-lack-efficacy-comparisons-leaves-csos-flying-blind/
"AI and machine learning (ML) technologies have grown significantly, fueled by companies' increasing desire for sustainable tools that detect and classify security threats based on behavior that often has never been seen before. Continued dependence on antiquated legacy systems is not sustainable."
18.
Tomorrow’s CISO
You must be a business enabler and strategic leader.
To be successful, CISOs must speak the language of business.
Must be able to understand how my company operates and how I can make it grow.
It's important to achieve alignment between IT security and lines of business.
Building visibility
• Understand and secure the environment
• Understand attack vectors – use of AI and machine learning
• Be surgical in purchasing tools / services
Must have a strong moral compass. If I see something wrong, I fix it, without looking for credit.
Resolving security issues and gaps
• Use of different frameworks will assist in your remediation roadmap
Application centric
Must have opportunities to regularly report to the CEO and board of directors
Reducing risk
• Understand your risk profile – create a risk register
• Outside audits
19.
Information Security as a Continuous Process
[Figure: Plan → Build → Run.
Plan – Identify Risk. Inputs: External (Customers, Vendors, Partners, Incidents); Internal (Projects, Observation, Requests, Incidents). Activities: Data Gathering, Assess Risks, Best Practices, Regulations, Policies, Compliance.
Build – Analyze/Synthesize Risk: Audits, Compliance Tools; Report Finalization, Recommendations, Requirements.
Run – Execute: Implement Controls; Protect the Company Brand.]
20.
Conclusion
• Proper management of this industry can only be achieved by the cooperation among
industry vendors, policymakers, regulators and organizations while encouraging open
and transparent processes.
• Information security is a topic that has and will become even more critical in the future,
as technology continues to evolve and become integrated into our lives in ways that we
can’t even imagine.
• Use several frameworks and models (no one framework fits all), integrated security (people, process and technology), and view information security as a continuous process.
• Use of advisory and managed services is important - it increases your credibility and confirms validation.
• Use of scorecards for the board - must be risk based
• Use of soft skills – keep it simple.
• YOU ARE IMPORTANT!!!