1. The document provides an overview of Joe Wynn and his company WynnSecure, which focuses on information security strategy and security management frameworks.
2. It outlines an agenda for improving security programs: why a security program must be explainable to management, and the issues, problems, and solutions involved.
3. The document describes how to build a security management framework, using the NIST Cybersecurity Framework as an example, with services, processes, and attributes to organize and manage a security program.
2. Joe Wynn
• Founded WynnSecure, LLC in 2016
• Cofounded Seiso, LLC in 2017
• Held positions of CISO in higher education and energy sectors
• Consulted in healthcare in a security leadership position
• Built business-aligned security programs from ground up
• Leads the delivery of executive-level information security strategy
• Over 25 years experience in information technology
• Over 20 years specializing in information security
• Education
  BS in Computer Science from Duquesne University
  Master’s Degree from Carnegie Mellon University
  Earned CISSP and other certifications
• Cofounder of BSidesPGH information security conference in 2011
10. What’s the Issue?
Discussion
Can anyone share why they think their program is successful?
What did you do to make it successful?
Does your management think your program runs well?
Are they aware of which parts of the program are well managed?
What happens when the primary resource is out?
Who does the mandatory daily tasks?
11. What’s the Issue?
1. Sometimes…
2. Explaining your information security program to executives
  Which parts are well managed?
  Which parts run ad hoc?
  Can you easily calculate the number of resources needed for a successful program?
  Can you explain what risks are inherently being accepted?
  Can you explain residual risks?
3. Not operationalizing the security program
12. What’s the Problem?
Discussion
Does anyone have a story about “someone you know” who doesn’t complete all of the mandatory processes each day?
What kinds of risks can this cause in “their” program?
Do you have to fight for your budget and resources, or does management just give it to you?
13. What’s the Problem?
• Skipped processes increase organizational information security risks
• Management can’t make informed decisions on undocumented risks
• Management doesn’t invest in undocumented programs
14. What can you do?
Discussion
• What are program metrics? Anyone track those?
• Who formally tracks risk appetite?
15. What can you do?
• Organize your program so it can be managed and communicated
• Track your program’s metrics
  Not talking about technical metrics, like the number of spam emails or viruses seen.
  Note: I looked it up… plural of virus is viruses, not viri.
  I’m talking about how well your processes are operating.
  And if you have the right processes and they are working, then you will be on your path to good security.
• Ensure your program operates within risk appetite tolerance
• Request program investment for areas of unacceptable risk
17. How?
• Get organized
• Organize the program into a framework… to manage security
  Maybe call it… a “Security Management Framework”
• Allows it to be managed
• Provides the ability to explain it
• Shows gaps in the program
• Report on program health
21. What do you need to start?
A Security Framework and a Spreadsheet
Start Simple
1. Pick a security standard / framework to align to
  NIST CSF will do
2. Choose what services you will perform
3. Define some processes you will follow to manage controls that are important to you.
Who’s familiar with the NIST CSF?
“The way to get started is to quit talking and begin doing.”
-- Walt Disney
24. Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
Executive Order 13636, February 12, 2013
Slide Credit: “Cybersecurity Framework Overview” virtual event - https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
25. The Cybersecurity Framework...
Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
Is consistent with voluntary international standards.
26. The Framework Is for Organizations…
• Of any size, in any sector in (and outside of) the critical infrastructure.
• That already have a mature cyber risk management and cybersecurity program.
• That don’t yet have a cyber risk management or cybersecurity program.
• Needing to keep up-to-date managing risks, facing business or societal threats.
• In the federal government, too… since it is compatible with FISMA requirements and goals.
27. Core
Cybersecurity Framework Component

Function (and the question it answers)          Category                                        ID
Identify: What processes and assets need protection?
                                                Asset Management                                ID.AM
                                                Business Environment                            ID.BE
                                                Governance                                      ID.GV
                                                Risk Assessment                                 ID.RA
                                                Risk Management Strategy                        ID.RM
Protect: What safeguards are available?
                                                Access Control                                  PR.AC
                                                Awareness and Training                          PR.AT
                                                Data Security                                   PR.DS
                                                Information Protection Processes & Procedures   PR.IP
                                                Maintenance                                     PR.MA
                                                Protective Technology                           PR.PT
Detect: What techniques can identify incidents?
                                                Anomalies and Events                            DE.AE
                                                Security Continuous Monitoring                  DE.CM
                                                Detection Processes                             DE.DP
Respond: What techniques can contain impacts of incidents?
                                                Response Planning                               RS.RP
                                                Communications                                  RS.CO
                                                Analysis                                        RS.AN
                                                Mitigation                                      RS.MI
                                                Improvements                                    RS.IM
Recover: What techniques can restore capabilities?
                                                Recovery Planning                               RC.RP
                                                Improvements                                    RC.IM
                                                Communications                                  RC.CO
28. Core Cybersecurity Framework Component

The Function / Category / ID table from slide 27, with the Business Environment category (ID.BE) expanded into its subcategories and informative references:

Subcategory                                                                                       Informative References
ID.BE-1: The organization’s role in the supply chain is identified and communicated               COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
                                                                                                  ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
                                                                                                  NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is           COBIT 5 APO02.06, APO03.01
identified and communicated                                                                       NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established        COBIT 5 APO02.01, APO02.06, APO03.01
and communicated                                                                                  ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
                                                                                                  NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established    ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
                                                                                                  NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established         COBIT 5 DSS04.02
                                                                                                  ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
                                                                                                  NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
46. What to Measure?
• What data (attributes) about your processes do you want to track?
• Earlier I suggested these attributes:
Description
Owner
Primary Resource
Backup Resource
Customer
Event Driven or Scheduled
Frequency
Process Details
Hours / Month
Annualized Hours
Metrics
Tools
Escalation Process
Process Maturity Rating
Process Improvement Project
“If you can’t measure it, you can’t manage it.”
--Peter Drucker
49. Using the SMF
• Analysis: What’s missing from your program
  Backup resources
  Efficient tools
    A lot is being done with spreadsheets, documents, and free tools
• What can you do with your data?
  Perform a maturity review of your processes
  Create projects to increase process / program maturity
  Add up the FTE hours needed to execute the processes
  Track program metrics
    How often have you executed each process on time?
    When have processes not been completed and why?
    Are processes taking more time than estimated to complete?
  Forecast security program budget
  You can add additional attributes
    Cost to execute process
    Risk of failing to perform process to specifications
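The following is an added worked example, not part of the talk and not WynnSecure's or Seiso's own tooling. It models the spreadsheet that slides 21, 46 and 49 describe: each managed process carries the suggested attributes (owner, primary and backup resource, schedule, hours per month, maturity rating) and is mapped to a NIST CSF category ID, and the analysis functions do what slide 49 lists: annualize hours, add up the FTE load, find gaps (processes with no backup resource, CSF functions with no process behind them), pick maturity-improvement candidates, and compute on-time execution rates. The CSV rows, the execution log and the 1800 productive hours per FTE are constructed assumptions.

```python
"""Security Management Framework (SMF) inventory as a small self-contained model.

Constructed example: the CSV below stands in for the program spreadsheet; the
category IDs are the NIST CSF Core categories from the slide table.
"""
import csv
import io
from collections import defaultdict

# NIST CSF Core functions and their category IDs (as listed on slide 27).
CSF_CATEGORIES = {
    "Identify": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "Protect": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "Detect": ["DE.AE", "DE.CM", "DE.DP"],
    "Respond": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "Recover": ["RC.RP", "RC.IM", "RC.CO"],
}

# Constructed sample spreadsheet: one row per managed process, with the
# attributes suggested on slide 46 (a subset, to keep the example short).
SMF_CSV = """\
process,csf_category,owner,primary,backup,schedule,frequency_per_month,hours_per_month,maturity
Vulnerability scan review,DE.CM,SecOps,alice,,Scheduled,4,8,3
Access review,PR.AC,IAM,bob,carol,Scheduled,1,6,4
Phishing triage,DE.AE,SecOps,alice,dave,Event Driven,0,20,2
Asset inventory reconciliation,ID.AM,IT,erin,,Scheduled,1,4,2
Backup restore test,RC.RP,IT,frank,erin,Scheduled,0.25,3,1
"""

FTE_HOURS_PER_YEAR = 1800  # assumption: productive hours per FTE per year


def load_processes(text=SMF_CSV):
    """Parse the spreadsheet rows and derive the annualized-hours attribute."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["frequency_per_month"] = float(r["frequency_per_month"])
        r["hours_per_month"] = float(r["hours_per_month"])
        r["maturity"] = int(r["maturity"])
        r["annualized_hours"] = r["hours_per_month"] * 12
        rows.append(r)
    return rows


def fte_required(procs):
    """Add up the FTE needed to execute every process as specified."""
    return sum(p["annualized_hours"] for p in procs) / FTE_HOURS_PER_YEAR


def single_points_of_failure(procs):
    """Processes with no backup resource: what happens when the primary is out?"""
    return [p["process"] for p in procs if not p["backup"]]


def coverage_gaps(procs):
    """For each CSF function, the category IDs no process is mapped to."""
    covered = {p["csf_category"] for p in procs}
    return {fn: [c for c in cats if c not in covered]
            for fn, cats in CSF_CATEGORIES.items()}


def uncovered_functions(procs):
    """CSF functions where not a single category has a process behind it."""
    gaps = coverage_gaps(procs)
    return [fn for fn, missing in gaps.items()
            if len(missing) == len(CSF_CATEGORIES[fn])]


def improvement_candidates(procs, target=3):
    """Processes below the target maturity rating, for improvement projects."""
    return [(p["process"], p["maturity"]) for p in procs if p["maturity"] < target]


# Constructed execution log: (process, period due, completed on time?)
EXECUTION_LOG = [
    ("Access review", "2023-01", True),
    ("Access review", "2023-02", False),
    ("Access review", "2023-03", True),
    ("Asset inventory reconciliation", "2023-01", True),
    ("Asset inventory reconciliation", "2023-02", True),
]


def on_time_rate(log):
    """Fraction of scheduled executions completed on time, per process."""
    totals = defaultdict(lambda: [0, 0])  # process -> [scheduled, on time]
    for name, _, ok in log:
        totals[name][0] += 1
        totals[name][1] += int(ok)
    return {name: done / n for name, (n, done) in totals.items()}


if __name__ == "__main__":
    procs = load_processes()
    print("FTE required: %.2f" % fte_required(procs))
    print("No backup resource:", single_points_of_failure(procs))
    print("Uncovered CSF functions:", uncovered_functions(procs))
    print("Below target maturity:", improvement_candidates(procs))
    print("On-time rates:", on_time_rate(EXECUTION_LOG))
```

With the constructed rows, the report shows 0.27 FTE of effort, two processes with no backup resource, the whole Respond function with nothing behind it, three processes below maturity 3, and a two-out-of-three on-time rate for access reviews: exactly the kind of gap list and metrics the slides suggest bringing to management.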
53. Explain Risks To Management
• Show up with solutions, not problems
• Get management buy-in on what must be done
• Show management what can and cannot be done
• Document risks in the risk register
  Are they willing to fund improvements?
• Make your budget requests to close gaps and improve maturity
• Get management signoff on risks
  This should not be your burden to bear
• Spend your money wisely
• If management doesn’t fund the program and doesn’t accept the risks?
  Update your resume
  Time to move on