Qualities of an Effective CISO - Miguel (Mike) O. Villegas - PowerPoint PPT Presentation

  1. Qualities of an Effective CISO
     Miguel (Mike) O. Villegas, CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA
     Vice President - K3DES LLC
     mike.villegas@k3des.com
     November 13, 2015
     2015 IIA-Orange County

  2. Abstract
     Hiring a Chief Information Security Officer (CISO) is a laudable goal. It implies executive management realizes the value of having an executive-level position for information security. The CISO is an executive who provides expert guidance to other C-level executives on matters of risk, compliance and information protection from a strategic and tactical business-objectives perspective. Security practitioners are typically technical in nature but do not generally have access to C-level executives, so the CISO position can help fill this gap. This session will discuss the qualities of an effective CISO. This includes education, background, reporting structure, focus, responsibilities, personal qualities, vision, leadership capabilities, and technical background.

  3. Table of Contents
     • CISO Resume
     • Reporting Structure
     • CISO Vision and Responsibilities
     • Personal Qualities
     • Leadership Qualities

  4. CISO RESUME

  5. CISO Survey
     A survey of 203 US-based C-level executives, conducted in July 2014, found a startling lack of respect for CISOs in the enterprise. Below are some interesting statistics:
     • 74% said they do not believe CISOs deserve a seat at the table and should not be part of an organization's leadership team.
     • 54% believe CISOs should not be responsible for cybersecurity purchasing.
     • 44% believe CISOs should be accountable for any organizational data breaches.
     • 28% said their CISO has made cybersecurity decisions that negatively impacted the organization's financial health.
     Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx

  6. CISO Resume
     Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:
     • Degree in accounting or MBA; degree in CIS or Information Security;
     • CPA, CISSP, CISM, CISA, PMP certifications;
     • CFE, CEH, GPEN, CRISC specialized certifications;
     • A minimum of ten years' experience as a CISO, information security engineer, or security consultant. Big 4 senior managers or partners from systems assurance would be an added plus;
     • ISSA, ISACA, (ISC)², OWASP, or CISO forum memberships.

  7. Certifications vs Experience
     Many of us have known those that tout technical expertise because of their long list of certifications, yet once hired, it does not take long before realization sets in. Hiring a CISO…
     • Certifications get him through the door.
     • The interview gives him a seat.
     • The 90-day probationary period assures he can stay.
     • His technical abilities determine what kind of work he can manage.
     • His communication skills determine whether he deserves a “seat at the table” (Board).

  8. Why not hire within?
     Security professionals who work within the enterprise have great advantages.
     • They know the IT environment
     • They know the business
     • They have earned certifications that are the envy of many
     • They have established a competent rapport with network engineers and system administrators
     However, many times the Peter Principle might apply, such that the security professional has gone as far as he is capable of.

  9. Good CISO Candidates
     There will always be exceptions and each candidate should stand on their own. However, below is a list of good candidates for CISO.
     • Director of Information Security
     • Internal security professionals
     • IT Audit Manager
     • IT Risk Manager
     • External CISO hire
     • Big 4 Senior Manager or Partner
     • Sr. Security Consultant
     A prophet is not accepted in his own country.

  10. REPORTING STRUCTURE

  11. Reporting Structure
     There are four basic questions in this debate.
     (1) Should there be a CISO position?
     (2) Who should the CISO report to?
     (3) What are the pros and cons for the CISO reporting structure?
     (4) Who decides?

  12. Should there be a CISO position?
     The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be:
     • Independent of influence or pressure from those affected in the protection of corporate assets;
     • Empowered to deploy all proper levels of protection; and
     • Positioned within the organization to embed information security into the business culture.

  13. Who should the CISO report to?
     The survey conducted in July 2014 by ThreatTrack Security reported that:
     • 47% of CISOs report to their CEO or president,
     • 45% report to the CIO,
     • 4% to the Chief Compliance Officer, and
     • less than 2% to the COO or CFO.
     Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx

  14. Pros and Cons for CISO Reporting Structure
     Pros:
     • C-level executive that supports, understands and champions the information security function and CISO
     • This provides the CISO independence, the ability to disagree, and empowerment to deploy the information security program
     Cons:
     • Where the CISO reports to is situational
     • He might lose contact, credibility, cooperation and empowerment to control the security of corporate assets
     • C-level executive does not have sufficient appreciation or influence to support the CISO
     • Conversely, reporting to the CIO could be just as repressive
     • It comes down to who the CISO would ultimately report to

  15. Who decides?
     Despite the endless debates and opinions voiced on whether the CISO should report to the CIO or another C-level executive, the ultimate question is “Who decides?”
     • It clearly will not be the newly hired CISO.
     • It will not be the existing Director of Information Security.
     • The CIO might recommend hiring a CISO, but very likely reporting to the CIO.
     • The CEO and board members should ultimately decide, but typically the question is not a consideration until they have experienced a breach or a major security incident.

  16. CISO VISION AND RESPONSIBILITIES

  17. CISO Vision and Responsibilities
     The CISO's vision is to align the information security program with the enterprise's strategic business objectives. The CISO's responsibility is to ensure the information security program meets those objectives and grows commensurate with the enterprise goals. Executive management looks to the CISO to:
     • Define and manage the information security program
     • Provide education and guidance to the executive team
     • Present options and information to enable decision making
     • Act as an information security advisor

  18. CISO Vision and Responsibilities
     This includes, but is not limited to:
     • Executive Management Reporting
     • Mobile Device Security
     • Risk and Compliance
     • Web Application Security
     • Information Security Administration
     • Vulnerability Testing
     • Competent and Skilled Staff
     • Security Tools
     • CSIRT Program
     • Network Security
     • Information Protection
     • Application Security
     • Security Monitoring
     • Personnel Security
     • Security Policies and Procedures
     • Database Security
     • Vendor Security
     • Cloud Security
     • Wireless Security
     • Security Awareness Program

  19. What the CISO should do to earn respect
     • Use the "three C's" to emphasize the importance of information security within an organization:
       – Cooperation precludes pernicious silos;
       – Communication is critical, but it must be incisive, relevant and done with aplomb; and
       – Counterbalance ensures contributions are commensurate with business objectives.
     • Identify a C-level team member who can champion the CISO's contributions and participation. Befriend, educate, earn trust and provide him or her with insightful information that will also elevate his or her visibility and credibility.
     • Schedule monthly executive management reports on the state of information security for your enterprise. Use graphics and red-yellow-green icons to highlight areas to focus on, and communicate your message in business terms related to cost, ROI, risk, growth and compliance.
     • Stay informed of current events and new technologies, especially as they relate to your enterprise's industry.
