A day in the life of a CISO (and advice for people looking to come into the CISO role)

Dimitrios Stergiou (@dstergiou)

Posted on 21-Jan-2018

TRANSCRIPT

Page 1: A day in the life of a CISO (and advice for people looking to come into the CISO role)

A day in the life of a CISO

Dimitrios Stergiou (@dstergiou)

Page 2:

• Dimitrios Stergiou (@dstergiou)

• CISO @ NetEnt, then CISO @ MTG

• 18 years InfoSec experience (engineer, consultant, manager)

• Mini bio:

– Greek (and Swede)

– Loves: InfoSec, Social Engineering, Economics, Video games

– Hates: Vegetables, Rain, Pronouncing “j” as “y”

Page 3:

Disclaimer

I don’t have the ultimate truth

But I am also NOT trying to sell you anything

Listen, question and take everything with a grain of salt

Page 4:

NetEnt

Pages 5–9: (no transcript text)

Page 10:

So, what does a CISO do?

Pages 11–12: (no transcript text)

Page 13:

The team:

• CISO

• Security architect

• InfoSec Engineer(s)

• AppSec Engineer(s)

The side team:

• Legal

• Compliance

• Operations

• Development

• HR

Page 14:

A typical day in the life of a CISO (based on empirical data)

Page 15:

• 01:00 – Check the Internet for impending doom

• 01:30 – Sleep (if no impending doom)

• 07:30 – Wake up, have breakfast, take gnome to school

• 08:30 – Read email on the bus

• 09:00 – Arrive at the office

• 09:15 – Review the changes in CAB and approve or reject

• 09:30 – Reply to urgent emails that I read but couldn’t reply to while on the phone

• 10:00 – Review of threat intelligence, security dashboards

• 10:15 – Daily meeting with the team

• 10:30 – Daily check with Legal, Compliance, HR

• 11:00 – Quick coffee with CIO, CTO, make sure nothing is exploding

• 11:20 – Poke head into CEO’s office to ask for more security budget

• 11:30 – Lunch (usually with the team or the head of the teams that we “need”)

• 13:00 – Politely hang up on vendors that offer the dream solution

Page 16:

• 13:30 – Meeting, meeting and meeting

– New technologies that developers want to introduce

– Security requirements for a new application

– How GDPR affects our privacy policies

– Plan next year’s awareness training

– Review of new corporate software

– Entry into new markets

– Business Continuity update

• 16:00 – Remind the C-level execs that we need to review the risk registry

• 17:00 – Leave the office

• 17:30 – Keep reading mail on the bus

• 18:00 – Arrival at home

• 22:00 – Family is asleep, knowledge build-up

Page 17:

Goals

Page 18:

The main goal

[Pie chart: “Pie of Doom” – slices 15, 25, 60; legend: What I know / What I know I don’t know / What I don’t know I don’t know]

Less red, more of the other colors

Page 19:

• Ensure the C-level execs are comfortable with the risk appetite

• Ensure I am comfortable with how we treat risks

• Balance risk and cost

• Run an effective team

• Establish top-notch incident management

• Use resources and knowledge outside my team effectively

• Prioritize works based on risk

• Help my team grow

• Be a servant leader

Page 20:

What about you?

Page 21:

CISO does…

• Policy

• Governance

• Strategy

• People

• Business enablement

• Compliance

• Architecture

• Helping others

Expect to be heavily involved in all of these areas!

Page 22:

What do I need to know to become a CISO?

Page 23:

Risk management

• Risk management is king

• Risk cannot be eliminated

• Risk is everywhere

Reporting

• Doesn’t really matter where you report

• Lead with attitude, not with authority

Background

• Operations background is fine

• Development background is fine

• People background is fine

Relationships

• Make friends fast

• Support peers

• Respect people (no matter what)

• Learn the meta

Business

• Know your company (and divisions)

• Know the business environment

• Learn how to research

Sales

• Evangelize security in your organization

• Know how to “sell” security to different C-level execs

• Speak business, not technology

Page 24: (no transcript text)