![Page 1: New New Age Enterprise Security Playbook: First 100 Days · 2018. 4. 3. · Dominic Vogel Chief Security Strategist, Cyber.SC New Age Enterprise Security Playbook: First 100 Days](https://reader033.vdocuments.mx/reader033/viewer/2022052104/603efc6980bc0a4412785b6b/html5/thumbnails/1.jpg)
New Age Enterprise Security Playbook: First 100 Days
Dominic Vogel
Chief Security Strategist, Cyber.SC
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Who is this clown??
• Current:
– Chief Security Strategist, Cyber.SC
• Previous:
– Security Strategist (Contractor), Health Services Authority
– Cyber Security Contractor, TELUS (BC Hydro)
– Information Security Team Lead, First West Credit Union
– Senior Security Consultant, Grant Thornton
– Global Security Administrator, CHC Helicopter
• Frequent security commentator on radio/TV/social media
Introducing: the Know-It All CIO
Effective Security: Five Pillars
• Create a positive and effective security culture
• Make the secure solution easier than the non-secure business process
• Avoid knee-jerk reactions to security threats
• Develop a risk-based security approach
• Foster enduring internal business relationships
Know-It All CIO – Security Culture
CIO: Everyone needs to complete the security awareness training except me because I am so damn brilliant
Me: I think we have different interpretations of the word “everyone”…and “brilliant”
Security Culture
• Create and foster an organic culture
• Two-pronged: top-down & bottom-up
• Positive attitudes
• Educate, don’t shame
• Embrace humility
Discussion: Security Culture
Time to share!
• Success (or horror!) stories
• Lessons learned
• Ingredients for success; pitfalls to avoid
• Questions & comments
Know-It All CIO – Complexity
CIO: We need email encryption. Solution X does email encryption. Buy Solution X. Damn I’m handsome!
Me: (face buried in palms) I should go check my lottery tickets
Conquer Complexity
• Make the secure solution easy
• Secure processes are ignored otherwise
• Define the business problem
• Gather business requirements
• Communicate with business leaders
Operations Complexity: Alert Overload
• Security is not “chasing alerts”
• Detection efficiency and accuracy
• Only 4% of alerts are typically investigated
• Focus on data value rather than volume
• Choose the fewest number of key data sources
Discussion: Conquering Complexity
Time to share!
• Success (or horror!) stories
• Lessons learned
• Ingredients for success; pitfalls to avoid
• Questions & comments
Know-It All CIO – Knee Jerk Reactions
CIO: Block DropBox! Now we don’t have to worry about data leaving to the cloud thingy….squirrel!
Me: Where is my bottle of aspirin?
Lowest Form of Life (other than Donald Trump)
If your security program is focused on reacting to news of the last data breach, you’ve all but ensured that you’ll fall victim to the next data breach.
Cap the Knee-Jerk Reactions
• Focus on building resilience (people, process, technology)
• Knee-jerk reactions are more damaging than the threat they react to
• Assess and solve problems holistically
• Stop focusing on the “threat du jour”
• Risk prioritization – protect the important assets first
Discussion: Knee-Jerk Reactions
Time to share!
• Success (or horror!) stories
• Lessons learned
• Ingredients for success; pitfalls to avoid
• Questions & comments
Know-It All CIO – Handling Risk is Easy!
CIO: I’ve told the board and the CEO that we have 100% security and that the risk of a data breach is zero. We are tighter than Fort Knox baby!
Me: You would have made an excellent grave-digger
Risk-based Security – Governance Frameworks
• Frameworks provide the blueprint for building security
• Define & prioritize tasks
• Manage cyber risk intelligently
• Prevent a haphazard approach to information security
• Reduce potential gaps in security efforts
Risk-based Security – NIST CSF Framework
• High-level in scope; very concise
• Focuses on how to assess and prioritize security functions
• Useful for achieving C-suite buy-in
• Flexible in its implementation; combine with the CIS Top 20
• Builds on (and does not replace) existing security standards
Risk-based Security – NIST CSF Framework (framework diagram; image not extracted)
Risk-based Security
• Do not take the old-school “theoretical” approach
• Focus on critical data assets (they deliver the highest ROI)
• Achieving a 100% risk-free environment is impossible
• Standardize on a value-at-risk model such as FAIR
• Give executives actionable data about cyber risks
• Outcome: increase in business and greater efficiency
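To make the "value-at-risk model such as FAIR" bullet concrete, here is an added example (not from the deck, and not FAIR's official tooling) that estimates annualized loss exposure per asset the FAIR way: loss event frequency (events/year) and loss magnitude (dollars/event) are each given as a min / most-likely / max estimate, a Monte Carlo run draws a Poisson number of events per year and sums a magnitude for each, and assets are ranked by mean annual loss. The asset names and dollar figures are constructed for illustration.

```python
"""FAIR-style annualized loss exposure (ALE) per asset. Constructed example, not from the deck."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Three-point estimate (min, most likely, max) as a subject-matter expert would give it."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0   # mean of a triangular distribution

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Asset:
    name: str
    lef: Range   # loss event frequency, events per year
    lm: Range    # loss magnitude, dollars per event


# Constructed assets: a crown-jewel customer database and a low-value marketing site.
CUSTOMER_DB = Asset("customer_db", Range(0.1, 0.5, 2.0), Range(50_000, 250_000, 2_000_000))
MARKETING_SITE = Asset("marketing_site", Range(1.0, 4.0, 10.0), Range(1_000, 5_000, 30_000))


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's algorithm; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_ale(asset: Asset) -> float:
    """Closed-form ALE: E[events/year] * E[dollars/event], since the two estimates are independent."""
    return asset.lef.mean() * asset.lm.mean()


def simulate(asset: Asset, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo ALE: mean annual loss, 90th-percentile year, and chance of any loss in a year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, asset.lef.sample(rng))
        losses.append(sum(asset.lm.sample(rng) for _ in range(events)))
    losses.sort()
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)],
            "p_any_loss": sum(1 for loss in losses if loss > 0) / trials}


def rank_assets(assets: list, **kw) -> list:
    """Order assets by simulated mean annual loss, highest first (what the executive summary shows)."""
    return sorted(assets, key=lambda a: simulate(a, **kw)["mean"], reverse=True)


if __name__ == "__main__":
    for asset in rank_assets([MARKETING_SITE, CUSTOMER_DB]):
        r = simulate(asset)
        print(f"{asset.name:15s} mean ${r['mean']:>12,.0f}  p90 ${r['p90']:>12,.0f}  P(loss) {r['p_any_loss']:.2f}")
```

The p90 figure is what turns "risk is zero" into a defensible statement for the board: a bad-but-plausible year, not a best case.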
Discussion: Risk-based Security
Time to share!
• Success (or horror!) stories
• Lessons learned
• Ingredients for success; pitfalls to avoid
• Questions & comments
Know-It All CIO – Relationships
CIO: Who gave you permission to speak to the VP of Operations? How dare you disobey the rigid hierarchy. I am the voice of security in this organization! You only speak when spoken to.
Me: Your fly is down…
Build Business Relationships
• Get out of your damn ivory tower (or boiler room)
• Drop “no” from your vocabulary
• Develop rapport as a trusted business advisor
• Deliver effective and sustainable security
Discussion: Building Relationships
Time to share!
• Success (or horror!) stories
• Lessons learned
• Ingredients for success; pitfalls to avoid
• Questions & comments
Key Outcomes – Make Security Easy
• Overcome obstacles and break down silos
• Increase organizational resiliency
• Seamless collaboration
• Greater value for security dollars
• Increase in business and greater efficiency
• You cannot please everyone
Thank you! Any questions?
How to Contact Me…if you want…
• Email: [email protected]
• Twitter: @domvogel