PLAYING THE GAME OF THRONES: ENSURING THE CISO’s ROLE AT THE KING’S TABLE

Thom Langford (@thomlangford), Sapient

#RSAC

Session ID: GRC-R08
Session Classification: Intermediate

TRANSCRIPT

#RSAC @thomlangford

DISCLAIMER

The opinions expressed in this presentation are my own and do not necessarily represent the views of my employer.


WHY ARE WE HERE?


BECAUSE WE DON’T OWN A PAIR OF THESE

▶ Source (i)


IN THE GAME OF THRONES...


A QUESTION OF DEFINITION


WHO ARE WE TALKING ABOUT?

‣ CISO
‣ CSO
‣ Head of Information Risk
‣ IT Security
‣ Head of Enterprise Security
‣ Head of Business Protection
‣ Information Compliance Manager
‣ Head of Security Risk & Compliance
‣ Chief Information Security Officer


REFERENCE POINTS

THE RISE OF THE CFO

[Chart: Prevalence of CFO Position, 1963-2000; y-axis 0% to 90%, x-axis 1963 to 2000]

▶ Source (Princeton University, ii)

THE RISE OF THE CISO?

[Chart: PwC, Global Information Security Practices: 2014 Survey Key Data Findings. Question: “When taking action to improve the effectiveness of your organization's information security function, what are your greatest obstacles?” % of respondents, all industries in all regions.]

22.91%  Leadership: CEO, President, Board, or equivalent
16.19%  Leadership: CIO or equivalent
17.53%  Leadership: CISO, CSO, or equivalent
22.15%  Lack of an effective information security strategy
23.54%  Lack of an actionable vision or understanding of how future business needs impact information security
24.14%  Insufficient capital expenditures
19.26%  Insufficient operating expenditures
18.93%  Absence or shortage of in-house technical expertise
17.63%  Poorly integrated or overly complex information and IT systems

Source: The Global State of Information Security Survey 2014. Not all factors may be shown. Totals may not add up to 100%.

▶ Source (PwC, iii)


THE EVOLUTION OF THE CISO

▶ Responders

▶ Enterprise Protectors

▶ Organisational Influencers

▶ The IT Guy

A QUESTION OF TEETH?

‣ budgets
‣ authority
‣ decision making

THE VIEW FROM HALFWAY UP

[Org chart: Board; CEO; CMO, COO, CFO, CIO, GC; two CISO positions shown at different levels. Annotations: 150 pages, 20 pages.]

WHAT HAS HELPED

▶ Source (iv)


GAINING THE KING’S TRUST


RE-INTERPRET YOUR CIA TRIANGLE

▶ Confidentiality
▶ Integrity
▶ Availability

[CIA triangle diagram]

CIA REINTERPRETED

‣ Trust the integrity of the data you are gathering
‣ Make your data available in a way that makes sense to the business
‣ Gain the confidence of your business

INTEGRITY (1)

[Chart: PwC, Global Information Security Practices: 2014 Survey Key Data Findings. Question: “Which of the following are included in your organization's security policy?” % of respondents, all industries in all regions.]

49.8%   Backup and recovery/business continuity
17.03%  Classifying business value of data
20.29%  Procedures dedicated to protecting intellectual property (IP)
31.81%  Role-based access controls
32.04%  Security risk assessment
25.51%  Inventory of assets/asset management
30.52%  Regular review of users and access
25.86%  Incident response plan
25.48%  End-user security awareness training and communications
21.7%   Procedures and/or standards partners/suppliers must comply with

Source: The Global State of Information Security Survey 2014. Not all factors may be shown. Totals may not add up to 100%.

▶ Source (PwC, iii)

INTEGRITY (2)

poor risk assessments → poor findings → poor data → poor business information → poor decision making

INTEGRITY (3)

Risk assessments should be:

‣ collaborative
‣ educational
‣ open
‣ non-confrontational
‣ non-judgemental
‣ constructive

AVAILABILITY (1)

▶ TRADITIONAL VIEW: gather data... put it into a report... and automagically... create commentary!

Data → Information → Commentary

AVAILABILITY (2)

‣ Business Intelligence ≠ Quality & Coverage
‣ This is not panning for gold
‣ Need to start with an idea

AVAILABILITY (3)

What is the business belief?

“There has been an increase in security costs over the last two years”

Establish a hypothesis:

“This is tied to BYOD and WFH”

AVAILABILITY (4)

‣ Identify the data needed to support the hypothesis: staff records, onboarding training, personal devices, industry increases, access control records, hiring practices, remote access records, security training records, etc.

AVAILABILITY (5)

‣ Establish correlations: “WFH + BYOD + Remote Access + start date before 2010 + OS = increased costs”

AVAILABILITY (6)

▶ Functional requirements
  ▶ Use cases
  ▶ What can I do with the data?

▶ Non-functional requirements
  ▶ Location of data
  ▶ Volume of data
  ▶ Performance/KPIs

AVAILABILITY (7)

‣Build your report

‣Format it to your audience
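The AVAILABILITY slides describe one procedure: state the business belief, turn it into a hypothesis, collect the records that could support it, test the correlation, then format the result for the audience. The following is an added example of that procedure in Python; it is not code from the presentation or from Sapient. The record layout (staff record joined with remote-access, device and cost data), the cut-off date of 2010, the per-head security cost figure and every sample row are constructed assumptions used only to make the steps runnable.

```python
"""Hypothesis-driven security reporting: test the slide's hypothesis
"WFH + BYOD + remote access + start date before 2010 => increased costs"
against a joined staff/cost data set.

Added example for this transcript, not the presenter's code. The record
layout, the cost figure and the sample rows are all constructed assumptions.
"""
import math
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class StaffRecord:
    """One row of the joined data set (HR record + remote-access record +
    device registration + security cost allocation). Assumed layout."""
    staff_id: str
    start_date: date
    wfh: bool
    byod: bool
    remote_access: bool
    os: str
    annual_security_cost: float  # constructed per-head security cost


# Constructed sample rows; the figures are illustrative only.
CONSTRUCTED_RECORDS: List[StaffRecord] = [
    StaffRecord("s01", date(2008, 3, 1), True, True, True, "macOS", 1200.0),
    StaffRecord("s02", date(2007, 6, 15), True, True, True, "Windows", 1100.0),
    StaffRecord("s03", date(2012, 1, 10), True, True, True, "macOS", 800.0),
    StaffRecord("s04", date(2009, 9, 1), False, False, False, "Windows", 600.0),
    StaffRecord("s05", date(2015, 2, 20), False, True, False, "Windows", 650.0),
    StaffRecord("s06", date(2006, 11, 5), True, False, True, "Linux", 700.0),
    StaffRecord("s07", date(2018, 8, 30), True, True, True, "Windows", 750.0),
    StaffRecord("s08", date(2011, 5, 12), False, False, True, "macOS", 600.0),
]

Predicate = Callable[[StaffRecord], bool]
LEGACY_CUTOFF = date(2010, 1, 1)  # assumed cut-off from the slide's "start date before 2010"


def hypothesis_wfh_byod_legacy(r: StaffRecord) -> bool:
    """The slide's combined hypothesis: WFH + BYOD + remote access + started before 2010."""
    return r.wfh and r.byod and r.remote_access and r.start_date < LEGACY_CUTOFF


def point_biserial(flags: List[bool], values: List[float]) -> Optional[float]:
    """Correlation between yes/no cohort membership and a numeric cost.
    Returns None (undefined, not zero) when everyone is in or out of the
    cohort, or when the costs are flat."""
    xs = [1.0 if f else 0.0 for f in flags]
    mx, my = mean(xs), mean(values)
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in values))
    if sx == 0.0 or sy == 0.0:
        return None
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, values))
    return cov / (sx * sy)


def evaluate_hypothesis(records: List[StaffRecord], predicate: Predicate) -> Dict[str, Any]:
    """Split staff into the cohort the hypothesis names and everyone else,
    compare the average cost per head and measure how strongly membership tracks cost."""
    in_costs = [r.annual_security_cost for r in records if predicate(r)]
    out_costs = [r.annual_security_cost for r in records if not predicate(r)]
    mean_in = mean(in_costs) if in_costs else None
    mean_out = mean(out_costs) if out_costs else None
    # Relative extra cost of the cohort: 0.68 means 68% more per head than the rest.
    uplift = (mean_in / mean_out - 1.0) if (mean_in is not None and mean_out) else None
    corr = point_biserial([predicate(r) for r in records],
                          [r.annual_security_cost for r in records])
    return {"n_in": len(in_costs), "n_out": len(out_costs), "mean_in": mean_in,
            "mean_out": mean_out, "uplift": uplift, "correlation": corr}


def factor_breakdown(records: List[StaffRecord]) -> Dict[str, Optional[float]]:
    """Uplift for each factor on its own next to the combined hypothesis,
    so the report can say which driver actually carries the cost."""
    factors: Dict[str, Predicate] = {
        "wfh": lambda r: r.wfh,
        "byod": lambda r: r.byod,
        "remote_access": lambda r: r.remote_access,
        "started_before_2010": lambda r: r.start_date < LEGACY_CUTOFF,
        "combined": hypothesis_wfh_byod_legacy,
    }
    return {name: evaluate_hypothesis(records, p)["uplift"] for name, p in factors.items()}


def board_summary(result: Dict[str, Any], cohort_label: str) -> str:
    """Format for the audience: one plain-language sentence, no raw statistics."""
    if result["uplift"] is None:
        return f"Not enough data to compare the {cohort_label} cohort with the rest of the business."
    return (f"Staff in the {cohort_label} cohort ({result['n_in']} people) cost "
            f"{result['uplift']:.0%} more per head on security than everyone else "
            f"({result['n_out']} people).")


if __name__ == "__main__":
    result = evaluate_hypothesis(CONSTRUCTED_RECORDS, hypothesis_wfh_byod_legacy)
    print(board_summary(result, "WFH + BYOD + remote access, started before 2010"))
    for name, uplift in factor_breakdown(CONSTRUCTED_RECORDS).items():
        print(f"  {name:<20} {'n/a' if uplift is None else f'{uplift:+.0%}'}")
```

The per-factor breakdown is the part a board reader needs: on the constructed rows the combined cohort shows a larger uplift than any single factor, which is what justifies the compound hypothesis on the slide rather than a one-factor story. The correlation is returned as None rather than zero when a cohort is empty or covers everyone, so a badly chosen hypothesis is reported as untestable instead of as "no effect".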


AVAILABILITY (8), (9), (10)

[Example report slides; (10) shows an Enterprise Risk Report]

CONFIDENCE

‣Only 38% of non-executive respondents use business-oriented language when communicating with senior executives (v)

‣51% of respondents rated their communication of relevant security risks to executives as “not effective” (vi)

▶ Source (Hanover Research, v & Ponemon institute vi)

CONFIDENCE (2)

CONFIDENCE (3)

‣ “this is what I need digital to do to help me sell more beer”

▶ Steve Mura, Director of Digital Marketing, MillerCoors (vii)

CONFIDENCE (4)

ANNUAL REPORT FOR ALL KNIGHTS, LADIES AND SERVANTS

GUIDING PRINCIPLES

‣ Only provide information that is necessary
‣ Be consistent
‣ Build & maintain trust
‣ Optimise dependency activities
‣ Simplify your experiences & interactions

KEY TAKE AWAYS

VALUE

‣ Is your organisation truly getting the full value of all of your activities?

BUSINESS INTELLIGENCE

‣ Look at how your security group is reporting to the business

UNDERSTANDING

‣ Ask yourself how much you really understand your business, and how it operates

BE CAREFUL WHAT YOU WISH FOR

WITH RESPONSIBILITY COMES...

Thank you

Thom Langford
@thomlangford
http://[email protected]
Sapient

THIS PRESENTATION IS AVAILABLE AT THOMLANGFORD.COM IN KEYNOTE AND PDF

REFERENCES

‣ (i) Twist & Shout, “Rose Tinted Glasses”, shown with permission
‣ (ii) Dirk M. Zorn, Princeton University, “Here a Chief, There a Chief: The Rise of the CFO in the American Firm”
‣ (iii) PwC, The Global State of Information Security Survey 2014
‣ (iv) In discussion with Simon Hember and Scott West of Acumin
‣ (v) Tripwire commentary on Hanover Research, “Doctor, My CEO Doesn’t Understand Security”
‣ (vi) Tripwire commentary on Ponemon Institute research, “Majority of IT Professionals Don’t Communicate Security Risks”
‣ (vii) MarketingProfs, “Four Tips For a Common Sense Approach to Marketing”
‣ All Game of Thrones images copyright HBO and the relevant authors of their own fan art