quali&es of an eﬀec&ve ciso - sf isaca · ciso resume 6 ideally, a ciso should have a...

2015FallConference–“CyberSizeIT”November9–11,2015

Quali&esofanEffec&veCISO

Miguel(Mike)O.VillegasCISA,CISSP,GSEC,CEH,PCIQSA,[email protected]

November10,2015

1


AbstractHiringaChiefInformaHonSecurityOfficer(CISO)isalaudablegoal.ItimpliesexecuHve management realizes the value of having an execuHve levelposiHonforinformaHonsecurity.The CISO is an execuHve who provides expert guidance to other c-levelexecuHvesonmaUersofrisk,complianceandinformaHonprotecHonfromastrategic and tacHcal business objecHves perspecHve. Security pracHHonersare typically technical in nature but donot generally have access to c-levelexecuHves,sotheCISOposiHoncanhelpfillinthisgap.This session will discuss the qualiHes of an effecHve CISO. This includeseducaHon, background, reporHng structure, focus, responsibiliHes, personalqualiHes,vision,leadershipcapabiliHes,andtechnicalbackground.

2


TableofContents

v CISOResumev Repor&ngStructurev CISOVisionandResponsibili&esv PersonalQuali&esv LeadershipQuali&es

3


CISORESUME

4


CISOSurvey

5

AsurveyconductedinJuly2014,203US-basedC-levelexecuHvesfoundastartlinglackofrespectforCISOsintheenterprise.BelowaresomeinteresHngstaHsHcs:•  74%saidtheydonotbelieveCISOsdeserveaseatatthetable

andshouldnotbepartofanorganizaHon'sleadershipteam.•  54%believeCISOsshouldnotberesponsibleforcybersecurity

purchasing.•  44%believeCISOsshouldbeaccountableforanyorganizaHonal

databreaches.•  28%saidtheirCISOhasmadecybersecuritydecisionsthat

negaHvelyimpactedtheorganizaHon'sfinancialhealth.

Source:hUp://www.threaUracksecurity.com/resources/the-role-of-the-ciso.aspx


CISOResume

6

Ideally,aCISOshouldhaveacombinaHonofbusinessandtechnicalskillsthatallowforcompetentcontribuHonsandguidancewithbothITandexecuHvemanagement.AsuccessfulCISOwillbeabletoincisivelytranslatetechnicalchallengesandstrategiesintobusinessterms.SomespecificrecommendedqualificaHonsforaCISOinclude:•  DegreeinaccounHngorMBA,degreeinCISorInformaHon

Security;•  CPA,CISSP,CISM,CISA,PMPcerHficaHons;•  CFE,CEH,GPEN,CRISCspecializedcerHficaHons;•  TenyearsminimumexperienceasaCISO,informaHonsecurity

engineer,orsecurityconsultant.Big4seniormanagersorpartnersfromthesystemsassurancewouldbeanaddedplus

•  ISSA,ISACA,(ISC)2,OWASP,orCISOforummemberships.


Cer&fica&onsvsExperience

7

ManyofushaveknownthosethattouttechnicalexperHsebecauseoftheirlonglistofcerHficaHonsyetoncehired,itdoesnottakelongbeforerealizaHonsitsin.HiringaCISO…•  Cer&fica&onsgethimthroughthedoor.•  Theinterviewgiveshimaseat.•  The90-dayproba&onaryperiodassureshecanstay•  Histechnicalabili&esdeterminewhatkindofworkhe

canmanage•  Hiscommunica&onskillsdeterminewhetherhe

deservesa“seatatthetable”(Board)


Whynothirewithin?

8

Securityprofessionalswhoworkwithintheenterprisehavegreatadvantages.•  TheyknowtheITenvironment•  Theyknowthebusiness•  TheyhaveearnedcerHficaHonsthataretheenvyof

many•  Theyhaveestablishedacompetentrapportwith

networkengineersandsystemadministratorsHowever,manyHmesthePeterPrinciplemightapplysuchthatthesecurityprofessionalhasgoneasfarasheiscapableof.


GoodCISOCandidates

9

TherewillalwaysbeexcepHonsandeachcandidateshouldstandontheirown.However,belowisalistofgoodcandidatesforCISO.•  DirectorofInformaHonSecurity•  Internalsecurityprofessionals•  ITAuditManager•  ITRiskManager•  ExternalCISOhire•  Big4SeniorManagerorPartner•  Sr.SecurityConsultant

Aprophetisnotacceptedinhisowncountry


REPORTINGSTRUCTURE

10


Repor&ngStructure

11

TherearefourbasicquesHonsinthisdebate.(1) ShouldtherebeaCISOposiHon?(2) WhoshouldtheCISOreportto?(3) WhataretheprosandconsforCISOreporHng

structure?(4) Whodecides?


ShouldtherebeaCISOposi&on?

12

ThekeystomakingtheCISOrolesuccessfulareindependence,empowermentandposiHon.TheCISOneedstobe:•  Independentofinfluenceorpressurefrom

thoseaffectedintheprotecHonofcorporateassets;

•  EmpoweredtodeployallproperlevelsofprotecHon;and

•  Posi&onedwithintheorganizaHontoembedinformaHonsecurityintothebusinessculture.


WhoshouldtheCISOreportto?

13

ThesurveyconductedinJuly2014byThreatTrackSecurityreportedfoundthat:•  47%ofCISOsreporttotheirCEOorpresident•  45%reporttotheCIO,•  4%totheChiefComplianceOfficer,and•  lessthan2%totheCOOorCFO.

Source:hUp://www.threaUracksecurity.com/resources/the-role-of-the-ciso.aspx


ProsandConsforCISORepor&ngStructure

14

Pros:•  C-levelexecuHvethatsupports,understandsandchampions

theinformaHonsecurityfuncHonandCISO•  ThisprovidestheCISOindependence,abilitytodisagreeand

empowermenttodeploytheinformaHonsecurityprogramCons:•  WheretheCISOreportstoissituaHonal•  Hemightlosecontact,credibility,cooperaHonand

empowermenttocontrolthesecurityofcorporateassets.•  C-levelexecuHvedoesnothavesufficientappreciaHonor

influencetosupporttheCISO.•  Conversely,reporHngtotheCIOcouldbejustasrepressive•  ItcomesdowntowhotheCISOwouldulHmatelyreportto.


Whodecides?

15

DespitetheendlessdebatesandopinionsvoicedwhethertheCISOshouldreporttotheCIOoranotherC-levelexecuHve,theulHmatequesHonis“Whodecides?”•  ItclearlywillnotbethenewlyhiredCISO.•  ItwillnotbetheexisHngDirectorofInformaHonSecurity.

•  TheCIOmightrecommendhiringaCISObutverylikelyreporHngtotheCIO.

•  TheCEOandboardmembersshouldulHmatelydecidebuttypicallythequesHonisnotaconsideraHonunHltheyhaveexperiencedabreachoramajorsecurityincident.


CISOVISIONANDRESPONSIBILITIES

16


CISOVisionandResponsibili&es

17

TheCISOsvisionistoaligntheinformaHonsecurityprogramwiththeenterprisestrategicbusinessobjecHves.TheCISOsresponsibilityistoensuretheinformaHonsecurityprogrammeetsthoseobjecHvesandgrowscommensuratewiththeenterprisegoals.ExecuHvemanagementlookstotheCISOto:•  DefineandmanagetheinformaHonsecurityprogram•  ProvideeducaHonandguidancetotheexecuHveteam•  PresentopHonsandinformaHontoenabledecision

making•  ActasaninformaHonsecurityadvisor


CISOVisionandResponsibili&es

18

Thisincludes,isnotlimitedto:

•  ExecuHveManagementReporHng•  Riskandcompliance•  InformaHonSecurityAdministraHon•  Competentandskilledstaff•  CSIRTProgram•  InformaHonProtecHon•  SecurityMonitoring•  SecurityPoliciesandProcedures•  VendorSecurity•  WirelessSecurity

•  MobileDeviceSecurity•  WebApplicaHonSecurity•  VulnerabilityTesHng•  SecurityTools•  NetworkSecurity•  ApplicaHonSecurity•  PersonnelSecurity•  DatabaseSecurity•  CloudSecurity•  SecurityAwarenessProgram


WhattheCISOshoulddotoearnrespect•  Usethe"threeC's"toemphasizetheimportanceofinformaHonsecurity

withinanorganizaHon:–  CooperaHonprecludespernicioussilos;–  CommunicaHoniscriHcalbutitmustbeincisive,relevantanddonewith

aplomb;and–  CounterbalanceensurescontribuHonsarecommensuratewithbusiness

objecHves.•  IdenHfyaC-levelteammemberwhocanchampiontheCISO's

contribuHonsandparHcipaHon.Befriend,educate,earntrustandprovidehimorherwithinsighqulinformaHonthatwillalsoelevatehisorhervisibilityandcredibility.

•  SchedulemonthlyexecuHvemanagementreportsonthestateofinformaHonsecurityforyourenterprise.Usegraphics,red-yellow-greeniconstohighlightareastofocus,andcommunicateyourmessageinbusinesstermsrelatedtocost,ROI,risk,growthandcompliance.

•  Stayinformedofcurrenteventsandnewtechnologies,especiallyastheyrelatetoyourenterpriseindustry.

19


WhattheCISOshoulddotoearnrespect•  Givebusinessmanagersreasontopraiseyoureffortsandvalue.Meet

withkeybusinessmanagerstobeUerunderstandtheirpainpointsasitrelatestoinformaHonsecurity,riskandcompliance.Beatrustedbusinessadvisor.

•  EmbedinformaHonsecurityintheprojectmanagementcycle,changethemanagementlifecycleandtheinformaHongovernanceprocess.

•  HireorbuildanexemplarystaffwithpassionforinformaHonsecurity.•  BealuminaryinyourfieldsoexecuHvemanagementisawareofyour

endeavors,notonlyfromwithin,butfromothersoutsideyourorganizaHon.WritearHcles.GivelecturesoninformaHonsecurity.ParHcipateinprofessionalorganizaHonstogaininsightofwhatworksandwhatdoesn't.

•  Useaprovenandindustryacceptedframework,suchasISO-27001orNISTCybersecurityFramework(usedbyCybersecurityNexusCSX)

20


21


PERSONALQUALITIES

22


PersonalQuali&es

23

•  TrustedBusinessAdvisor-haveabusinesssenseonenterprisestrategicgoals

•  SecurityEngineer-Technicallycompetentsuchthathecanstandtoe-to-toewithIT

•  Leader-Leadsstaffbyexample•  Manager–managesprojectstocompleHon•  Presence-GoodpresencewithexecuHvemanagement

demandingaUenHonandrespect•  Communicator–abilitytocommunicatetechnicaltopicsto

Boardintermstheyunderstandandsupport•  AsserHve–notaggressive;doesnothavetorightorwinan

argumentalltheHme•  Ethical–doesnotoccultbadnewstosaveface•  Manageable–CISOcannotmanageifheisnotmanageable


PersonalQuali&es

24

•  CISOneedstobe•  Incisive,•  DiplomaHc,and•  Confident

•  CISOshouldhavehightechnicalacumen•  CISOshouldbepassionateaboutinformaHonsecurity•  butnotsoquixoHcordogmaHcthatitwouldcalltheir

credibilityintoquesHon•  CISOshouldbeanagentofchange

•  Notacop•  Notanauditor

•  CISOshouldbetoughskinned


LEADERSHIPQUALITIES

25


LeadershipQuali&es

26

•  Cybersecurityispredominantlydefensiveinnature.•  EnterprisesaresubjecttoaconstantbarrageofaUacks

frominadvertentandadvertentunauthorizedaccessbyinternalandexternalsources.

•  EachdaytheinformaHonsecurityprofessionalischallengedwithnewaUackvectorsandexploits.

•  ItisnowonderhowprotecHonmeasures,monitoringandremediaHoneffortsseemfuHleandSisyphean.

TheCISOneedsto:•  Leadbyexample•  Developandgrowthestaff•  RecognizestaffcontribuHons


LeadbyExample

27

•  Infectyourstaffwithyourpassion•  Hireorbuildexemplarystaffthatsharesyourpassion

forinformaHonsecurity•  Letthemseeyourinterest,resolveandmoHvefor

informaHonsecurity•  Inculcatethemaximofbeinganagentofchange•  StandforprofessionalethicsintheeventtheCISO

reporHngexecuHveinstructsotherwise•  DonotinstructstafforITtoonlyprovideauditorsand

assessorswhattheyaskforandnothingmore•  ThissaysthathalftruthsareOK•  StaffwillfeelhalftruthsareOKwithCISO•  UlHmatelyhurtstheenterprise


DevelopandGrowtheStaff

28

•  ThereisanabundanceofcybersecuritytrainingthatisnotexpensivesuchasISACA,ISSA,OWASPorOJT

•  assigningspecialprojectsto•  developorupdatesecuritypolicies,•  securityawarenessprogram,•  incidentmonitoringandreporHng,•  vulnerabilityremediaHonefforts,•  controlstesHng,•  compliancetesHng,and•  proofofconcepts(POC)forsecuritysoluHons,

whetheryoupurchasethemornot•  cerHficaHontrainingfor•  CISSP,CISMandCISA•  SANScourses,E-Council


RecognizeStaffContribu&ons

29

•  Recognizethempubliclythrough•  newsleUers,•  personallynamed,whenappropriate,in

managementmeeHngs,•  allowthemtoparHcipateinvisibleprojects,and•  givecredittothosethathadadirecthandinspecial

projectachievements.•  TheCISOmanyHmeswillgetalltheglorybutwillalso

getalltheblame.StaffmembersneedtobelievetheCISOistheretobuild,protectandchampiontheirefforts.

ThedynamicsinthisapproachwillrealizestaffwillingtoexceedexpectaHons.


Summary

v CISOResumev Repor&ngStructurev CISOVisionandResponsibili&esv PersonalQuali&esv LeadershipQuali&es

30


Miguel (Mike)O.Villegas isaVicePresident forK3DESLLC. HeperformsandQA’sPCI-DSSandPA-DSSassessmentsforK3DESclients. HealsomanagestheK3DESISO/IEC 27001:2005 program. Mike was previously Director of InformaHon Security atNewegg, Inc. forfiveyears.MikecurrentlyaContribuHngWriter forSearchSecurity-TechTarget.Mikehasover30yearsofInformaHonSystemssecurityandITauditexperience.Mikewas previously Vice President & Technology RiskManager forWells Fargo Servicesresponsible for IT Regulatory Compliance and was previously a partner at ArthurAndersenandErnst&YoungfortheirinformaHonsystemssecurityandISauditgroupsoveraspanofnineyears.MikeisaCISA,CISSP,GSECandCEH. HeisalsoaQSA,PA-QSAandASVasVPforK3DES.MikewaspresidentoftheLAISACAChapterduring2010-2012andpresidentoftheSFISACAChapterduring2005-2006.HewastheSFFallConferenceCo-Chairfrom2002–2007 and also served for two years as Vice President on theBoard ofDirectors forISACAInternaHonal.MikehastaughtCISAreviewcoursesforover18years.

BIO

31

quali&es of an eﬀec&ve ciso - sf isaca · ciso resume 6 ideally, a ciso should have a...

Documents