stuff my ciso says

#*%! my CISO Says
Interface, Thurs. Sept. 20, 2012
Barry Caplin, Chief Information Security Officer, MN Dept of Human Services
[email protected] [email protected], @bcaplin, +barry caplin

Upload: barry-caplin

Post on 15-Jan-2015


DESCRIPTION

Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with Senior Management, business-area leaders and users who are usually not technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: how to think about security risks in the way business personnel do; how to translate technical security topics into more business-friendly language; and how to reach a broader audience with the information security message.

TRANSCRIPT

1. http://about.me/barrycaplin, securityandcoffee.blogspot.com
2. Security Isn't Easy. We didn't get into it for the
3. The Challenge of Security Awareness. Nobody cares about Security. Why? And how do we get their attention and support?
4. Issues: Security viewed as a negative; Avoidance v. risk; Delays; Cost; Extra work; Gotchas
5. It Can't Be Just
6. We need sensible controls
7. early in the process
8. Bad CISO / Good CISO
9. Governance (Bad CISO): "We don't need no stinking governance!"
10. Governance (Good CISO): Develop a clear strategy using an industry standard framework.
11. Policy (Bad CISO): "All Security Policy is the same. I got mine from a book." (Hello Mr. Anderson)
12. Policy (Good CISO): Policies are based on solid principles, but adapted to fit the organization. (and prophesies from the oracle)
13. Compliance (Bad CISO): "We write the policies. We make people sign an oath. Done." (Compliance and consequences policy)
14. Compliance (Good CISO): We must make (understandable) policies. We must teach. We must assess, measure and report.
15. Awareness (Bad CISO): "Users will know what they have to do or be eliminated."
16. Awareness (Good CISO): Users can talk to Security. We teach. We answer questions.
17. Senior Management (Bad CISO): "I say what they want to hear. They're not listening anyway."
18. Senior Management (Good CISO): Give them the info they need and they will be engaged.
19. Projects and Dev (Bad CISO): "They can pay me now or they can pay me later."
20. Projects and Dev (Good CISO): We work together with business to finish on-time and with needed controls.
21. Business Needs (Bad CISO): "I buy the best known security products because they've got to be good."
22. Business Need (Good CISO): Working together we find control- and cost-effective security products that work and are usable.
23. Operations (Bad CISO): "We've always done it this way."
24. Operations (Good CISO): We partner with the business and tailor the program to meet the need.
25. Stuff I Say: KISS
26. Stuff I Say: "No one has read and understood... but definitely still responsible." Simple, direct language in policy. Compliance via education.
27. Stuff I Say: "You pay by the word." Keep policies short and sweet. If not, you'll pay on the compliance-effort side.
28. Stuff I Say: "People want to do the right thing... but what is the right thing?" Understandable policy. Simple rules.
29. Stuff I Say: "Do What Makes Sense." Risk Management approach. Seek out and destroy meaningless policy/controls/practices.
30. Stuff I Say: Iterative Improvement. Maturity model: CObIT, SEI CMMI.
31. Stuff I Say: Automation! Metrics. Tools. Reporting.
32. Stuff I Say: "What is the business need?" Find out the business need in plain business language.
33. Stuff I Say: Have Fun!
34. Discussion. Slides at http://slideshare.net/bcaplin. [email protected] [email protected], @bcaplin, +barry caplin, securityandcoffee.blogspot.com