VIEW FROM THE CISO - DEMONSTRATING WINS
Michael Doucet Executive Director, Office of the CISO [email protected] (613)899-7169 Agenda
❖ Complexity in our Environment ❖ Changing Perspective ❖ Cyber Program Goals ❖ Six Forces of Security Strategy Influencers ❖ Security Domains ❖ Optimized Security Program ❖ Wrap up
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. COMPLEXITY SECURITY PROGRAM
▪ Business aligned Billions of 100’s of 2,500+ Security ▪ Right sized for the organization Threats and Regulations Technology Vulnerabilities and Standards Vendors ▪ Prioritized ▪ Never completed WannaCry | Petya | Locky | ShadowBrokers | EternalBlue | Vault7 | Magnitude | Exfiltration Artificial Disdain | Terror | Nuclear | RIG | Neutrino | Angler | Stegano | Cloudbleed | Cloud DevOps, Intelligence APTs Mirai | Necurs | Angler | Dridex | KRACK | Apache Struts | Toast Overlay | Next-Gen Security Architectures Bluborne | Intel IME Advanced Threat | Mobility | Cloud | Third-party Risk | IoT | Insider Threats | DDoS | Threat Intelligence | Risk Management Virtualization/Cloud
Thisis THE CISO CONUNDRUM
PCI DSS | HIPAA | GDPR | NYDFS | NERC CIP | FISMA | CIS | SOX
IoT WannaCry | Petya | Locky | ShadowBrokers | EternalBlue | Vault7 | Magnitude | Big Data; APTs Platform Disdain | Terror | Nuclear | RIG | Neutrino | Angler | Stegano | Cloudbleed |
Machine Learning Mirai | Necurs | Angler | Dridex | KRACK | Apache Struts | Toast Overlay | Intelligence | IP | Customer Data | Security Awareness | Compliance and Regulations Bluborne | Intel IME DLP NAC Advanced Malware Detection and Prevention | SCAP | FDCC | USGCB | GLBA | FERPA | DFARS | ISO 27001/ | 27002/15408 | NIST | CISQ | COBIT | ITIL
Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. I’m criticized by execs as the guy “As a CISO, you have a who always says “no.” How do I My CapEx costs are too high, choice: either become become the guy who says “yes”? due to investments in the strategy guy, or products that are ineffective the scapegoat.” There are too many opinions, too much information, too many or never deployed. experts and too little time. Everyone keeps telling me how many ”things” they have – researchers, endpoints, found attacks. But none of that helps me with my problem. THE CISO CONCERNS “This year, more than ever, I need to step back, take inventory and rationalize what we have, what’s working and what’s not. I need to focus on optimizing our current environment.”
25 – 30% of everything I have My CFO continues to ask me to bought has not yet been deployed. Do I even need it? The Vendor show them the measures and “I have 17 Security agents metrics proving we are safe with pitch on the problem and the deployed on our Desktop. I know I solution seemed to make sense? the investments we have made. don’t need all of these, but who The vendors won’t do this. do I trust to guide to which are needed and which are redundant?”
Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. THE CISO CHALLENGES
Back to Basics Inventory Rationalize Optimize Demonstrate
Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. The perimeter no Security purview must longer exists widen to meet the challenge
The path forward is Frameworks and blueprints unique for every can be used but must be business tailored
Technology must be There is an mindfully selected and embarrassment of riches in technology integrated for a proven
CHANGING CHANGING purpose PERSPECTIVE
Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. Cyber Program goals
Determine specific threats against your Map Controls in Build a Business Align Security organization. Place to Protect Your Aligned Security Initiatives with Your Identify Business Program Business Goals requirements to elevate your defense and response
8 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. Business Model of Information Security
Security Program Strategy & Oversight
GOVERNANCE
PROCESS Operations & ENABLING & COMPLIANCE Orchestration PEOPLE SUPPORT TECHNOLOGY Knowledge & Architecture & Behavior Implementation EMERGENCE
CONSUMERIZATION
9 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. Six Forces of Security: Security Influencers
IT Organization, Systems and Business Infrastructure Strategy
Organizational Global Social Culture and Political Forces
Adversaries Government and and Threats Industry Regulations
10 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. RISK MANAGEMENT CYBER DIGITAL THREAT AND TRANSFORMATION MANAGEMENT TRANSFORMATION Privacy and Governance Cloud Security Secure Infrastructure Adversarial Emulation Cyber Resilience Product Security (Exposure Mgmt) Threat Detection Risk Optimization Analytics/Big Data and Response
Orchestration and SECURITY Cyber Assurance Automation
IDENTITY CYBER INTEGRATION AND AND DATA DOMAINS OPERATIONS INNOVATION MANAGEMENT Intelligence Operations Identity Governance Applied Research
Cyber-as-a-Service Access Management Design Innovation Services
Advanced Fusion Center Data Governance Integration Services Operations (MDR) and Protection
Managed Security Services (MSS)
Cyber Authorized Support Services The members of the The security program security team believed made progress over The security program is they were valuable to time in its risk aligned with the business the organization and mitigation goals and had an impact strategy
WHAT DOES IT MEAN TO BE “OPTIMIZED”?
Board of Director and The executives of the Technology was one part executive leadership organization saw value in of many components of interaction with the the security program the security program security leader Single, Identifiable, Executive Sponsor or Advocate
Develop a Risk Steering Committee
OPTIMIZED Leverage a Control Framework PROGRAMS Targeted High Maturity in Some Controls
Thoughtful Deployment of Technology
Work with Great People Business Aligned
Risk Based
Data Centric THIS IS A Threat Based
JOURNEY Compliance Based
Infrastructure Based The day-to-day of the security technologies deployed to accomplish the security strategy Operation
WITH THE protecting employed by the business the business RIGHT from threats Strategy Technology to accomplish its goals BUILDING BLOCKS security controls designed to Architecture accomplish the security strategy what industry, and how it Business operates Business The Security Journey Aligned
Risk Based/ Business Aligned Strategy: Create a security Data Centric program that enables your organization by understanding the business objectives, compliance objectives, threats and material Threat risks. Based
Compliance Based
Infrastructure Based Ad Hoc Program In Conclusion…how good are we?
❖ Complexity in our Environment ❖ Changing Perspective ❖ Cyber Program Goals ❖ Six Forces of Security Strategy Influencers ❖ Security Domains ❖ Optimized Security Program ❖ Wrap up
Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. VIEW FROM THE CISO - DEMONSTRATING WINS
Michael Doucet Executive Director, Office of the CISO [email protected] “Inside-Out” Security purview must widen
ED to meet business needs and outcomes
The path forward is Frameworks and blueprints can unique for every be used but must be tailored business
There is an Technology must be mindfully embarrassment of selected and integrated for a riches in technology
OUTCOME TARGET OUTCOME proven purpose
CHANGING CHANGING PERSPECTIVE
Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved.