VIEW FROM THE CISO - DEMONSTRATING WINS

Michael Doucet Executive Director, Office of the CISO [email protected] (613)899-7169 Agenda

❖ Complexity in our Environment ❖ Changing Perspective ❖ Cyber Program Goals ❖ Six Forces of Security Strategy Influencers ❖ Security Domains ❖ Optimized Security Program ❖ Wrap up

Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. COMPLEXITY SECURITY PROGRAM

▪ Business aligned Billions of 100’s of 2,500+ Security ▪ Right sized for the organization Threats and Regulations Technology Vulnerabilities and Standards Vendors ▪ Prioritized ▪ Never completed WannaCry | Petya | Locky | ShadowBrokers | EternalBlue | Vault7 | Magnitude | Exfiltration Artificial Disdain | Terror | Nuclear | RIG | Neutrino | Angler | Stegano | Cloudbleed | Cloud DevOps, Intelligence APTs Mirai | Necurs | Angler | Dridex | KRACK | Apache Struts | Toast Overlay | Next-Gen Security Architectures Bluborne | Intel IME Advanced Threat | Mobility | Cloud | Third-party Risk | IoT | Insider Threats | DDoS | Threat Intelligence | Risk Management Virtualization/Cloud

Thisis THE CISO CONUNDRUM

PCI DSS | HIPAA | GDPR | NYDFS | NERC CIP | FISMA | CIS | SOX

IoT WannaCry | Petya | Locky | ShadowBrokers | EternalBlue | Vault7 | Magnitude | Big Data; APTs Platform Disdain | Terror | Nuclear | RIG | Neutrino | Angler | Stegano | Cloudbleed |

Machine Learning Mirai | Necurs | Angler | Dridex | KRACK | Apache Struts | Toast Overlay | Intelligence | IP | Customer Data | Security Awareness | Compliance and Regulations Bluborne | Intel IME DLP NAC Advanced Malware Detection and Prevention | SCAP | FDCC | USGCB | GLBA | FERPA | DFARS | ISO 27001/ | 27002/15408 | NIST | CISQ | COBIT | ITIL

Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. I’m criticized by execs as the guy “As a CISO, you have a who always says “no.” How do I My CapEx costs are too high, choice: either become become the guy who says “yes”? due to investments in the strategy guy, or products that are ineffective the scapegoat.” There are too many opinions, too much information, too many or never deployed. experts and too little time. Everyone keeps telling me how many ”things” they have – researchers, endpoints, found attacks. But none of that helps me with my problem. THE CISO CONCERNS “This year, more than ever, I need to step back, take inventory and rationalize what we have, what’s working and what’s not. I need to focus on optimizing our current environment.”

25 – 30% of everything I have My CFO continues to ask me to bought has not yet been deployed. Do I even need it? The Vendor show them the measures and “I have 17 Security agents metrics proving we are safe with pitch on the problem and the deployed on our Desktop. I know I solution seemed to make sense? the investments we have made. don’t need all of these, but who The vendors won’t do this. do I trust to guide to which are needed and which are redundant?”

Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. THE CISO CHALLENGES

Back to Basics Inventory Rationalize Optimize Demonstrate

Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. The perimeter no Security purview must longer exists widen to meet the challenge

The path forward is Frameworks and blueprints unique for every can be used but must be business tailored

Technology must be There is an mindfully selected and embarrassment of riches in technology integrated for a proven

CHANGING CHANGING purpose PERSPECTIVE

Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved. Cyber Program goals

Determine specific threats against your Map Controls in Build a Business Align Security organization. Place to Protect Your Aligned Security Initiatives with Your Identify Business Program Business Goals requirements to elevate your defense and response

8 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. Business Model of Information Security

Security Program Strategy & Oversight

GOVERNANCE

PROCESS Operations & ENABLING & COMPLIANCE Orchestration PEOPLE SUPPORT TECHNOLOGY Knowledge & Architecture & Behavior Implementation EMERGENCE

CONSUMERIZATION

9 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. Six Forces of Security: Security Influencers

IT Organization, Systems and Business Infrastructure Strategy

Organizational Global Social Culture and Political Forces

Adversaries Government and and Threats Industry Regulations

10 Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. RISK MANAGEMENT CYBER DIGITAL THREAT AND TRANSFORMATION MANAGEMENT TRANSFORMATION Privacy and Governance Cloud Security Secure Infrastructure Adversarial Emulation Cyber Resilience Product Security (Exposure Mgmt) Threat Detection Risk Optimization Analytics/Big Data and Response

Orchestration and SECURITY Cyber Assurance Automation

IDENTITY CYBER INTEGRATION AND AND DATA DOMAINS OPERATIONS INNOVATION MANAGEMENT Intelligence Operations Identity Governance Applied Research

Cyber-as-a-Service Access Management Design Innovation Services

Advanced Fusion Center Data Governance Integration Services Operations (MDR) and Protection

Managed Security Services (MSS)

Cyber Authorized Support Services The members of the The security program security team believed made progress over The security program is they were valuable to time in its risk aligned with the business the organization and mitigation goals and had an impact strategy

WHAT DOES IT MEAN TO BE “OPTIMIZED”?

Board of Director and The executives of the Technology was one part executive leadership organization saw value in of many components of interaction with the the security program the security program security leader Single, Identifiable, Executive Sponsor or Advocate

Develop a Risk Steering Committee

OPTIMIZED Leverage a Control Framework PROGRAMS Targeted High Maturity in Some Controls

Thoughtful Deployment of Technology

Work with Great People Business Aligned

Risk Based

Data Centric THIS IS A Threat Based

JOURNEY Compliance Based

Infrastructure Based The day-to-day of the security technologies deployed to accomplish the security strategy Operation

WITH THE protecting employed by the business the business RIGHT from threats Strategy Technology to accomplish its goals BUILDING BLOCKS security controls designed to Architecture accomplish the security strategy what industry, and how it Business operates Business The Security Journey Aligned

Risk Based/ Business Aligned Strategy: Create a security Data Centric program that enables your organization by understanding the business objectives, compliance objectives, threats and material Threat risks. Based

Compliance Based

Infrastructure Based Ad Hoc Program In Conclusion…how good are we?

❖ Complexity in our Environment ❖ Changing Perspective ❖ Cyber Program Goals ❖ Six Forces of Security Strategy Influencers ❖ Security Domains ❖ Optimized Security Program ❖ Wrap up

Proprietary and Confidential. Do Not Distribute. © 2017 Optiv Inc. All Rights Reserved. VIEW FROM THE CISO - DEMONSTRATING WINS

Michael Doucet Executive Director, Office of the CISO [email protected] “Inside-Out” Security purview must widen

ED to meet business needs and outcomes

The path forward is Frameworks and blueprints can unique for every be used but must be tailored business

There is an Technology must be mindfully embarrassment of selected and integrated for a riches in technology

OUTCOME TARGET OUTCOME proven purpose

CHANGING CHANGING PERSPECTIVE

Proprietary and Confidential. Do Not Distribute. © 2018 Optiv Inc. All Rights Reserved.