The Future of the CISO Role - RSA February 2017


1 SESSION ID: PROF-W03
The Future of the CISO Role - RSA February 2017
Bill Brown, CIO and CISO, Veracode

2 Poll Question: Are you a CISO or top Information Security person?

3 How has our role CHANGED?
- More visible
- No longer a back-office technology expert
- Accountable as an innovator and strategic business leader
- Must be able to work across company leadership: Engineering, IT, Legal, Risk, Lines of Business, Public Relations, etc.

4 3 Simple Questions to Ask Yourself
1. Am I helping to drive innovation, or am I slowing it down?
2. Am I an enforcer or an enabler?
3. Am I communicating my security strategy effectively to my executive team and board?

5 #1 Am I helping to drive Innovation or am I slowing it down?

6 InfoSec grew up with a focus on infrastructure security:
- Firewall rules
- Vulnerability scanning
- Application security testing

7 ... as well as managing a backlog of compliance and customer audits and questionnaires. Aspirations or attestations?

8 but Infrastructure is now Code

9 Security/GRC becomes the innovation "wet blanket"

10 What is the effect on your speed of innovation?

11 The CISO remit must change

12 Security has its rightful place

13 So, what can you do?
- Get InfoSec on the Scrum teams
- Secure application code, infrastructure AND environments from the start
- Automate and integrate security tools in the build process
- Build compliance auditing and reporting into the same pipeline
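The slide describes integrating scanning into the build and producing compliance evidence from it, but does not show what that looks like. The following is an added example, not code from the talk or from Veracode: a build gate that reads a scanner's JSON findings, fails the build when anything at or above a policy severity is present unless the finding id has an explicit waiver, and emits an audit record for reporting. The scanner output format, the tool name, the finding ids and the policy values are all constructed for illustration.

```python
"""Build gate: fail CI on scanner findings above a policy severity and
emit an audit record. Added example; the JSON finding format, the tool
name and the finding ids below are hypothetical, not a real scanner's."""
import json
import sys
from collections import Counter

# Constructed sample output from a hypothetical dependency/IaC scanner.
SAMPLE_SCAN_OUTPUT = json.dumps({
    "tool": "example-scanner",
    "findings": [
        {"id": "DEP-0001", "severity": "high", "component": "libfoo 1.2.3",
         "title": "known vulnerable dependency"},
        {"id": "IAC-0007", "severity": "medium", "component": "s3.tf",
         "title": "bucket without server-side encryption"},
        {"id": "IAC-0012", "severity": "low", "component": "sg.tf",
         "title": "security group allows 0.0.0.0/0 on port 22"},
    ],
})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Policy: fail the build at or above this severity. Waivers are keyed by
# finding id so every exception is explicit and shows up in the audit record.
POLICY = {"fail_at": "high", "waived_ids": set()}


def evaluate(scan_json, policy=POLICY):
    """Return an audit record; 'passed' is False when unwaived findings
    at or above the policy threshold exist."""
    data = json.loads(scan_json)
    threshold = SEVERITY_RANK[policy["fail_at"].lower()]
    blocking, waived = [], []
    for finding in data["findings"]:
        rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        if rank < threshold:
            continue  # below policy: reported, not blocking
        if finding["id"] in policy["waived_ids"]:
            waived.append(finding)
        else:
            blocking.append(finding)
    counts = Counter(f["severity"].lower() for f in data["findings"])
    return {
        "tool": data.get("tool"),
        "total": len(data["findings"]),
        "by_severity": dict(counts),
        "blocking": [f["id"] for f in blocking],
        "waived": [f["id"] for f in waived],
        "passed": not blocking,
    }


def main():
    audit = evaluate(SAMPLE_SCAN_OUTPUT)
    # The printed record is the evidence a compliance report can consume.
    print(json.dumps(audit, indent=2))
    return 0 if audit["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit code is what stops the merge; the printed audit record, archived per build, is what answers "show me that this was checked" without a manual questionnaire.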

14 #2 Am I an Enforcer or an Enabler?

15 CIOs AND employees now have a toolbox of purpose-built SaaS tools, architected and designed with consumer-grade features

16 Shadow IT is back, stronger than ever! The widening perimeter of SaaS-based tools in use by employees is pushing CISOs into a position of saying WAIT or NO rather than saying HOW

17 AND CISOs have a role in creating business value and employee enablement

18 So, what can you do? Monitor the perimeter for the use of these cloud applications by your employees ...

19 ... and enable those applications that are enterprise ready, meaning they have:
- a management console
- user management via invitation and self-subscription
- 2FA and encryption
Evaluate new tools against these same criteria ...

20 ... then redirect users from the unready applications to sanctioned ones, and block the others
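Slides 18 through 20 describe a discovery-and-decision loop: see which cloud applications employees use, check each against the enterprise-ready criteria, then sanction, redirect or block. The following is an added example, not part of the original talk: it parses constructed proxy log lines, aggregates users and bytes per application, and applies the slide's criteria from a hypothetical app catalogue. The log format, hostnames, application names and catalogue entries are all assumptions made for the example.

```python
"""Cloud-app discovery from proxy logs: find which SaaS apps employees use,
check each against the enterprise-ready criteria, and decide
sanction / redirect / block. Added example; the log format, hosts and
catalogue below are constructed, not from any real proxy or CASB."""
import re
from collections import defaultdict

# Constructed sample proxy log lines. Assumed format:
# "<epoch> <user> <method> <host> <status> <bytes>"
SAMPLE_LOG = """\
1487000001.120 alice CONNECT files.example-drive.com 200 48213
1487000002.004 bob CONNECT app.example-notes.io 200 1204
1487000003.310 alice CONNECT paste.example-share.net 200 90211
1487000004.981 carol CONNECT app.example-notes.io 200 5512
1487000005.223 dave CONNECT files.example-drive.com 200 3300
1487000006.777 bob CONNECT paste.example-share.net 200 120
1487000007.001 eve CONNECT api.unknown-saas.example 200 777
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Hypothetical app catalogue. 'ready' records the slide's four criteria.
APP_CATALOGUE = {
    "files.example-drive.com": {
        "app": "ExampleDrive", "category": "storage",
        "ready": {"admin_console": True, "invite_or_self_subscribe": True,
                  "mfa": True, "encryption": True}},
    "app.example-notes.io": {
        "app": "ExampleNotes", "category": "notes",
        "ready": {"admin_console": True, "invite_or_self_subscribe": True,
                  "mfa": False, "encryption": True}},
    "paste.example-share.net": {
        "app": "ExampleShare", "category": "storage",
        "ready": {"admin_console": False, "invite_or_self_subscribe": False,
                  "mfa": False, "encryption": True}},
}


def is_enterprise_ready(entry):
    """All four criteria from the slide must hold."""
    return all(entry["ready"].values())


def discover(log_text, catalogue=APP_CATALOGUE):
    """Aggregate usage per application and attach a decision:
    sanctioned, redirect (to a ready app in the same category),
    block (unready, no alternative) or review (host not in catalogue)."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip, never crash the discovery job
        entry = catalogue.get(m["host"])
        name = entry["app"] if entry else m["host"]
        usage[name]["users"].add(m["user"])
        usage[name]["bytes"] += int(m["bytes"])

    # One sanctioned app per category is the redirect target for unready ones.
    sanctioned_by_category = {e["category"]: e["app"]
                              for e in catalogue.values() if is_enterprise_ready(e)}
    by_app = {e["app"]: e for e in catalogue.values()}

    report = {}
    for name, u in usage.items():
        entry = by_app.get(name)
        if entry is None:
            decision, target = "review", None
        elif is_enterprise_ready(entry):
            decision, target = "sanctioned", None
        elif entry["category"] in sanctioned_by_category:
            decision, target = "redirect", sanctioned_by_category[entry["category"]]
        else:
            decision, target = "block", None
        report[name] = {"users": sorted(u["users"]), "bytes": u["bytes"],
                        "decision": decision, "redirect_to": target}
    return report


if __name__ == "__main__":
    for app, info in discover(SAMPLE_LOG).items():
        print(f"{app:28} {info['decision']:10} users={len(info['users'])} "
              f"bytes={info['bytes']} redirect_to={info['redirect_to']}")
```

The "review" bucket matters in practice: a host that is not in the catalogue yet is exactly the application you have not evaluated, and it should surface as a queue item rather than silently fall into "block" or be ignored.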

21 #3 Am I communicating my security strategy effectively to my Executive team and Board?

22 Worldview of the Board What are their biggest fears?

23 80% of respondents discuss cybersecurity at most or all boardroom meetings

24 More than 70% indicated they have significant concerns about risk from third-party software

25 Meeting Board Expectations
- Breach readiness and breach response are hot discussion topics
- They want to know you have a programmatic approach
- Speaking strategically can gain confidence in your security agenda

26 Concepts to get across
- There is no such thing as a breach-free organization
- Cyber security is a company-wide responsibility
- Cyber security needs to be thought of as a long-term strategy

27 What they want to know about
- Breaches in similar industries
- Key trends in successful attacks
- Who is out to attack our company, and why

28 What you also want them to know
- Describe the top 5 cyber risks the company faces and the level of exposure to each
- Let them know what you're working on
- How you compare to peers
- How your program is stacking up

29 So, what can you do?
- You will only get 5-15 minutes devoted to the cybersecurity topic
- Prepare an appendix for anything beyond a few key indicators
- Do not use acronyms: think "denial of service", not "DDoS"
- Use visuals, not text
- Use analogies and comparatives
- Provide a scorecard to illustrate progress

30 Use Benchmarks and Comparatives

31 Provide a Scorecard

32 So Who are You? 1. Innovation Driver? 2. Enabler? 3. Communicator?

33 Key Takeaways
- As the CISO, you need to embrace the role of driving innovation
- Your company needs you to enable employees to be more productive
- Your executive teams and boards need you to provide an accurate picture of your InfoSec program and how you are measuring up
- At the end of the day, they want to have a good story that we did everything possible to prevent and prepare for a breach

34 What to do next
Next week you should:
- See where your team is slowing engineering innovation
- Assess your awareness of the use of cloud applications by your employees
- Ensure you know the information security concerns of your board
In the next quarter you should:
- Focus on your skills as a driver of innovation and as a communicator
- Engage with peers to develop your board update template

35 Thank You! Q & A