Post on 06-Mar-2018
2015 IIA - Orange County
Qualities of an Effective CISO
Miguel (Mike) O. Villegas, CISA, CISSP, GSEC, CEH, PCI QSA, PA-QSA
Vice President - K3DES LLC
mike.villegas@k3des.com
November 13, 2015
Abstract

Hiring a Chief Information Security Officer (CISO) is a laudable goal. It implies executive management realizes the value of having an executive-level position for information security. The CISO is an executive who provides expert guidance to other C-level executives on matters of risk, compliance and information protection from a strategic and tactical business objectives perspective. Security practitioners are typically technical in nature but do not generally have access to C-level executives, so the CISO position can help fill in this gap. This session will discuss the qualities of an effective CISO. This includes education, background, reporting structure, focus, responsibilities, personal qualities, vision, leadership capabilities, and technical background.
Table of Contents

• CISO Resume
• Reporting Structure
• CISO Vision and Responsibilities
• Personal Qualities
• Leadership Qualities
CISO Survey

A survey conducted in July 2014 of 203 US-based C-level executives found a startling lack of respect for CISOs in the enterprise. Below are some interesting statistics:
• 74% said they do not believe CISOs deserve a seat at the table and should not be part of an organization's leadership team.
• 54% believe CISOs should not be responsible for cybersecurity purchasing.
• 44% believe CISOs should be accountable for any organizational data breaches.
• 28% said their CISO has made cybersecurity decisions that negatively impacted the organization's financial health.
Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx
CISO Resume

Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:
• Degree in accounting or MBA, degree in CIS or Information Security;
• CPA, CISSP, CISM, CISA, PMP certifications;
• CFE, CEH, GPEN, CRISC specialized certifications;
• Ten years minimum experience as a CISO, information security engineer, or security consultant. Big 4 senior managers or partners from systems assurance would be an added plus;
• ISSA, ISACA, (ISC)2, OWASP, or CISO forum memberships.
Certifications vs Experience

Many of us have known those that tout technical expertise because of their long list of certifications, yet once hired, it does not take long before realization sets in. Hiring a CISO...
• Certifications get him through the door.
• The interview gives him a seat.
• The 90-day probationary period assures he can stay.
• His technical abilities determine what kind of work he can manage.
• His communication skills determine whether he deserves a "seat at the table" (Board).
Why not hire within?

Security professionals who work within the enterprise have great advantages.
• They know the IT environment
• They know the business
• They have earned certifications that are the envy of many
• They have established a competent rapport with network engineers and system administrators
However, many times the Peter Principle might apply, such that the security professional has gone as far as he is capable of.
Good CISO Candidates

There will always be exceptions and each candidate should stand on their own. However, below is a list of good candidates for CISO.
• Director of Information Security
• Internal security professionals
• IT Audit Manager
• IT Risk Manager
• External CISO hire
• Big 4 Senior Manager or Partner
• Sr. Security Consultant
A prophet is not accepted in his own country.
Reporting Structure

There are four basic questions in this debate.
(1) Should there be a CISO position?
(2) Who should the CISO report to?
(3) What are the pros and cons for CISO reporting structure?
(4) Who decides?
Should there be a CISO position?

The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be:
• Independent of influence or pressure from those affected in the protection of corporate assets;
• Empowered to deploy all proper levels of protection; and
• Positioned within the organization to embed information security into the business culture.
Who should the CISO report to?

The survey conducted in July 2014 by ThreatTrack Security found that:
• 47% of CISOs report to their CEO or president,
• 45% report to the CIO,
• 4% to the Chief Compliance Officer, and
• less than 2% to the COO or CFO.
Source: http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx
Pros and Cons for CISO Reporting Structure

Pros:
• C-level executive that supports, understands and champions the information security function and CISO
• This provides the CISO independence, ability to disagree and empowerment to deploy the information security program
Cons:
• Where the CISO reports to is situational
• He might lose contact, credibility, cooperation and empowerment to control the security of corporate assets.
• C-level executive does not have sufficient appreciation or influence to support the CISO.
• Conversely, reporting to the CIO could be just as repressive
• It comes down to who the CISO would ultimately report to.
Who decides?

Despite the endless debates and opinions voiced whether the CISO should report to the CIO or another C-level executive, the ultimate question is "Who decides?"
• It clearly will not be the newly hired CISO.
• It will not be the existing Director of Information Security.
• The CIO might recommend hiring a CISO, but very likely reporting to the CIO.
• The CEO and board members should ultimately decide, but typically the question is not a consideration until they have experienced a breach or a major security incident.
CISO Vision and Responsibilities

The CISO's vision is to align the information security program with the enterprise strategic business objectives. The CISO's responsibility is to ensure the information security program meets those objectives and grows commensurate with the enterprise goals. Executive management looks to the CISO to:
• Define and manage the information security program
• Provide education and guidance to the executive team
• Present options and information to enable decision making
• Act as an information security advisor
CISO Vision and Responsibilities

This includes, but is not limited to:
• Executive Management Reporting
• Risk and compliance
• Information Security Administration
• Competent and skilled staff
• CSIRT Program
• Information Protection
• Security Monitoring
• Security Policies and Procedures
• Vendor Security
• Wireless Security
• Mobile Device Security
• Web Application Security
• Vulnerability Testing
• Security Tools
• Network Security
• Application Security
• Personnel Security
• Database Security
• Cloud Security
• Security Awareness Program
What the CISO should do to earn respect

• Use the "three C's" to emphasize the importance of information security within an organization:
  – Cooperation precludes pernicious silos;
  – Communication is critical, but it must be incisive, relevant and done with aplomb; and
  – Counterbalance ensures contributions are commensurate with business objectives.
• Identify a C-level team member who can champion the CISO's contributions and participation. Befriend, educate, earn trust and provide him or her with insightful information that will also elevate his or her visibility and credibility.
• Schedule monthly executive management reports on the state of information security for your enterprise. Use graphics and red-yellow-green icons to highlight areas to focus on, and communicate your message in business terms related to cost, ROI, risk, growth and compliance.
• Stay informed of current events and new technologies, especially as they relate to your enterprise industry.
What the CISO should do to earn respect

• Give business managers reason to praise your efforts and value. Meet with key business managers to better understand their pain points as they relate to information security, risk and compliance. Be a trusted business advisor.
• Embed information security in the project management cycle, the change management life cycle and the information governance process.
• Hire or build an exemplary staff with passion for information security.
• Be a luminary in your field so executive management is aware of your endeavors, not only from within, but from others outside your organization. Write articles. Give lectures on information security. Participate in professional organizations to gain insight into what works and what doesn't.
• Use a proven and industry-accepted framework, such as ISO 27001 or the NIST Cybersecurity Framework (used by Cybersecurity Nexus CSX).
Personal Qualities

• Trusted Business Advisor - has a business sense of enterprise strategic goals
• Security Engineer - technically competent such that he can stand toe-to-toe with IT
• Leader - leads staff by example
• Manager - manages projects to completion
• Presence - good presence with executive management, demanding attention and respect
• Communicator - ability to communicate technical topics to the Board in terms they understand and support
• Assertive - not aggressive; does not have to be right or win an argument all the time
• Ethical - does not hide bad news to save face
• Manageable - a CISO cannot manage if he is not manageable
Personal Qualities

• CISO needs to be
  • incisive,
  • diplomatic, and
  • confident
• CISO should have high technical acumen
• CISO should be passionate about information security
  • but not so quixotic or dogmatic that it would call their credibility into question
• CISO should be an agent of change
  • Not a cop
  • Not an auditor
• CISO should be tough skinned
Leadership Qualities

• Cybersecurity is predominantly defensive in nature.
• Enterprises are subject to a constant barrage of attacks from inadvertent and advertent unauthorized access by internal and external sources.
• Each day the information security professional is challenged with new attack vectors and exploits.
• It is no wonder that protection measures, monitoring and remediation efforts seem futile and Sisyphean.
The CISO needs to:
• Lead by example
• Develop and grow the staff
• Recognize staff contributions
Lead by Example

• Infect your staff with your passion
• Hire or build exemplary staff that shares your passion for information security
• Let them see your interest, resolve and motive for information security
• Inculcate the maxim of being an agent of change
• Stand for professional ethics in the event the CISO's reporting executive instructs otherwise
• Do not instruct staff or IT to only provide auditors and assessors what they ask for and nothing more
  • This says that half truths are OK
  • Staff will feel half truths are OK with the CISO
  • Ultimately hurts the enterprise
Develop and Grow the Staff

• There is an abundance of cybersecurity training that is not expensive, such as ISACA, ISSA, OWASP or OJT
• Assigning special projects to
  • develop or update security policies,
  • security awareness program,
  • incident monitoring and reporting,
  • vulnerability remediation efforts,
  • controls testing,
  • compliance testing, and
  • proof of concepts (POC) for security solutions, whether you purchase them or not
• Certification training for
  • CISSP, CISM and CISA
  • SANS courses, EC-Council
Recognize Staff Contributions

• Recognize them publicly through
  • newsletters,
  • personally naming them, when appropriate, in management meetings,
  • allowing them to participate in visible projects, and
  • giving credit to those that had a direct hand in special project achievements.
• The CISO many times will get all the glory but will also get all the blame. Staff members need to believe the CISO is there to build, protect and champion their efforts.
The dynamics in this approach will realize staff willing to exceed expectations.
Summary

• CISO Resume
• Reporting Structure
• CISO Vision and Responsibilities
• Personal Qualities
• Leadership Qualities
BIO

Miguel (Mike) O. Villegas is a Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27001:2005 program. Mike was previously Director of Information Security at Newegg, Inc. for five years. Mike is currently a Contributing Writer for SearchSecurity-TechTarget. Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC and CEH. He is also a QSA, PA-QSA and ASV as VP for K3DES. Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002-2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 18 years.