Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi, this is Gordon Rudd coming to you from Conf42's
Golang conference. I'm going
to talk to you today about information security and
specifically how to be a chief information security officer.
This is me. Please feel free to connect with me
on any social media platform. Give me a call anytime.
We're always here to go. So without further ado,
we've got a lot to go through today. I'm going to make sure that we
get through everything. And again, if we have any questions, connect with me
on social media. I'll be happy to answer any questions you may have.
We are going to talk about every CISO's 1st 90
days and how to achieve lasting success as a CISO.
Our agenda for the day is really quite simple. You want
to be a CISO? Yeah, everybody wants to be a
CISO. Not everybody, but a lot of folks do.
And 30, 60, 90 day plans. You're a CISO
now. What should you be doing with your day? What should you
be doing for your organization? How should you be conducting yourself
and what does a world class CISO look like and creating your roadmap
for success. And we want to make sure during
this time that we're getting your head in the game and that we're
giving you some clues on where to go to next. Because after
all, for a lot of people, being a chief information security officer is a dream
job. And we want to make sure that when you get that dream job,
you understand what you're getting into. You are not going to be a
rock star. This is a rock star. This is
a CISO. CISOs spend a good deal of time being underwater.
That's just the way it works. We are normally
a little bit behind the curve. We're trying to anticipate everything that's going to
happen. But as you might guess, anticipating what's going to happen
can sometimes lead you a little astray. What I'm going
to do today is give you a for sure
methodology for making sure that you succeed
as a chief information security officer, or chief information officer,
or chief technology officer for that matter. I'm going to really begin
to outline the measure, assess plan or the map
strategy, so that you can measure what you've got in place
when you get there. When you get to the new job, you can
assess the gap, figure out what's needed, and then you can simply
plan the work and work the plan. It's what we all want to do.
And it doesn't matter how you came to be the CISO, whether you started at the
help desk and went through network administration. Perhaps you were a
SOC analyst, maybe even a forensic analyst, and then a CISO.
It doesn't matter how we come to it. If you're going to have a
great career, if you're going to succeed as
a CISO, you've got to make sure that you're monitoring these
nine things all the time, the tone from the top. You've got
to watch the board and the senior management team and make sure
that you understand their priorities and
what they perceive to be a complete information
security program. You also want to look at your GRC, your governance,
risk and compliance, and you want to make sure you stay with the KISS
principle. Excuse me. You want to make sure you keep
it simple, not necessarily for the stupid, but for the sake of simplicity.
You want to make sure that you have employee ownership. The employees have to
own the information security program, because information security
is a team sport. And you're going to find that you can't do it without
everybody. So let's make them owners, let's get them involved,
and we're going to solve problems. And it's not just
buying new tech. A lot of times we find that organizations
will want to buy a new piece of software, some new
service, when they already have something on the ground that'll do it and
probably meet every specification they've got.
So we're also going to talk a little about finding your company's rhythm,
about due diligence, collaboration, and automating
everything as much as possible. Automation is your
friend. One of the first things I really want you to do if you're thinking
about being a CISO, is take a moment and decide what kind of CISO
are you. Are you a technical or a managerial CISO?
That's a hands on versus an executive. We've got a
lot of different acronyms, three letter acronyms, four letter acronyms,
or TLAs and FLAs, that we're throwing around today.
Technically oriented CISO, that's the one that
would be the hands on CISO. It's usually a one man band, maybe two
or three people. A policy oriented CISO, also known
as a business information security officer,
that's somebody that doesn't touch the technology, that just kind of stays
at the C level and makes sure that everything's operating
correctly from the strategic and tactical
levels, not necessarily boots on the ground. Or are you a
strategically oriented CISO, also a
strategic information security officer? Are you looking forward? Are you
looking at new things and trying to figure out how to dial them into your
organization? The first thing I want to make sure we're all doing is
getting our head in the game. And to do that, you're going to have to
measure, assess and plan, or MAP, yourself. You're going to have to
do an agonizing self appraisal and find out where your strengths are and where your
weaknesses are. You're going to have to know, what are you?
Are you the information security CISO that everybody
talks about that can fix anything, or are you the strategy CISO?
Are you the executive CISO? You're going to have to figure out who you are.
I always suggest that to do that, you start with a diagram very
much like this, and you go through the who you are, where you're going,
how you're going to get there, what actions you're going to take, and how
to evaluate and review everything that's going on.
Those are stages that
will do you well. They will serve you well if
you use SMART goals and objectives: specific, measurable,
attainable, realistic and time bound. The evaluate and review
that we see over here, this evaluate and review
that is absolutely part of the process.
Put times on the different activities that you feel
you have to have to make yourself a better executive.
And when you come to that time, mark,
reevaluate. You've got lots of things to think about as a
CISO today or as any technology executive. You've got a lot of decisions
to make. I strongly suggest that you find either
a coach or an accountability partner. Either one will do.
You don't necessarily have to have a coach, but you need an accountability partner,
somebody that you can talk to and you can
work through the process of saying, I've got these things to
do, these are my timelines. And somebody just holds you accountable.
And I've always found that using your boss as that
accountability partner doesn't often work out the way you'd
think, because a lot of times you want to give some
reasoning why you're late. Many times the boss doesn't
have an ear for that sort of thing. I want you to remember that
you are running a marathon. As a chief information security officer,
however, that marathon is going to be running sprints. You're going to go hard,
stop and rest. Go hard, stop and rest. At least we hope you
get that stop and rest cycle in there. So I want to make sure you're
ready for this because it's going to be sprint, rest,
sprint rest until you get the whole 26.2 miles.
Now, to get the job as CISO, you probably
had the whole, okay, we're promoted,
we're replacing somebody,
candidate selection process. At any rate, as you went through all
these things, you did the resume, you did the cover letter, you did the interview,
you did all your research at the interview. You should have
had in your possession a 30,
60, 90 day plan that you used as a
tool to tee up what you think
you should be doing during your first 90 days on the job. That you
can also use to find out what your supervisor, what your boss
thinks you should be doing every day on the job. That's the beauty of that
plan. It's a communication tool for you. And then you're going to take
your plan that probably looked like a word document and
you're going to break it down like this. You will notice that
before you got there, before day one,
you had a 30, 60, 90 day plan. You understood your manager's
expectations. You had a copy of the chart. You'd done your research on
the industry, the company, the department. And now you're going to start measuring things.
The strategic and tactical, the budget, the GRC policy
and procedure analysis, enterprise risk assessments, that sort of thing.
Assets that are being managed, assets that are unmanaged,
vulnerability assessments, personnel skills, access controls,
interviews. Those are just a few of the things that you're going to do.
You want to understand the change management process from jump.
Ask what the change management process is
and how information security fits into it. The other
thing you want to make sure you're doing is to assess the
enterprise's cybersecurity, their architecture and baseline their current training plan.
Software development teams, DevOps teams can be
the same thing. Maybe not. Some folks
just do development. Some folks do DevOps. We're seeing DevOps
take over. But there's still a significant number of organizations out there
today that have the software development teams that are all developing
different pieces for the systems that are found throughout the
organization. How the organization is meeting
all its, you know, it should be NYDFS,
not NTDFS,
CCPA, GDPR,
all those. How are you doing that? And you want
to look at your backup management plan. That backup management,
especially if you're looking at a ransomware situation, can save
you. It will save you or kill you, depending on whether you're doing it right
or if you're just not paying attention to it. And then you're going to plan
all these things. Corporate information protection plan,
that's yours to create. You need to have one. You need to have it blessed
by the board. So from wherever you are to the board,
you've got to work your way through those layers of management,
filtering that plan, making changes and additions to it until
you get consensus on it. And you're going to have to build you,
you're going to have to figure out where you are and where you
need to be. So you're going to plan for yourself, you're going to plan for
your executive growth. You want to make sure that you're testing
every bit of business continuity management that the organization
has. Business continuity management, again, it's going
to make you or break you in any kind of an incident. So prep,
measure, assess, plan, mapping everything out. And again,
this is very generic. Yours is going to be different depending on
your industry, depending on your organization, and depending on your
skill set. Remember, we're all going to start out the same place.
We're all going to start out with data at the center. There's going to
be an app wrapped around the data
that's pulling the data in and reading and writing the data, storing the data.
There's going to be a host that the app sets on. The host is going
to sit on a network. The network is going to have a perimeter, it's going
to have physical security. We're going to have policies and procedures
for data governance, and we're going to have a security education, training and
awareness program. Those are all things we have to have.
Very interesting. When you start looking at it, you must
have those pieces to that puzzle. And the way we put them together for
chief information security officer is to create overlapping
layers of security to create this model so
that you've got your perimeter security. You step inside and you've
got another layer of security.
Some of the items that you might find, like a
firewall and VPN on the outside, might have counterparts
in that middle circle. So if you're looking outside
at your perimeter and then looking a step inside,
this would be inside the firewall, that would be forward
facing, where you're looking at the wild, wild west,
and you're going to look at your encryption inside. What have you got
inside? Remember, cybersecurity is very complex
today. It's not just the agile development cycles or the DevOps
teams that are creating code, packaging it and putting it through
change management and an automated process. We've got mobile, we've got websites.
Websites today are normally going to be the
busiest branch or physical location that you have.
Normally your website will do ten times more business every
day than all your physical sites put together. As just kind of
a rule of thumb that we're seeing. So that complexity means that
you're really going to have to stay on top of things. You're going to have
to make sure that you're pitching in every chance you get
to keep the wheels turning. And to do that,
there's a skill set that if you don't have, you need to develop. If you
do have, you need to hone it. The security program, creation,
management and operations, creating the program,
managing the program and operating the program are three different stages.
You need to be familiar with those stages. You need to understand them. The information
security core concepts. If you're a CISSP, look at
the domains that go with that certification. We used to
have ten, now we've got eight. But they're still very valid domains.
So those are the core concepts. Encryption,
all that sort of thing that's found in those domains
is pertinent to your job. You should know those domains, you should be familiar
with them. You also need to have the ability to plan,
need to have a rudimentary understanding of finance, risk management and
vendor management or third party risk management.
Depending on the size of your organization, your governance, risk and compliance
is going to be key. And those five p's, program,
processes, procedures, projects and people.
You need to know your programs, your processes, your procedures,
your projects and your people. And it's at this point
that I would suggest to you that a project that's gone on for more than
its allotted time, let's say just for the sake of argument, it was supposed to
be a year long project. You're going into year three. That's not
a project anymore. That's a process. Just call it a process.
Declare the project done, take the win and go home.
And whether or not you're in information technology
or information security management, controls and auditing,
that ties into that GRC. How do you control it?
How do you audit, and what technical acumen do
you need? If you're a hands on CISO, you're going
to need to understand the technology. And then we're going
to take a look at the organization itself as part of that mapping
process. We're going to assess the organizational maturity and the operational readiness.
And the way we're going to do that is just use a basic CMMI
model so that we're starting down here in the
initial stages where all organizations start,
they're all pretty much, this is actually level one
down here. They're all pretty much competent people
using heroic efforts to keep things going, keep all
the wheels spinning round and round every day. And when you move up
from that. When you move up to the managed but isolated projects,
you start to see basic project management.
You start to see different tactics being used,
but they're used inconsistently. And as you move up,
you're looking at defined processes, multiple project capabilities.
So all of a sudden at level three here, you're going to be seeing a
project portfolio, and projects across the
entire organization are all going to be grouped together in one portfolio
and managed as such. You get up to level four. It's all counted.
Everything's counted, quantitatively managed,
quantitatively operated. Every one of those things
is absolutely where you want it to be, but it's counted.
And that's really kind of the bottom
line, because the five is going to be part of the defense industrial complex or
really big organization, federal government kind of thing.
All that sizing is
to say that we don't want to throw anything away. We want to be able
to purchase the equipment we need today and figure out a way
for it to scale, because scalability gives the organization economic
flexibility. So as we come up through our network with
our IT operations, systems, applications, the whole thing,
one, two, three, four, five, six, seven, as
we come up the seven layers. The one thing I want
you to understand is that every time you build in scalability, you're building in
economic flexibility, and that's important to your organization.
Okay. You've got to maintain the confidentiality,
integrity and availability triad while you're doing it. But you
also need to make sure that it's scalable. You don't want to do forklift
upgrades. You want to minimize the number of forklift upgrades you're
doing. And you do that by simply remembering that one size doesn't
fit all. It does not fit all. You're going to have different solutions
as the organization grows. The more employees the
organization has, the differences
in not only the infrastructure but the information
security that's involved in securing that infrastructure will
change. But I want to make sure that the four points
of alignment, and you notice there's actually five things on that slide,
but we call them the four points of alignment because you see functionality twice.
You want to stop and say, what functionality do I have on the ground
right now? The pieces, parts, the systems that I have in place
today? What's their functionality? What's their capability? Then you want
to look at aligning the economics. Does it make dollars and cents?
And then you want to look at the talent. Do we have the talent to
drive the equipment we have, or is the talent not trained up
enough? So the talent, your people, are telling you that the equipment
doesn't function the way they need it to function. Not your optimum
situation to be in, but you can train your way out of that.
And then you want to decide, are we going to use our existing
equipment or are we going to use new equipment? Whose equipment are we going to
use and what's it going to look like? And we want to make sure
that you're leaving breadcrumbs, that you're creating a roadmap for
yourself. You're using everything you've got,
just using all the skills that you've been taught
and making sure that you're collecting all the appropriate artifacts. You want to make sure
that you're collecting threat hunting artifacts, that you're doing
log aggregation. Every computer on the planet allows you to log everything that
happens on it. That can get a little messy because any computer on
the planet can exhaust any amount of disk space by
simply sitting there and operating and recording everything to log
files. Log aggregation, log management,
very critical. Firewall clustering, AI, user
behavior analytics are critical for you. Vulnerability management.
If you look at the threat hunting, threat hunting, vulnerability management,
and patch management all go
together. So there's a little triad there, a little trilogy.
You want to make sure you're aware of your security research, your incident response,
your forensics, your training and cross training.
Those types of things are all artifact
driven. You want to record where you are and where you're going. You want
to make sure you know how you got where you are, and you want to
make sure you're looking at your network and endpoint defenses.
Are we monitoring multiple layers of security? Well, I hope
so. We should be by now. We want to look at our
firewalls, our DLP, spam filtering, antivirus, threat emulation,
HTTPS inspection, bot protection, application control,
and URL filtering. It's at this point that I would say, if you're not familiar
with the OWASP model, you should be. If we go back here and we
look at the log aggregation, we just say, okay, great,
we're going to aggregate these logs. Why do we want to do that? We don't
have enough disk space for everything. So if you think about
a stream flowing into a creek flowing into a river,
that flows into a lake, that eventually flows into a bigger river and flows
into the ocean, through that entire scenario,
you're looking at water en masse moving.
You're not looking at the drops of water in it. But as an information security
professional, especially if I'm into forensics, I'm looking
for the data points. Now, Python has been
the biggest thing in the world for security forensics
and for analyzing log files,
taking care of everything. That is log
aggregation. That has been a Python
kind of thing for the longest time. My friends that are really
into forensics and
investigative services are telling me,
they started telling me this last year, actually, that they're moving to Go because they
find Go to be easier to use,
quicker to learn, and you can do the same thing with
fewer lines of code. Now, I'm not a professional Go programmer.
I could best be described as kind of an amateur. As a programmer,
I can do a little Python, I can do a little Go.
And from what I've seen of Go, I believe that it
has the strength and the flexibility of
Python, that kind of thing. But I think it's also a
little easier to use for me. It's easier for me to understand.
So I'm looking at Go as becoming
part of an information security professional's arsenal,
a tool that they're going to have in their toolbox. And we know that all
those things aren't enough because nothing's foolproof, okay?
Users make mistakes, vendors make mistakes. You and
I have both, we all, I guess I should say,
gotten overwhelmed. And we've clicked on something that we
didn't look at closely, and we all know that what we don't see can kill
us. We can start a brute force attack accidentally.
The detecting and evading that the bad actors
do, privilege escalation, lateral movement,
all those things we need to see. Protocol poisoning, something we
needed to watch. How do we gain insight? The AI insight,
machine learning, clustering algorithms. You may have
to add staff. I like to automate where possible, because when
you automate it, the automation doesn't normally take the day off.
It doesn't have to have a vacation, doesn't have to have a
child's recital or a sick
spouse. Those are all things that happen in life.
If you're doing anything with a human, the humans that
you've got are going to have the same problems all humans have. Nothing
wrong with that. Just acknowledge it and say, hey, people are just
not going to be showing up every day for work like you'd like.
And that's okay. There are people that AI inside
will give you the view you need. So if you look at the behavioral analytics
and you learn what your network traffic looks like, which to
bake it in is going to take six to nine months. And if
the salesperson says it's shorter than that, you want
to look at them kind of funny. Because I'm seeing more AI installs,
simply because we're getting a lot more sophisticated at installing
them and tuning them up out of the crate, a lot more AI
installs are taking nine to twelve months to actually normalize.
And by that I mean to ferret out all the false positives and false
negatives and to actually be useful
for exposing intruders and seeing those individual drops of
water that are flowing around inside. So we always want to use
that. We want to make sure that we're letting it scan the networks and detect
new devices and that we're doing it in a controlled fashion.
When you first get your first AI tool, you're going to turn it
on and see what's on the whole network. Well, that's the wrong answer because that'll
probably cause enough network traffic that for all intents and purposes
your average user is going to think that the network is down.
Not a good idea, let's not do that. What are your benefits?
Where are you going to keep your vulnerable systems on your radar? You're going to
watch these vulnerability notifications that are going to pop up out of these systems.
You're going to be able to assign remediation tasks. You're going to be able to
track that remediation and make vulnerability management
workable. It's got to be workable. And you decrease your
attack surface. So as we're rocking along
doing these things, we want to make sure that we're constantly assessing,
we're constantly evaluating, and that's supposedly a
representation of the old stoplight method, green, yellow and red.
Because your success as a CISO
hinges on your team's ability to monitor
the central nervous system of your organization and
make sure that they understand everything they're seeing and can report it
accurately to the senior management team and the board. So while
we're talking about that, what you do for a living as
a Go programmer, as a Python programmer, anything in
IT, unless you're talking to another IT professional,
the chances of folks really understanding what
you're doing and who you are are kind of slim
to none. So I want to encourage you to over communicate what
you feel like is over communicating. I'm not saying tell the
senior management team and the board how the watch was made. I'm saying
don't be afraid to communicate because if you don't communicate
they're going to speculate. And that is not a place you want to
be in. One of those first things that you want to do is make
sure you're taking a look at this little red box here. You want to make
sure that you're looking at your strategic planning and
your project requests and how those are coming in and how
you're doing them, because you're going to have
an IT executive board. I don't know if you call it the President's
Cabinet, Technology Operations Service Committee,
whatever you call it. You're going to have an IT strategic advisory
committee. You're going to have committees of the
board, like the audit committee that may meet quarterly.
And you're going to have all these issues that you see here.
Every one of these issues you're going to have. When it gets down to governance,
I want to make sure that for whatever reason you can
rationalize in your head, you put strategic planning
and the project request and project prioritization
ahead of all these other things. Because if you can do that,
you can succeed as a CISO today. But you've got to be able to
understand the projects, the priority they have,
and how those priorities are going to change over time.
So to do that, you're going to have to communicate. If you're looking at
board reporting, you've got to realize that the board is 100%
responsible for the organization. In the story, the board governs
the organization, not the senior management team, but the board.
Members of the senior management team may have a seat on the board.
That happens. Some will, some won't. You're also going to make sure
that you look at your regulatory guidance. If you're in the finance industry, you're going
to make sure that your FFIEC regulatory requirements are met.
If you're in healthcare, you're going to look at the HITRUST model
and you're going to make sure that you're ticking and checking off everything on
the HITRUST model. You always want that tone from the
top, from the board and senior management team.
And you're going to find every industry
that has a regulatory body behind it is going to want the board to
be involved and they're going to want you to be able to prove the board's
involved. So how are we going to do that?
Well, boards today, even in a small
to medium sized organization, may have as many as
700 to 1000 pages that they're supposed to read every
month for a board meeting. Well, now, every board that I've
ever been on, the week before the board meeting, they'll give you a board packet.
Basically they give you an iPad today and you log into a
website and the board packet is all online. You've got
800 pages online. You've got a week to read it and oh, by the way,
you've still got a day job. It's going to be tough. So you want to
make sure that you set up a frequency of reporting
so you're not inundating the board or the senior management
team. The board needs to have at least an annual report, should probably
have quarterly reports and an annual summary, at least your governance,
risk and compliance, your compliance committee, risk management committee,
technology services committee, that sort of thing. You want
to report to them every month, every time they meet. Committees of the board,
like the audit committee, may meet quarterly. You want to report to them quarterly.
And you want to make sure that you dial in
the board, the senior management and your key stakeholders when you're designing
this reporting framework so that they are up to speed on the frequency
and the content of the report so they know what to expect, that's good for
you. Surprising them, not good for you. Letting them know
what you're going to do and how to do it before you do it gives
them an opportunity to put their thumbprint around if they so choose.
Always a good idea to give senior management the board an opportunity to
dial you into what their expectations are.
Cybersecurity board reports should include a total inventory
of everything you're managing, your status when it comes
to threats, vulnerability and patch management. How that's working?
Is it working? Is something broken? The organization's risk
assessments now cybersecurity,
it does risk assessments. You should do a risk assessment
on every new piece of equipment you get, every new projects, every new
service. All these have risk assessments. And every year
you should be risk assessing everything you've got. So you're going to have
ongoing monitoring activities for everything that's going on,
and you're going to assess the risks that are in that and then any
material, upcoming contract renewals, terminations, any problems
also need to be reported up. And I always recommend that the
board report contain at least one
PowerPoint slide for each of these. Your asset security, these are your
columns, I'm sorry, these are your pillars or your
domains of information security. I guess domains is the word I'm
looking for here. It's your domains. So make sure you give them
a little information on each one of these and make sure
that the other component you recommend, I'm sorry,
make sure that the other component I recommend is included.
And that is a word document that puts more detail into
each one of those sections. It also gives any important industry information,
any new regulatory guidance, updates on staff changes,
overall inventory of actively managed third parties, and any
cybersecurity program changes, particularly focusing on the
changes to high risk and critical areas of operation. You can
make sure that you're doing the right thing by finding the right framework.
Find a framework, use it. There are many to choose from.
CIS, NIST, ISO, probably where you
want to start. If you're in the US,
you're probably going to be NIST. The rest of the world, especially in
the European theater, you're going to be ISO. Find a
framework and use it. Make sure you're assessing risks.
Risk comes in, there's really three parts to risk. There's the inherent risk,
there's the mitigating activities that are going to reduce the inherent risk,
and there's the residual risk. And those risks,
you need to have an understanding of the people, processes and technology that
are going on within your organization, especially within IT
and information security. You need to be aware of that. You also
need to be aware of the people, processes and technology in
every line of business. Because every line of business is
an attack surface. You need to know how the people are working, what processes
they're using, what technology they have in place, what are they doing all
day and how does it relate to securing the organization and maintaining that confidentiality,
integrity and availability triad?
You're also going to have to manage your team's talent
level and your project management capabilities.
Got to have an assessment on that. Standardization, how standard
are you? Do you have a standard desktop? Do you have a standard smart
device? I'll just say smart device. I keep wanting to
be vendor specific. If you've got a smartphone
or a smart tablet, what are your standards for setting those up?
What are your standards for setting up a workstation, a laptop?
What are your standards? How did you standardize server configuration?
And what are your quantitative management
capabilities? The quantitative management capability that you have, the ability
to measure everything you're doing and assess what you're doing based on
numbers, based on calculations, based on figures,
based on quantitative analytics is
really the Golden Circle because once you get down to that, then you
can say, we're running a little shy in this area, we need to flange
it up or, wow, we have certainly seen
an escalation in the number of bad actors moving past our firewall.
Now, to do all this, you want to make sure that you understand
the skills that you have on your team. This is a
very simple skills determination. I think it makes the point
you just take the person that you've got,
whoever the person is, the current role they're in,
the skills. Now, one person may have more than one
role, and one role may have more than one skill. So you
may have these things fanning out on you as you
go down. Then what's your current capability
and what's your ideal capability for that particular person,
for that particular job, and what's your developmental action
going to be? How are you going to bring them up to speed today?
I'm going to just go out on a limb and say this. You need to
stop looking for the unicorn employee. The unicorn employee
does not exist. It's not there. If you
find the unicorn employee, they're going to want too much money.
And then as soon as somebody comes along and offers them 20% to 25%
more than you're paying them, they're gone. Don't look for that
unicorn employee. If one drops in your lap, take them.
No doubt about it. Stop looking for the unicorn.
Start building your team. Build your own unicorns and do it
using a model like this. You can refine it, you can make it
do anything you need it to do for your organization,
but get a training plan in place to bring your team up to where they
need to be, and you may have to include IT in it. The technology
groups oftentimes have to move in tandem, and you need
to make sure that your people and the IT people have certifications.
Well, there are a few certifications out there. I didn't
list all the certifications from SANS because there are
just tons of them.
CCNA, CCIE, all good certifications.
The CISSP is usually the cert.
By last figure, I saw 68%, almost 69%
of all chief information security officers hold a CISSP.
So not a bad place to be. Now, remember, when we start
talking about certifications, your certifications, your team's
certifications, I want you to understand that
they're going to have to go take tests. You're going to have to take a
test. And it kind of behooves us to stop at this
point and take a look at what is
learning. Now, for those of you that have children,
especially ones that you might read a bedtime story to, the thing
you're going to notice at some point is they're going to want you to read
the same story over and over and over
and over until you're frankly sick of
the story. And then, the child's asleep and you're sleepy,
and you're going to start going through,
and you're going to skip a word, and
your child's going to say, it didn't say that, it
says this. And even though the child can't
read, the child has the book.
Every time you reread the same book to your child,
you're building the child's IQ. They're learning.
They're building mental capacity. When they
get a little older and they start playing video games, they're doing the same thing.
They're learning, they're building mental capacity in video games,
especially games that have problems to solve,
whether it's something that's civilization
building or army building. Even first
person shooter games all have the ability
to help the individuals that are playing them learn,
increase their IQ, and get some serious
problem solving skills. So remember,
your employees are going to start out right where you are.
They're going to start out in that comfort zone where they feel safe. The next
zone away from comfort is fear.
You cannot learn when you're afraid. Fear releases
a chemical in your body that shuts down your frontal cortex.
And I promise you, once the front part of your brain,
the frontal lobe, ceases to function normally,
and it's in that kind of fight, flight, or freeze state, you're not
learning anything. The learning zone actually
is the next zone over after fear. And the growth
zone actually happens after the learning
zone, where you know the material enough that you
can actually apply it, you can see how it works.
The best example I can give you of that is long,
long time ago for the Certified Novell Administrator
exam. I'd been a Novell administrator for
four or five years before I ever took the exam. And they had, you know,
hey, if you do this, we'll give you a free exam ticket. So our organization
punched the first ticket. We got a free exam. I went and took the exam,
passed it, and never really studied for it.
But then I had worked with Novell long enough
that I was not in the fear zone or
in the comfort zone or even the learning zone. You could ask me
how to do anything after working with it for five years, and I could tell
you. So I was, at that point, in a growth zone,
looking to get better. Not in the comfort zone, not in the
fear zone, and not in the learning zone.
Remember, match your
frameworks to your industry and
to your organization, and make sure that
as you're pulling up certifications and saying, it'd be great if
we had one of those, make sure that that certification fits
with the framework. Certification must fit with framework.
There are TOGAF certifications, Zachman, ISO,
ITIL. COSO's got a cert.
NIST CSF, I'm sure there's a
cert out there somewhere for it. I don't know off the top of my head
where it is, but I'll bet somebody's providing it, and you
should have a clock in your head constantly
running. I like to
justify the technology that I have on the ground that I'm currently
using every 18 months. And 18 months isn't
something that it isn't
arbitrary, is what I'm trying to say. 18 months isn't arbitrary. Moore's law
says that every 32 months, the power of the technology
that we're using doubles. So if you've got technology that's
been on the ground for 32 months or more, it's probably time
to upgrade it, because the power that
you can get in that same equipment today
is going to be at least double what it was 36 months ago.
Well, that's all great. Especially Moore's law is a little
old. Now. Today, about every 18 months,
the power of the technology doubles.
So you want to make sure that you train yourself and your teams to
justify that technology. And by that, I mean to take a look at it and
say, is there anything better out there? If you're looking at firewalls and you're
looking at the big players, the Junipers, the Ciscos, the Check Points,
the Palo Altos, you're looking at those. If you've got one,
let's say, for the sake of argument, you're Cisco. Every 18 months,
your team needs to come back and say, yeah, Cisco is still the best answer
for us, and you want to make sure that you're training every
three months. I like my technology teams to train for five days
every three months. That doesn't necessarily mean they have to go away.
They may sit at their desk or stay home or do something
that's self paced learning. But every three months,
they need to train for five days, and we need to train more than one
person to do every particular thing. The old
saying, two is one and one is none, is very
real. Make sure that you've got more than one person trained to
do everything. You need at least two firewall drivers, at least two
network security administrators, at least two forensic experts.
Now, if you have, let's say, two forensic experts,
you know that both of them aren't going to have the exact same skills.
One of them is going to be a little ahead of the other one,
and that's okay. Figure out a way to challenge them so that they
keep one up and the other one, and keep learning and keep raising the bar
for each other. Look at your framework adjustments. Frameworks get adjusted.
Gosh, about every month anymore there's a release
that says CISA or NIST is considering changing some framework
somewhere, which means that down the line that framework
is going to get adjusted. You need to track those adjustments and say,
okay, what's NIST thinking? What's CISA
thinking? Where might this go? How should
our organization react to it? And the generally available releases,
you're going to have every twelve to 18 months, a generally available
release of every piece of software you've got.
Okay, so we want
to make sure that every twelve to 18 months,
no matter what, we're looking at our GA releases.
Sometimes those are PRN. If you're in healthcare, you know that that means as
needed, we're going to look at framework adjustments and generally
available release adjustments no matter what, every twelve to 18
months. And certainly as needed, the vulnerability
assessments, you need to be doing those daily. And by that I mean
you're going to be scanning your networks. You're not going to scan the whole network
all at once. I think anybody that's been a CISO got
really happy and turned on their
vulnerability scanner, got 9 million items for every
thousand employees they had, and sat around
scratching their head going, wow, that's amazing. And then they realized
that the call log to the help center went nuts during that
time frame and they're going to be wondering why they go nuts. Well,
the bandwidth utilization to do those scans is usually a little more extreme than just
daily operations. So what you're looking at is a situation
where you can scan a network and decrease the bandwidth to the point that
the network appears to be down to the end user.
Not a good place to be. So scan small network
segments daily. Scan something every day, but make it a different segment.
Unless something gets wonky on one of your
scans and you want to redo it, scan the next segment. Keep moving,
keep those scans going and that clock is going to keep on ticking. You're going
to be doing risk assessments at least annually or
as needed, if you have a new product, service, or a new piece of gear.
You're going to do code reviews. DevOps and software
development are team sports. Code reviews are
a real deal. Isolated programmers
creating magic. Doesn't happen very often. Again,
those people are unicorns. Normally you're going to
want to have more than one person reviewing the code that comes out
to see if it's efficient, to make sure there's nothing missed, to make sure that
all the security parameters you can are dialed into that code.
Your patches every week. You want to make sure you don't have any
patches for anything or as needed.
That is one of those things. If we look at Spectre and Meltdown.
Spectre and Meltdown come out, I'd read up on them. We made a
decision on what to do and I'm sitting around the day of the board meeting
that I'm not scheduled to be at, thinking I might want to
be ready to go to this particular board meeting. And time goes by and I
think, well, I'm going to be missing this one. Oh,
no. Still got to go to the board and say, hey,
the Spectre and Meltdown thing, that's a problem. What are we going to
do? And then I had to explain that, yes, it is a vulnerability.
Yes, we do have it. No, at this point in time,
nobody's weaponized that vulnerability. Yes, there is a
patch out. At that point in time, Microsoft had a patch,
but our tests have found that if we patch the servers
we have in production today, it won't
kill them, but they'll run so slow that the end user will think that they're
down. So that's not something we can do. We're going
to have to trust our perimeter security, trust our behavior
analytics, and make sure that we're watching our log aggregation
and the AI inside is tuned up and telling us what's going
on because we really don't want to patch Spectre
and Meltdown right now. And I think everybody went through the same kind of
thing and they're all the people that I know in information security going,
well, you're going to have to wait for a new generation of processors before
we can do anything with it. That sort of
thing happens from time to time. And you're going to find things like the
SolarWinds utilization of a software
repository didn't go exactly like they thought it would.
Those kind of things are going to happen. There's just no way around it.
What you want to make sure you do is have your business continuity
management in place so that you have a place to back up, back off and
make sure that everything you're doing can be restored.
System configuration always happens pre production. You never
put a system in and produce it.
And the roadmap that you're going to have for cybersecurity for
any organization better include these nine items. Your security education,
training and awareness program. Who are your stakeholders?
Who are they? Well, senior management, the board and heads of the lines of
business and anybody else that might be a key player for
you. Watch your numbers, watch your budget numbers, your number of employees,
your burn rate. Burn rate is a term that you're going to hear
venture capitalists use. Burn rate simply means, what does it
cost to keep the doors open every day? So, for your information security
program, you should be able to tell your senior management team,
your board of directors, anybody that asks, this is our burn rate. It costs us
this much every day or this much every month to keep information security
going. You should know that number. You should also be
able to show what the organization is getting for that number
and know your four p's or your five p's, depending on how you look at
them. Your policies, your procedures, your processes,
your projects, all those four things make up a program.
So programs, policies, procedures, processes, and projects,
you got to know them. What's your security architecture? Are you too tall?
If you're too tall, too hierarchical, you're not going to be able to shut down
segments efficiently without downing entire work
groups that you don't intend to down. You want your network to be
as flat and as horizontal as possible. So if you do have something
that happens to one network segment, oh, let's say ransomware
happens, if that happens, then you can close that segment down.
You can isolate it, you can do your forensics on it, you can
maintain your chain of custody on it, and you can handle the problem without
it affecting the rest of your network, the rest of your plant.
Make sure that your assets have been identified. Business continuity
planning, disaster recovery planning. You got to have it. You got to
understand it. You got to understand your recovery time objective, your recovery
point objective, and your maximum allowable downtime. The business
impact analysis is the tool that you should,
if you're not involved in it, you should get involved in, because the BIA,
the business impact analysis, will rank every process in the entire
organization for every line of business, and then
it'll tell the IT folks, this is the most important
process. That gives them the ability to say, that process runs on that
system. So that's the most important system we've got. We need
to make sure that either doesn't go down or can come back up within our
recovery point objectives. Recovery time objectives, and certainly
within the maximum allowable downtime.
Training, training, training. I think we made
the point on training. If we haven't, give me a call. We'll talk about
it. Five areas where successful CISOs excel.
Well, CISOs are usually smart, but they're also emotionally smart.
They also have their emotions in check, so their IQ and their EIQ are
in line. They have the ability to communicate. They have the ability
to talk to the board of directors, the senior management team, align a business or
an audience, such as yourselves, and they
have technical kung fu instead of Krav Maga.
If you know anything about martial arts, you understand that kung fu
is a very elegant art form. Krav Maga
is extraordinarily brutal. You really want to
strive for technical kung fu versus Krav Maga.
Now, we've all thrown stuff together to get it running in the middle of the
night, and at 9:00 in the morning, you're going,
darn, we were up all night, and we've got this combo together, and we still
got 72 things we need to do to make it stable.
We've all been there, but as much as possible, work your way out of that
and get back to the elegance that, you know, your technology should have.
High performance team building. Every successful C
level, anybody, doesn't matter if it's a chief financial officer,
chief operating officer, chief information officer, chief technology officer,
chief information officer, or chief information security officer
has the ability to put high performance teams together.
If they don't, I'd suggest that the board needs to find somebody else.
The third party risk management. Got to do
it. You got to understand how to handle third party risk
today, because your vendors, vendors,
vendor could be the Achilles' heel in your organization.
If you're not doing third party risk management, you're not doing it correctly. You're never
going to find that out. Again, what you don't see, what you
don't know, can kill you. And remember, you're always going
to be measuring, assessing and planning. You're always
going to be going through this loop. Measure it,
assess it. It's a gap assessment. And then what's the plan to close
the gap? Very simple stuff. Measure,
assess, plan, map.
The information security department, the people in it, and the organization it
serves. Sounds simple. It'll take you a little time,
but it's very insightful. It's a very insightful task or
set of tasks. Very insightful project. Let's call it what it is. It's project,
and we want to make sure that we're developing organizational
specific tools to accurately determine the capabilities
and operational readiness of the department.
My big tell on operational readiness, when we work
with clients or somebody comes to me and says, I think
I'm good to go, you want to take a walk through with me? The first
question I ask them is, well, show me your SOC, your security operations
center. They may say, well, we don't have a SOC. We've got a
NOC. A NOC isn't exactly the same
as a SOC. Network operations centers and security operations centers
do have overlap, not the same. A good SOC should
have the ability to manipulate network segments and perform
some exhaustive forensics from the SOC. I would submit
that a network operations center doesn't have a
need to do that. Sometimes I get a
little blowback on that. But for the most part, the C-level
people that I work with really understand that you want to make sure that
you've got a security operations center because it's going to be doing
a set of tasks with a set of tools that are different from
what the technology folks, the IT folks, are doing.
And you want to make sure that you're creating the people, processes and technology roadmaps
for your entire information security department.
You're going to measure the department, the people, the organization it
serves, and you're going to assess same department,
people organization over and over again.
We're going to do this and then you're going to plan same thing for
this department, for the people, and for the organization that
you're going to create that information security plan for your entire organization.
You're looking at that team, you're looking at your information technology team.
You're looking at your third parties. You're assessing them.
You're making sure that they understand that you're going
to plan the work and work the plan, that you've got a strategic plan and
you've got some tactical plans. You need to share those.
That's where your competition or speculation comes in. What is your strategy?
What are your tactics? That should not be something that's
a secret. If it's a secret with a closely held group, well,
it's not a plan. Plans are something you can lay out on the table and
show everybody, this is where we're going, this is how we're doing it.
This is what it looks like. Please feel free to come on down,
do whatever you want, and you're going to measure your progress against your plan.
Plans have to have a timeline on them. And as Elon Musk
said, if you allow a project to take a month, it'll take a month.
If you allow it to take a week, it'll take a week. Same project.
He's right. You've got to measure your progress, put a timeline on it that's
realistic and measure the progress against it.
Demonstrate your program's effectiveness,
demonstrate the process effectiveness that you have within
your program and demonstrate the level of security that you have
to your senior management team, the heads of the lines of business and your board
of directors. And make sure that you constantly,
constantly, constantly are measuring, assessing, and planning your industry,
your organization's lifecycle position within the industry.
You're always looking at the industry expanding or contracting.
When you're looking at those things, see if there are ways that you can
actually help your company disrupt the industry.
You're always looking for that disruption potential. Make sure that you have critical
infrastructure designations in your
mind. The Homeland Security Department has 17 or 18
critical infrastructure designations. If you're one of those,
there's a lot of help out there for you. If you're in the finance industry,
defense industrial complex, healthcare, communications, that sort
of thing, they being the Department of Homeland Security and
the whole federal government, have a lot of resources. And make
sure that you don't have too much culture shock for you or any new
people you bring on. If you're looking at that operational readiness,
we want to make sure that we absolutely, positively, as we
talked about, looked at that BIA, RPO, RTO and
maximum allowable downtime. And in the
business impact analysis, everybody can't be number one. You've got to
define that criticality which comes from the tone
from the top. And you want to make sure that you also have disaster
recovery, pandemic planning and incident response in your
business continuity management plan. And you want to make sure that
you understand disaster recovery only recovers three
things. We recover people, facilities, and systems. We recover
them in that order. And the reason we do it is because if we don't
have people, we don't need facilities. If we don't have people or facilities,
we certainly don't need systems. So we recover the people, put them
in facilities or send them home. Home is a facility,
and we make sure they've got the systems they need. And we're going to assess
risk. We're going to look for the context that a risk
has. We're going to identify it, analyze it, and then we're going to look at
handling it. We're going to accept it, mitigate it, transfer it, avoid it or exploit
it. And risk analysis is really simple. You should have a risk appetite
statement. If you don't, the thing I would encourage you to do is simply ask
your chief financial officer what's a material loss.
Now, I've done that before, and when I asked the first time,
the CFO said 25,000.
I asked him five years later and he said 300,000. So the risk appetite
of the organization moves. The risk appetite of the organization
in different areas also moves. But you're always, always going
to be looking at the threat times the vulnerability times the consequences,
which gives you your inherent risk. Your inherent risk minus
your risk mitigation is going to give you a residual risk and you're going to
be doing things that look like this. That's the same inherent
risk you just calculated it. It moves to the next equation
and you're going to put simple things together like this.
The earthquakes in Oklahoma are something that we lived through prior
to the early OS. We may have had one or
two earthquakes every year or two,
maybe in 2009, we had almost
1000 earthquakes in Oklahoma. Virtually every
square mile of Oklahoma had an earthquake in it.
So while the probability pre 2009
was close to one, it wasn't zero, but it was close to one.
The probability during 2009 was close to 100%.
So those risks are going to change and you're going to be doing risk assessments
that are going to look like this. And of course this
is online for you to go back and look at later and you're going to
expand them that look like this. And these
are the risk assessments that you need to be doing. And you need to be
aware of change management and how
change management differs from the Internet of things all the way through the
SDLC. DevOps has a change management
style that's different. Agile has a change management style
that's different. You need to understand those and adapt to them.
Now, how do you adapt since
we really have no logical alternative? Well,
you look at your hard skills and your soft skills, you look at your comfort
zone, and then you always surround yourself with smarter people. They're going
to help you figure out alternatives, logical alternatives,
alternatives that will work in your environment. And that's really what you want.
You want to make sure that you can do exactly
what you're planning. You want to be able to measure your skills with a skill
matrix, your EIQ, you can use a Myers-Briggs,
you can use a DiSC assessment, you can use True Colors, any of
those. Don't just do it for you, do it for your entire team.
It will help you put together a better team. Look at your risk
appetite, look at your obsolescence. What is
your end of life looking like for every piece of equipment you've got?
Your team's composition, what are their hard skills, what are their soft skills?
Where do they need help? Where do they need to be trained up?
Be willing to invest in your team, get them
certifications, get them more than one. There's always, same
certification slide, always a way to do it, always a way to make
it happen, even if it's lunch and learns. And remember, not everybody can
get all the way over to the growth zone. A lot of people are stuck
in comfort. They hit that fear zone when we start talking about certs.
To get them over it, you've got to get them through the learning zone,
and that's repetition, repetition, repetition,
repetition. And let's have a few final thoughts here, since we're
running a little long. I always like to make sure that the wire
is done right up front, that your network infrastructure is perfect.
And for my money, you cannot have too much memory. Spinning disks?
Well, they're a little archaic anymore.
It costs a little more to get some SSD, but I'm going to submit
that it's kind of the way to go. I've had a lot of
good luck with it over the last five years. Some of the early fits and
starts seem to have worked out, so I don't really have a problem with it.
Asset management, you got to know what's on the wire. When the wire's working,
you got to know what's on it. Make sure you know what's on your wire.
Personnel. People can be your best asset,
so take care of them. And CISA
has released its best practices to save you from being
disrupted by ransomware. Filtering network traffic to
prohibit ingress and egress communications with known malicious IP
addresses. Very important strong spam filters.
Phishing. A set of programs. Security education, training and awareness.
Extremely important. Implementing robust network
segmentation between information technology and the operational
technology networks is critical. Regularly testing manual
controls. If it's manual, you got to test it at least every week and
ensuring that backups are implemented and regularly tested. Backups should
be tested every day. You don't have a good backup unless you've tested it isolated
from your network connections. Oh my gosh,
let's get our backups off of our network connections.
You got to do that or you end up backing up the
cryptography that's encrypting your network with ransomware.
So when you go to restore, you're just restoring a bad situation.
Don't want to do that. And again, please don't hesitate
to connect with me on social media. Send me feedback
on what you thought about the program. And please
have a good day. Make sure that you're doing
everything you can to stay secure and, if you want to be a chief
information security officer, that you keep a career
map in your mind and go ahead and write it out, plan it
out, map it out for you so you can be
a world class CISO. That's all I have for you today.
Thank you for your time and attention. I look forward to
hearing from you in the near future.
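The risk arithmetic the speaker walks through above (threat times vulnerability times consequence gives inherent risk; inherent risk minus mitigation gives residual risk; residual risk is then judged against the organization's risk appetite, the CFO's "material loss" figure) can be turned into a small risk-register calculation. The program below is an added example written for this transcript, not code from the talk or from the speaker; every figure in it is constructed sample data. It assumes threat and vulnerability are likelihood-style factors between 0 and 1, consequence and mitigation are loss amounts in currency units, residual risk is floored at zero, and the only two handling outcomes it proposes are "accept" (within appetite) and "mitigate" (over appetite); the transfer, avoid and exploit options the talk lists are left to the business and not modelled here.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one row of a constructed risk register (sample data, not real figures).
// Threat and Vulnerability are likelihood-style factors in [0, 1]; Consequence is
// the loss in currency units if the event happens; Mitigation is the expected
// loss removed by the controls already in place (an assumption of this example).
type Risk struct {
	Name          string
	Threat        float64
	Vulnerability float64
	Consequence   float64
	Mitigation    float64
}

// Inherent follows the talk's formula: threat x vulnerability x consequence.
func (r Risk) Inherent() float64 {
	return r.Threat * r.Vulnerability * r.Consequence
}

// Residual is inherent risk minus mitigation, floored at zero so that
// over-mitigated rows cannot report a negative loss (assumption of this example).
func (r Risk) Residual() float64 {
	res := r.Inherent() - r.Mitigation
	if res < 0 {
		return 0
	}
	return res
}

// Handling compares residual risk with the risk appetite (the CFO's "material
// loss" figure). Within appetite the risk can be accepted; above it, more
// mitigation is needed. Transfer, avoid and exploit are not modelled here.
func Handling(r Risk, appetite float64) string {
	if r.Residual() <= appetite {
		return "accept"
	}
	return "mitigate"
}

// Assessment is one evaluated register row, ready to rank and report.
type Assessment struct {
	Name     string
	Action   string
	Inherent float64
	Residual float64
}

// Assess evaluates every row against the appetite and returns the rows sorted
// by residual risk, highest first, so the register reads top-down by priority.
func Assess(register []Risk, appetite float64) []Assessment {
	out := make([]Assessment, 0, len(register))
	for _, r := range register {
		out = append(out, Assessment{
			Name:     r.Name,
			Action:   Handling(r, appetite),
			Inherent: r.Inherent(),
			Residual: r.Residual(),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Residual > out[j].Residual })
	return out
}

// SampleRegister returns constructed sample rows; none of these are real figures.
func SampleRegister() []Risk {
	return []Risk{
		{"ransomware on file servers", 0.6, 0.5, 2_000_000, 200_000},
		{"phishing credential theft", 0.8, 0.4, 500_000, 100_000},
		{"third-party vendor breach", 0.3, 0.5, 1_000_000, 50_000},
		{"data center earthquake", 0.01, 1.0, 3_000_000, 0},
	}
}

func main() {
	appetite := 300_000.0 // constructed "material loss" figure from the CFO
	for _, a := range Assess(SampleRegister(), appetite) {
		fmt.Printf("%-28s inherent %10.0f  residual %10.0f  -> %s\n",
			a.Name, a.Inherent, a.Residual, a.Action)
	}
}
```

Raising the earthquake row's Threat factor, as the speaker describes happening in Oklahoma, pushes that row up the ranking without any other input changing, which is the point of keeping the factors separate rather than scoring a single "likelihood" number; and re-running Assess with a new appetite is how the register is re-evaluated when the CFO's material-loss figure moves.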