#RSAC
The Future of the CISO Role - RSA February 2017
Bill Brown, CIO and CISO, Veracode
Session ID: PROF-W03

How has our role CHANGED?
- More visible
- No longer a back office technology expert
- Accountable as an Innovator and Strategic Business leader
- Must be able to work across company leadership: Engineering, IT, Legal, Risk, Lines of Business, Public Relations, etc.

3 Simple Questions to ask Yourself
1. Am I helping to drive Innovation or am I slowing it down?
2. Am I an “Enforcer” or “Enabler”?
3. Am I communicating my security strategy effectively to my Executive team and Board?

InfoSec “grew up” with a focus on Infrastructure security
- Firewall Rules
- Vulnerability Scanning
- Application Security Testing
…as well as managing a backlog of Compliance and Customer Audits and Questionnaires
“Aspirations or Attestations?”

So, what can you do?
- Get InfoSec on the Scrum Teams
- Secure application code, infrastructure AND environments from the start
- Automate and integrate tools in the build process
- Build in compliance auditing and reporting

CIOs AND employees now have a toolbox of “purpose-built” SaaS tools architected and designed with consumer-grade features
The widening perimeter of SaaS based tools in use by employees is pushing CISOs into a position of saying WAIT or NO rather than saying HOW
“Shadow IT is back stronger than ever!”

So, what can you do?
- Monitor the perimeter for the use of these cloud applications by your employees
…and
- Enable those applications that are enterprise ready: they have a management console, user management via invitation and self-subscription, and 2FA & encryption tools
- Evaluate new ones that meet these criteria

Meeting Board Expectations
- Breach readiness and breach response are hot discussion topics
- They want to know you have a programmatic approach
- Speaking strategically can gain confidence in your security agenda

Concepts to get across
- There is no such thing as a breach-free organization
- Cyber security is a company-wide responsibility
- Cyber security needs to be thought of as a long-term strategy

What they want to know about
- Breaches in similar industries
- Key trends in successful attacks
- Who is out to attack our company and why

What you also want them to know
- Describe the top 5 cyber risks the company faces and the level of exposure to each
- Let them know what you’re working on
- How you compare to peers
- How your program is stacking up

So, what can you do?
- You will only get 5-15 minutes devoted to the cybersecurity topic
- Prepare an appendix for anything beyond a few key indicators
- Do not use acronyms - think “denial of service” not DDoS
- Use visuals not text
- Use analogies & comparatives
- Provide a scorecard to illustrate progress

Key Takeaways
- As the CISO, you need to embrace the role of driving innovation
- Your company needs you to “enable” employees to be more productive
- Your Executive Teams and Boards need you to provide an accurate picture of your InfoSec program and how you are measuring up
- At the end of the day, they want to have a good story that we did everything possible to prevent and prepare for a breach

What to do next…
Next week you should:
- See where your team is slowing engineering innovation
- Assess your awareness of the use of cloud applications by your employees
- Ensure you know the Information Security concerns of your Board
In the next quarter you should:
- Focus on your skills as a Driver of Innovation and as a Communicator
- Engage with peers to develop your Board Update Template