The Future of the CISO Role - RSA February 2017

Bill Brown, CIO and CISO, Veracode

Session ID: PROF-W03

#RSAC


TRANSCRIPT

Poll Question: Are you a CISO or top Information Security person?

How has our role CHANGED?

More visible

No longer a back office technology expert

Accountable as an Innovator and Strategic Business leader

Must be able to work across company leadership: Engineering, IT, Legal, Risk, Lines of Business, Public Relations, etc.

3 Simple Questions to ask Yourself

1. Am I helping to drive Innovation or am I slowing it down?

2. Am I an “Enforcer” or “Enabler”?

3. Am I communicating my security strategy effectively to my Executive team and Board?

#1 Am I helping to drive Innovation or am I slowing it down?

InfoSec “grew up” with a focus on Infrastructure security

Firewall Rules

Vulnerability Scanning

Application Security Testing

…as well as managing a backlog of Compliance and Customer Audits and Questionnaires

“Aspirations or Attestations?”

…but Infrastructure is now Code

Security/GRC becomes the innovation “wet blanket”

What is the effect on your speed of innovation?

The CISO remit must change

Security has its rightful place

So, what can you do?

Get InfoSec on the Scrum Teams

Secure application code, infrastructure AND environments from the start

Automate and integrate tools in the build process

Build in compliance auditing and reporting

#2 Am I an “Enforcer” or an “Enabler”?

CIOs AND employees now have a toolbox of “purpose-built” SaaS tools architected and designed with consumer-grade features

The widening perimeter of SaaS-based tools in use by employees is pushing CISOs into a position of saying WAIT or NO rather than saying HOW

“Shadow IT is back stronger than ever!”

… AND CISOs have a role in creating business value and employee enablement

So, what can you do?

monitor the perimeter for the use of these cloud applications by your employees

…and

enable those applications that are enterprise ready

they have a management console

user management via invitation and self-subscription

2FA & encryption tools

evaluate new ones that meet these criteria

…then

redirect users from the “unready” applications to sanctioned ones,

block others

#3 Am I communicating my security strategy effectively to my Executive team and Board?

Worldview of the Board

What are their biggest fears?

80% of respondents discuss cybersecurity at most or all boardroom meetings

More than 70% indicated they have significant concerns about risk from third-party software

Meeting Board Expectations

Breach readiness and breach response are hot discussion topics

They want to know you have a programmatic approach

Speaking strategically can gain confidence in your security agenda

Concepts to get across

There is no such thing as a breach-free organization

Cyber security is a company-wide responsibility

Cyber security needs to be thought of as a long-term strategy

What they want to know about

Breaches in similar industries

Key trends in successful attacks

Who is out to attack our company and why

What you also want them to know

Describe top 5 cyber risks the company faces and level of exposure to each

Let them know what you’re working on

How you compare to peers

How your program is stacking up

So, what can you do?

You will only get 5-15 minutes devoted to the cybersecurity topic

Prepare an appendix for anything beyond a few key indicators

Do not use acronyms - think “denial of service” not DDoS

Use visuals not text

Use analogies & comparatives

Provide a scorecard to illustrate progress

Use Benchmarks and Comparatives

Provide a Scorecard

So… Who are You?

1. Innovation Driver?

2. “Enabler”?

3. Communicator?

Key Takeaways

As the CISO, you need to embrace the role of driving innovation

Your company needs you to “enable” employees to be more productive

Your Executive Teams and Boards need you to provide an accurate picture of your InfoSec program and how you are measuring up

At the end of the day, they want to have a good story that we did everything possible to prevent and prepare for a breach

What to do next…

Next week you should:

See where your team is slowing engineering innovation

Assess your awareness of the use of cloud applications by your employees

Ensure you know the Information Security concerns of your Board

In the next quarter you should:

Focus on your skills as a Driver of Innovation and as a Communicator

Engage with peers to develop your Board Update Template

Thank You!

Q & A

[email protected]

@BillBrownUSA