

PLAZA AMERICA TOWER II • 11710 PLAZA AMERICA DR. • SUITE 520 • RESTON, VA 20190 • PHONE: (703) 467-2000

WWW.KNOWLEDGECG.COM

KCG CISO Framework

The CISO’s Rise to Prominence

The Chief Information Security Officer (CISO) role has grown to prominence in the last ten years as technology continues to evolve and dominate our lives. The role has evolved from being an afterthought to being at the forefront of today’s digital world as we see more cyber attacks affecting our digital information and assets. As the role becomes more prominent, so do the requirements and challenges that affect us on an almost daily basis. CISOs continually receive new and sometimes competing requirements that force them to constantly re-evaluate the direction of their program and adjust course appropriately. The main inhibitor tends to come back to pure dollars and cents and the ability to make investment decisions that yield the greatest impact on risk reduction. Filtering out the noise and identifying the most impactful changes becomes an overwhelming exercise.

Making Sense of the Constant Changes

Federal CISOs must constantly evaluate the drivers that affect their programs, including the myriad changes from the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the Federal Information Security Management Act (FISMA). KCG brings over 10 years of corporate experience focused purely on cyber security. We leveraged our experiences at over 25 different Federal clients to develop KCG’s CISO Framework. The CISO Framework provides a formal approach and methodology for Assessing, Planning, Building, and Executing effective cyber security programs. Our framework, depicted below, provides CISOs with the means to efficiently and effectively understand the current state and maturity of their program and the impacts of new drivers and requirements on their strategic and operational plans.

KCG CISO Framework

The framework can be used to evaluate a cyber security program and determine its maturity through the evaluation of the people, processes, and technology supporting the program. Conducting a program-level evaluation allows CISOs to identify areas of their program that have matured to the point that further investment yields low marginal return (diminishing returns for each dollar spent). The CISO Framework focuses on three key dimensions, moving from the center to the outer area. The framework utilizes a four-phased approach with a continuous lifecycle for maturing a security program through Assess, Plan, Build, and Execute. Security programs will continue to evolve as threats, technologies, and the regulatory environment change, and this approach ensures the program does not become stagnant.


The next dimension incorporates the key functions of a security program through Governance, Risk Management, Compliance, and Operations. The following table provides an overview of each function.

Security Program Function | Description
Governance | Governance represents the formal mechanism for bringing mission, technology, and risk management together through organizational structures and committees. This establishes the “who” and the “what” for risk management strategies and decisions to be made at various levels of the organization and clearly delineates responsibility and accountability for performance.
Risk Management | Risk Management builds upon Governance to define the policies, processes, and stakeholders for identifying, assessing, prioritizing, mitigating/accepting/transferring, and monitoring risk on a continual basis.
Compliance | Compliance ensures the agency manages risk within the defined risk tolerance established through Governance and Risk Management. Policies defined by external regulatory requirements and internal requirements encapsulate the risk tolerance of the agency and must be monitored to ensure compliance on a continuous basis.
Operations | Operations serves the function of designing, implementing, and monitoring the security controls at the operational and tactical level. This function implements the policies defined in the Governance and Risk Management functions through operational and technical security controls.

The outermost ring of the CISO Framework represents the security capabilities or activities executed by the information security program within Governance, Risk Management, Compliance, and Operations. The capabilities will vary from agency to agency depending on the type of security program (pure oversight vs. operationally focused). The ring shows the major capabilities we typically see within security programs but is not an exhaustive list.

The CISO Framework can be applied and customized to meet the needs of any information security program and provides a means for CISOs to manage and evolve their program over time. The threat landscape is ever-changing, but cyber security remains rooted in the same underlying principles represented in our CISO Framework. KCG brings the expertise and experience to help CISOs meet present and future demands by bringing best practices and innovation based upon our CISO Framework. To learn more about our capabilities, please visit www.KnowledgeCG.com or contact us at (703) 467-2000 or [email protected].

About Knowledge Consulting Group

Headquartered in Northern Virginia, KCG is an award-winning information assurance services firm with expertise in providing cyber security services support. KCG’s role is often that of an independent trusted advisor to our client base. Organizations within the Department of Homeland Security (DHS), the Department of Justice (DOJ), the Department of Defense (DOD), Federal Agencies, and the Intelligence Community (IC) utilize KCG to act as an independent advisor providing cyber security services in the areas of Risk Management, Regulatory Compliance, Security Operations, and Security Governance. Our focus is on protecting the federal government from cyber threats while maintaining regulatory compliance and improving the organization’s security posture and situational awareness. One of the greatest challenges in today’s environment is providing cyber security professionals with relevant information security experience validated by relevant, industry-recognized certifications. KCG actively complies with DoD IA Work Force Management Objectives (DOD 8570.01-M) and, as a result, over 70% of KCG cyber security professionals possess active security certifications including CISSP, CISM, GIAC, GCIH, CISA, SSCP, CGEIT, and C|EH.