
90 Day Security Strategy: Ready, Set, Go Mr. & Mrs. CISO!

Post-Conference Summary

Todd Fitzgerald, Global Director Information Security

Grant Thornton International, Ltd.

Wednesday March 2, 2016 3:20-5:20pm West Room 2024

Thursday, March 3, 2016, 3:20-5:20pm West Room 2024


Table of Contents

EXECUTIVE SUMMARY (p. 3)

INTRODUCTION (p. 4)
  Attendee Experience Level (p. 4)
  Session Pre-Work (p. 4)
  Congratulations, you are The New CISO! (p. 4)
  Oh yeah, and Did We Mention 90 days? (p. 5)

THE SECURITY STRATEGY PROCESS (WORKSHOP AGENDA) (p. 5)
  1. Introductions (p. 5)
  2. Why were YOU hired? (p. 6)
  3. Security Vision Statement (p. 7)
  4. Where are My Crown Jewels? (p. 8)
  5. Mind mapping our way to Protection (p. 9)
  6. Planning the Next 5 Years (p. 10)
  7. Presenting to the Board (p. 11)

APPENDIX A- MIND MAP SAMPLES (p. 12)

ABOUT THE FACILITATOR (p. 24)


Executive Summary

The 90 Day Security Strategy Learning Lab comprised 64 senior CISOs and other senior-level security leaders interested in developing their company's information security strategy. The sold-out 2-hour workshop was held twice at the 2016 RSA Conference and was very interactive, leveraging the knowledge and sharing of the participants.

The following sections include a facsimile of the materials used in the workshop, as well as insights from the work created in each section. The contributions of the workshop participants are noted in the "Workshop Insight" call-outs in each section. This document may be used as a reference for developing an information security strategy. Think of this workbook as a set of Lego pieces, each of which may be assembled in different ways to create the security program. In the end, there is always a pile of pieces not used today… but they may be relevant for the next Lego project!

I hope you enjoy the materials and they are as valuable to you as the session was to the workshop participants and myself. If you like what you see and would like to participate in the future, be sure to arrive early for this workshop at the 2017 RSA conference!!!

Thanks to everyone that shared their experience and helped others through participation in the workshop!

Sincerely,

Todd Fitzgerald

Global Director Information Security, Grant Thornton International, Ltd.


Introduction

One of the key job responsibilities of a new CISO in an organization is to develop an information security strategy. Where should the CISO begin? What could go wrong? How do you get support so that the strategy becomes more than shelfware or a pretty picture? This session discusses what makes an effective strategy and reviews experiences that have worked well and not so well.

Attendee Experience Level

This session is focused on security leaders who are new to their organization, or new to the role of the CISO. While you may be very experienced in leading security efforts, implementing technical security solutions, auditing controls, or managing security compliance, your role is now to develop an information security strategy and lead the organization. You may also be an experienced security leader who wants to take the opportunity to learn and share experiences with others, as well as enhance your own security strategy.

Session Pre-Work

As a busy professional, you have none, except this: come prepared to share what information you would like to protect and where some of the opportunities for improvement within your security program may be. We can all learn from each other, so please come prepared to discuss your viewpoint!

Congratulations, you are The New CISO!

Congratulations, after an extensive job search you have been hired as the new information security leader for your company. You may have the title of Chief Information Security Officer (CISO), VP Information Security, VP Information Risk Management, VP Data Protection, Director of Information Security, Security Manager, Security and Privacy Manager, or who knows what; the job requirement is the same….

YOU WILL KEEP THE COMPANY OUT OF THE HEADLINES.

PERIOD.

It does not matter if this is your first rodeo or your twentieth: this rodeo will be different from the last horse you rode. The challenges of staying on your horse will be the same… and different.


YOU MAY BE WONDERING… WHY DID I GET ON THIS HORSE?

Today, we will explore some of the steps that are necessary to ensure that you get to ride the horse for more than 15 seconds, and that if you do fall off, you know how to get back on.

Oh yeah, and Did We Mention 90 days?

We can't take our whole lives to figure out how to mount our darling bucking horse of an organization; saddle up and let's go! We only have 90 days, and that nice person who hired you will be looking for a 12-18 month and a 3-5 year strategy (or it may be advisable to prepare 3 envelopes…)

The Security Strategy Process (Workshop Agenda)

No  Agenda Item                                    Time
1   Introduction – Let's get to know each other    5 min
2   Why were you hired?                            15-20 min
3   Preparing a security vision statement          15 min
4   Where are my crown jewels?                     20 min
5   Mind mapping our way to protection             20 min
6   Planning the next 5 years                      20-25 min
7   Presenting to the Board                        15 min
8   Wrap-up                                        5 min

1. Introductions

(GROUP ACTIVITY)

Name

Company

Title

What I do for fun (non-security related)


2. Why were YOU hired?

We know you are good. We know you are the best, or you would not be at the RSA Conference, right? There must have been a reason why YOU were hired above all the other candidates. (TABLE DISCUSSION)

1) Why did they want you?

2) Why did you decide to take this job/role above any others?

WORKSHOP INSIGHT: We used a high-energy technique in the workshop to have everyone meet as many people as possible in under 3 minutes. Some people met and introduced themselves to as many as 20 people!! – How often do we go out of our comfort zone in our organizations to introduce ourselves to new stakeholders? If we can meet 20 new people in 3 minutes, surely we can find time to have security conversations with many people in our organization to build our strategy.

WORKSHOP INSIGHT: The reasons were as varied as the people in the room. If we do not understand why we were hired, why the predecessor is no longer there, or why we are the first CISO, we are at a disadvantage. We can make the mistake of assuming that we know the answers without having the context of why the decisions were made. We need to first understand the culture of the organization by listening and observing for the first 30-45 days. Resist the urge to communicate 'your plans', as there is probably something that was missed, such as the technology you want to eliminate being the brainchild of the person whose support you most need for your security efforts!


3. Security Vision Statement

WORKSHOP INSIGHT: Developing a vision statement seems on the surface like an easy exercise. However, get 8 people together and it is clear that it is anything but easy! Security professionals tend to be very detailed and analytical; some of the vision statements were very lengthy and included everything. To create a valuable vision statement, it should 1) reflect the core values of the organization, 2) be aligned with the mission, and 3) be brief, so that others, not just security professionals, can get excited about why we need to do what we need to do.


4. Where are My Crown Jewels?

WORKSHOP INSIGHT: Without knowing what to protect, we end up trying to protect everything to the same level. None of us have the resources to achieve this. Therefore, we need to identify exactly what we are protecting. Different industries will have different assets that need protection. It is worthwhile to write these on post-it notes and then group the post-it notes into themes. This can be done with the business users across the organization. Across the group of 64 security leaders in each workshop, several hundred different 'crown jewels' were identified!!!


5. Mind mapping our way to Protection

WORKSHOP INSIGHT: Mind maps are a very effective way to encourage free-form thinking. The goal of mind mapping is just to get the ideas down on paper and branch off from them without evaluating them. This is a very quick way to determine the functions needed in the organization. The appendix shows several of the mind maps generated in the workshop. The mind maps help us determine what we 'should' be doing.


6. Planning the Next 5 Years

Planning worksheet (five blank rows for the participant's own initiatives; "Mat" is the maturity level, using the scale below):

No  Mat  12 Months  24 Months  Mat  3-5 Years  Mat
1
2
3
4
5

Maturity Levels:

0 = Nonexistent: no evidence of practice or standard

1 = Initial: ad hoc and inconsistent

2 = Repeatable: consistent overall approach, but mostly undocumented

3 = Defined: documented approach, but lacks enforcement or measurement

4 = Managed: compliance is regularly measured and regular process improvements are made

5 = Optimized: compliance refined to best practice

WORKSHOP INSIGHT: The planning is where the 'rubber meets the road.' While it is all well and good to determine a) the crown jewels and b) what functions need to be in place to protect them (mind mapping), without a plan of action the strategy is, well, just a strategy. 3-5 years is long-term planning for most organizations; real progress needs to be delivered on 12-18 month and 3-year horizons. So pick the areas where the most critical crown jewels can be protected and where the functions that are lacking need further investment. Assessing the before and after risk is important to move these strategies ahead and retain management commitment.


7. Presenting to the Board

WORKSHOP INSIGHT: Now that the strategy is together, the board or senior leadership team needs to review and agree on the direction. Provide 3 slides containing the vision, the assets to protect, how they will be protected, and the plan and costs. Why 3? The board is very busy, and we need to communicate in easy-to-understand terms that focus the discussion. More slides can be placed in an appendix if necessary. The risk to the organization and the progress we are making to mitigate it will be of primary concern. This support at the top level is critical for the organization to become aligned with the security program.


Appendix A- Mind Map Samples

[The mind map samples on pages 13-23 of the original PDF are images and are not reproduced in this text version.]

About The Facilitator

Todd Fitzgerald, Global Director of Information Security, Grant Thornton International, Ltd.

CISSP, CISA, CISM, CGEIT, CRISC, CIPM, CIPP/US, CIPP/EU, PMP, ISO27000, ITILv3f, MBA

Todd Fitzgerald is the Global Director of Information Security for Grant Thornton International, Ltd., providing strategic information security leadership for Grant Thornton member firms supporting over 40,000 employees in 133 countries. Having led large-company information security programs for 18 years, Todd is a 2013 Top 50 Information Security Executive, a 2013-15 Ponemon Institute Distinguished Fellow, and the 2015 runner-up for the CISO of the Year Award Chicago by AITP, ISSA, and Infragard. He is the author of 3 information security leadership books (Information Security Governance Simplified: From the Boardroom to the Keyboard; CISO Leadership: Essential Principles for Success (ISC2 Press); and the 2014 Certified Chief Information Security Officer (C-CISO) Body of Knowledge) and a contributor to a dozen others. Todd is a frequent security presenter.