CXO-T11 - Briefing the Board: Lessons Learned from CISOs and Directors (RSAC session; John Pescatore and Alan Paller, SANS Institute; 44 slides)

Uploaded by trinhdung, 23-Apr-2018

TRANSCRIPT

Page 1:

#RSAC

CXO-T11 - Briefing the Board: Lessons Learned from CISOs and Directors

John Pescatore, Director, Emerging Security Trends, SANS Institute, @john_pescatore

Alan Paller, Research Director, SANS Institute

Page 2:

“Obviously, some people here do not appreciate the gravity of our situation.”

Page 3:

Measuring the Right Things – Having Something Business Relevant to Say to the Board

John Pescatore, SANS

Page 4:

Driving Security Change By Communicating Upwards

We mostly know what to do in security, and we can learn how to do our part.

The biggest obstacle to success is getting others to do their part.

Support from above is the most powerful force to break through.

Goal: Learn how to inform CEOs and Boards and convince them to back strategies to drive change.

Page 5:

What (Actually) Works?

Separate the hype from the reality of briefing the board

John and Alan's centuries of experience

Discussions with Directors and CISOs

Sessions in Scottsdale AZ, San Diego, Washington DC (2)

Page 6:

Why Do Some Do Better Than Others?

980 breaches in 2016 (781 in 2015). What did the other 9,020 of the F10000 do differently?

On average, 36K records exposed per breach (average = 215K in 2015). What did those who limited breach size do differently?

Almost invariably, the organizations with the least cyber incident impact have the strongest CISOs and security teams.

Source: Identity Theft Resource Center

Page 7:

Characteristics of Cybersecurity Success

Understand vulnerabilities and threats – critical table stakes

Know demands of particular industry/vertical/organization

Balancing demands: reduce threat impact to the business; reduce security impact to the business

Ability to effectively communicate and drive action: within the team, across the organization, upwards

Measurable results, connecting action to change to business benefit.

Page 8:

Shellye Archambeau, Director, Verizon, Nordstrom

Steve Martino, VP CISO, Cisco

Kim Jones, CISO, Vantiv

Gary Hayslip, CISO, City of San Diego

Jason Callahan, CISO, Illumina

Page 9:

Nick Fick, Director, Dartmouth University

Suzanne Vautrinot, Director, Wells Fargo, Symantec

Josh Davis, Qualcomm

Page 10: (placeholder slide marked "REPLACE SLIDE", no content)

Page 11:

Avoiding the same old noise…

Page 12:

Focus on protecting the business first

Effectively and efficiently and quickly

Make sure the solution isn’t worse than the problem

Business benefits, not security features

Is it Safe Enough for Us to Self-insure?

Page 13:

Useful Security Metrics Can:

Drive change: increase efficiency; increase effectiveness

Give warning: action required; investment required

Demonstrate value: compete for funds; motivate workforce; give the clueless a busy box

Page 14:

Delivering Security Efficiency and Effectiveness

Efficiency:

Decrease the cost of dealing with known threats

Decrease the impact of residual risks

Decrease the cost of demonstrating compliance

Maintaining level of protection with less EBITDA impact

Effectiveness:

Reduce business damage due to security failures

Increase the speed of dealing with a new threat or technology

Decrease the time required to secure a new business application, partner, supplier

Reducing incident cost, less down time, fewer customer defections; security as a competitive business factor

Page 15:

Steve Martino, VP InfoSec, Cisco

Page 16:

Sources of Examples

Page 17:

Some Real World Examples

Healthcare – using the Building Security In Maturity Model (BSIMM) to raise secure application development life-cycle maturity reduced time to market for a new app by 30% and reduced software development costs by 15%

Higher Ed - Intrusion Detection Rate increased 46%, corrective action costs decreased 35%

Financial – reduced PC reimaging due to malware from 4 per week to 1 every 3 months, and will enable the use of free AV on desktops

Services – firewall policy management tools enabled existing staff to reduce new connectivity approval from 2 weeks to 1 day.

Page 18:

Source: Kim Jones, Vantiv CISO at SANS Scottsdale AZ CISO Hot Topics Session

Page 19:

So You Just Got Invited To Brief the Board of Directors on Security

Alan Paller, The SANS Institute, [email protected]

August 2016, Washington, DC

Copyright 2016. SANS Institute

Page 20:

The Situation

The CIO emails the CISO saying that the Board of Directors is meeting next week; they want to be briefed on cybersecurity. You, the CISO, are on the agenda.

A big opportunity? Perhaps.

A high risk moment? Most certainly.

Page 21:

In Their Own Words

Shellye Archambeau

Member of the Board of Directors of Verizon, Arbitron, Nordstrom; CEO of MetricStream

Answers the questions: What does the board want to hear in your briefing, and what defines success for you?

Pages 22 to 29: (image-only slides, no extractable text)

Page 30:

Examples of BAD Slides ACTUALLY USED IN A FEDERAL Executive BOARD BRIEFING

Page 31:

Agency IT Risk Management (AITRM) Program

ISCM is a risk-based strategy to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Agency’s ISCM Strategy organizes the tools, processes, and information enabled by CDM and RISCS for an effective risk management framework.

Section I: Agency Cybersecurity Program Updates

In FY15, Agency updated its ISCM Strategy to align with new risk management projects and to reinforce an enterprise solution

Agency ISCM Strategy is 100% compliant with NIST ISCM and ongoing authorization guidance

As the Agency IT Risk Management program matures, Agency will revise its ISCM Concept of Operations

Page 32:

Agency IT Risk Management (AITRM) Program

AITRM integrates technical capabilities, reporting requirements, management processes, and the roles and responsibilities essential to mitigating risk, improving risk posture, and enabling risk-based decision making.

AITRM Program integrates risk information from multiple sources to enable an Agency-level, multi-tiered risk management approach:

Section I: Agency Cybersecurity Program Updates

CDM tools

RISCS modules

SOC Incident Management System data

Federal compliance metrics (e.g. FISMA)

IT Security Awareness & Training Center (ITSATC) compliance data

Page 33:

Four CISOs Who Found Effective Paths

Approaches that have worked:

Page 34:

CISO 1: Board Briefing

Plus:

1) FBI Director to validate the immediacy of the risk

2) CISO of a well known industry leader as a benchmark

Validated metrics of software security

Page 35:

CISO 2: Top Management Update

Continuous quarterly gap analysis vs the 20 Critical Controls

(Chart: a grid with one column per critical control category, 1 through 20, and one row per tier: QW (quick wins), Level 2, Level 3, Level 4. Each cell carries one of five statuses: Compliant; Compliant In Spirit; Work in Progress; Not appropriate for our culture; Gap with no current plan.)

Plus, continuous:

1) "Mean time to Detect Incidents" and "Mean time to Contain Incidents"

2) 4 key automated vulnerability metrics – rolled up quarterly

Page 36:

CISO 3: Reporting to Cabinet Secretary & Congress

90% risk reduction over 12 months

(Chart: risk measure over time from 6/1/2008 to 8/25/2009, y-axis 0 to 1,200 (units not given on the slide), two series: Domestic Sites, 89% reduction; Foreign Sites, 90% reduction.)

Page 37:

To be credible to management, metrics must be "authoritative and important and reliably measured".

How can you prove your metrics are authoritative and important (and reliably measured)?

The big idea: "Offense informs defense!"

Page 38:

Who Understands Offense?

Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make to block all known attacks?

NSA Red Teams

NSA Blue Teams

DoD Cyber Crime Center (DC3)

US-CERT

Top Commercial Pen Testers

Top Forensics Teams

JTF-GNO

Air Force OSI

Army Research Lab.

Dept. of Energy National Laboratories (Sandia, Los Alamos)

Page 39:

CISO 4: Major Utility

Let’s start with the results:

The Chairman of the Board told the CIO: “That’s the first time a security person has made sense.”

And then he made the CISO's budget "base", meaning it is funded automatically, just like emergency power line repairs.

Page 40:

20 Critical Security Controls

Sample Red/Yellow/Green Metric

(Chart: the 20 controls laid out as numbered tiles, each colored red, yellow or green, grouped into three areas: Protection From the Most Likely Attack Vectors (Prevention); Detection & Response; Identity, Access, Governance & Architecture.)
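As an added illustration of the two metric styles on the CISO 2 and CISO 4 slides above (this is example code written for this page, not material from the talk, from SANS or from any of the CISOs named), the Python below computes mean time to detect and mean time to contain per quarter from incident records, and rolls a per-control gap-analysis grid up into a red/yellow/green status per control group. The incident records, the grid cells, the severity ordering of the five legend values and the assignment of controls 1 to 20 into the three groups are all assumptions constructed for the example; the slides name only the groups and the legend.

```python
"""Added example for the metrics on the CISO 2 and CISO 4 slides: quarterly
mean time to detect / mean time to contain, and a red/yellow/green roll-up of
a 20 Critical Controls gap-analysis grid. Not from the RSAC deck; all records,
statuses, scores and control-to-group assignments are constructed."""
from datetime import datetime
from statistics import mean

# Constructed sample incidents: (id, occurred, detected, contained).
# contained=None means the incident was still open when the report was cut.
INCIDENTS = [
    ("INC-1", "2016-01-04T08:00", "2016-01-05T20:00", "2016-01-06T08:00"),
    ("INC-2", "2016-02-10T09:00", "2016-02-10T15:00", "2016-02-11T09:00"),
    ("INC-3", "2016-03-15T00:00", "2016-03-20T12:00", None),
    ("INC-4", "2016-04-02T10:00", "2016-04-02T16:00", "2016-04-02T22:00"),
    ("INC-5", "2016-05-20T00:00", "2016-05-21T00:00", "2016-05-21T12:00"),
]


def _ts(s):
    return datetime.fromisoformat(s) if s else None


def quarter_of(dt):
    return f"{dt.year}Q{(dt.month - 1) // 3 + 1}"


def incident_metrics(incidents=INCIDENTS):
    """Return {quarter: {"mttd_h", "mttc_h", "open"}} with times in hours.

    Incidents are bucketed by the quarter they were detected in, the first
    point at which the security team could act. Open incidents count toward
    MTTD but are left out of MTTC (not scored as zero), so an unresolved
    incident cannot improve the contain number."""
    by_q = {}
    for _id, occurred, detected, contained in incidents:
        occ, det, con = _ts(occurred), _ts(detected), _ts(contained)
        q = by_q.setdefault(quarter_of(det), {"detect": [], "contain": [], "open": 0})
        q["detect"].append((det - occ).total_seconds() / 3600)
        if con is None:
            q["open"] += 1
        else:
            q["contain"].append((con - det).total_seconds() / 3600)
    return {
        q: {
            "mttd_h": round(mean(v["detect"]), 1),
            "mttc_h": round(mean(v["contain"]), 1) if v["contain"] else None,
            "open": v["open"],
        }
        for q, v in sorted(by_q.items())
    }


# The five legend values from the CISO 2 slide. The severity score is an
# assumption for the roll-up: "not appropriate for our culture" is a
# management-accepted exception, so it is not counted as a gap.
STATUS_SCORE = {
    "Compliant": 0,
    "Not appropriate for our culture": 0,
    "Compliant In Spirit": 1,
    "Work in Progress": 2,
    "Gap with no current plan": 3,
}

# The CISO 4 slide names these three groups but not which of the 20 controls
# sit in each; this assignment is an assumption for the example.
CONTROL_GROUPS = {
    "Prevention": range(1, 8),
    "Detection & Response": range(8, 15),
    "Identity, Access, Governance & Architecture": range(15, 21),
}


def rag_rollup(grid):
    """grid: {(control_number, tier): status} -> {group: {"rag", "unmeasured"}}.

    Red if any measured cell in the group is an unplanned gap, Yellow if any
    is work in progress or only compliant in spirit, Green otherwise. A
    control with no cells at all is listed as unmeasured instead of being
    scored, so a blank row never quietly shows up as Green."""
    out = {}
    for group, controls in CONTROL_GROUPS.items():
        worst, unmeasured = 0, []
        for ctrl in controls:
            cells = [s for (c, _tier), s in grid.items() if c == ctrl]
            if not cells:
                unmeasured.append(ctrl)
                continue
            worst = max(worst, max(STATUS_SCORE[s] for s in cells))  # KeyError on a mistyped status
        rag = "Red" if worst == 3 else "Yellow" if worst >= 1 else "Green"
        out[group] = {"rag": rag, "unmeasured": unmeasured}
    return out


# Constructed sample: a handful of cells from the 20 x 4 (QW, Level 2-4) grid.
SAMPLE_GRID = {
    (1, "QW"): "Compliant", (1, "Level 2"): "Compliant In Spirit",
    (2, "QW"): "Compliant", (3, "Level 3"): "Not appropriate for our culture",
    (9, "QW"): "Work in Progress", (10, "Level 2"): "Compliant",
    (16, "QW"): "Gap with no current plan", (17, "QW"): "Compliant",
}

if __name__ == "__main__":
    for quarter, m in incident_metrics().items():
        print(quarter, m)
    for group, r in rag_rollup(SAMPLE_GRID).items():
        print(group, r)
```

Two choices in the roll-up are the ones an auditor will probe: still-open incidents are excluded from mean time to contain rather than scored as zero, and a control with no recorded status is reported as unmeasured rather than counted as green. Both keep the board number from drifting in a flattering direction when data is missing.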

Page 41:

Auditor Buy-in

One more benefit from using the validated Critical Controls

Page 42:

Summary

CISO’s perspective doesn’t necessarily match the Board of Directors’ perspective

What do I need to do? How much is enough? Whom can I trust to answer those questions?

What seems to work: Externally validated, prioritized framework (the Critical Controls) with a 3-year plan

Continuously showing improvement in important metrics

Page 43:

When You Get Back to Work

Make sure you are collecting the right security metrics so you can demonstrate value, improvement, danger – and connection to business goals.

Take advantage of any transitions coming: moving to Windows 10, cloud services, mobile apps, agile dev, etc.; M&A, re-org, new C-level management; audit results.

Prioritize by business impact – shoot for a near term win.

Change something!

Communicate upwards: successes, strategic obstacles, recommendations.

Page 44:

Resources

SANS What Works: https://www.sans.org/critical-security-controls/case-studies

CIS Critical Security Controls: https://www.cisecurity.org/critical-controls.cfm

By three methods we may learn Wisdom:

1. By reflection, which is noblest

2. By imitation, which is easiest

3. By experience, which is the bitterest

– Confucius