#RSAC
CXO-T11 - Briefing the Board: Lessons Learned from CISOs and Directors
John Pescatore, Director, Emerging Security Trends, SANS Institute (@john_pescatore)
Alan Paller, Research Director, SANS Institute
“Obviously, some people here do not appreciate the gravity of our situation.”
Measuring the Right Things – Having Something Business Relevant to Say to the Board
John Pescatore, SANS
Driving Security Change By Communicating Upwards
We mostly know what to do in security, and we can learn how to do our part.
The biggest obstacle to success is getting others to do their part.
Support from above is the most powerful force to break through.
Goal: Learn how to inform CEOs and Boards and convince them to back strategies to drive change.
What (Actually) Works?
Separate the hype from the reality of briefing the board
John and Alan’s years (centuries?) of experience
Discussions with Directors and CISOs
Sessions in Scottsdale AZ, San Diego, and Washington DC (two sessions)
Why Do Some Do Better Than Others?
980 breaches in 2016 (781 in 2015). What did the other 9,020 of the F10000 do differently?
On average, 36K records exposed per breach (average = 215K in 2015). What did those who limited breach size do differently?
Almost invariably, the organizations with the least cyber incident impact have the strongest CISOs and security teams.
Source: Identity Theft Resource Center
Characteristics of Cybersecurity Success
Understand vulnerabilities and threats – critical table stakes
Know demands of particular industry/vertical/organization
Balancing demands:
  Reduce threat impact to business
  Reduce security impact to business
Ability to effectively communicate and drive action:
  Within the team
  Across the organization
  Upwards
Measurable results, connecting action to change to business benefit.
Shellye Archambeau, Director, Verizon and Nordstrom
Steve Martino, VP CISO, Cisco
Kim Jones, CISO, Vantiv
Gary Hayslip, CISO, City of San Diego
Jason Callahan, CISO, Illumina
Nick Fick, Director, Dartmouth University
Suzanne Vautrinot, Director, Wells Fargo and Symantec
Josh Davis, Qualcomm
Avoiding the same old noise…
Focus on protecting the business first
Effectively, efficiently and quickly
Make sure the solution isn’t worse than the problem
Business benefits, not security features
Is it Safe Enough for Us to Self-insure?
Useful Security Metrics Can:
Drive change:
  Increase efficiency
  Increase effectiveness
Give warning:
  Action required
  Investment required
Demonstrate value:
  Compete for funds
  Motivate workforce
  Give the clueless a busy box
Delivering Security Efficiency and Effectiveness
Decrease the cost of dealing with known threats
Decrease the impact of residual risks
Decrease the cost of demonstrating compliance
Reduce business damage due to security failures
Maintain the level of protection with less EBITDA impact
Increase the speed of dealing with a new threat or technology
Decrease the time required to secure a new business application, partner or supplier
Reduce incident cost
Less down time
Fewer customer defections
Security as a competitive business factor
Steve Martino, VP InfoSec, Cisco
Sources of Examples
Some Real World Examples
Healthcare – Building Security In Maturity Model (BSIMM) increase in secure app dev life cycle reduced time to market for a new app by 30% and reduced software development costs by 15%
Higher Ed – intrusion detection rate increased 46%, corrective action costs decreased 35%
Financial – reduced PC reimaging due to malware from 4 per week to 1 every 3 months, and will enable AV-free use on desktops
Services – firewall policy management tools enabled existing staff to reduce new connectivity approval from 2 weeks to 1 day
Source: Kim Jones, Vantiv CISO, at the SANS Scottsdale AZ CISO Hot Topics Session
So You Just Got Invited To Brief the Board of Directors on Security
Alan Paller, The SANS Institute
August 2016, Washington, DC
Copyright 2016. SANS Institute
The Situation
The CIO emails the CISO saying that the Board of Directors is meeting next week and wants to be briefed on cybersecurity. You, the CISO, are on the agenda.
A big opportunity? Perhaps.
A high risk moment? Most certainly.
In Their Own Words
Shellye Archambeau
Member of the Board of Directors of Verizon, Arbitron and Nordstrom
CEO of MetricStream
Answers the questions:
What does the board want to hear in your briefing, and what defines success for you?
Examples of BAD Slides Actually Used in a Federal Executive Board Briefing
Agency IT Risk Management (AITRM) Program
Section I: Agency Cybersecurity Program Updates
ISCM is a risk-based strategy to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Agency’s ISCM Strategy organizes the tools, processes, and information enabled by CDM and RISCS for an effective risk management framework.
In FY15, Agency updated its ISCM Strategy to align with new risk management projects and to reinforce an enterprise solution
Agency ISCM Strategy is 100% compliant with NIST ISCM and ongoing authorization guidance
As the Agency IT Risk Management program matures, Agency will revise its ISCM Concept of Operations
Agency IT Risk Management (AITRM) Program
Section I: Agency Cybersecurity Program Updates
AITRM integrates technical capabilities, reporting requirements, management processes, and the roles and responsibilities essential to mitigating risk, improving risk posture, and enabling risk-based decision making.
AITRM Program integrates risk information from multiple sources to enable an Agency-level, multi-tiered risk management approach:
CDM tools
RISCS modules
SOC Incident Management System data
Federal compliance metrics (e.g. FISMA)
IT Security Awareness & Training Center (ITSATC) compliance data
Four CISOs Who Found Effective Paths
Approaches that have worked:
CISO 1: Board Briefing
Validated metrics of software security
Plus:
1) FBI Director to validate the immediacy of the risk
2) CISO of a well-known industry leader as a benchmark
CISO 2: Top Management Update
Continuous quarterly gap analysis vs the 20 Critical Controls
[Grid: columns are the 20 critical control categories (1 through 20); rows are the implementation tiers QW (quick wins), Level 2, Level 3 and Level 4. Each cell is colour-coded with one of five statuses:]
Compliant
Compliant In Spirit
Work in Progress
Not appropriate for our culture
Gap with no current plan
Plus, continuously:
1) “Mean time to Detect Incidents” and “Mean time to Contain Incidents”
2) 4 key automated vulnerability metrics, rolled up quarterly
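As an added example (not from the slides), here is how a CISO's team might compute the two continuous metrics named above, mean time to detect and mean time to contain, bucketed by quarter so the trend can be shown, and roll the 20-control gap grid up into counts per status for the board; the incident timestamps and control statuses are constructed sample values.

```python
from datetime import datetime
from statistics import mean
FMT = "%Y-%m-%d %H:%M"

# Constructed incident records (not real data): (intrusion start, SOC detection, containment).
INCIDENTS = [
    ("2016-01-10 08:00", "2016-01-14 08:00", "2016-01-15 08:00"),
    ("2016-02-20 12:00", "2016-02-22 12:00", "2016-02-22 18:00"),
    ("2016-04-05 00:00", "2016-04-06 00:00", "2016-04-06 12:00"),
    ("2016-05-15 09:00", "2016-05-15 21:00", "2016-05-16 03:00"),
]

# The slide's five cell colours for the control grid, plus a constructed status
# for each of the 20 controls (a real CISO fills this from the gap analysis).
STATUSES = ("Compliant", "Compliant In Spirit", "Work in Progress",
            "Not appropriate for our culture", "Gap with no current plan")
CONTROL_STATUS = dict(zip(range(1, 21), [STATUSES[0]] * 5 + [STATUSES[1]] * 3
                          + [STATUSES[2]] * 5 + [STATUSES[3]] * 2 + [STATUSES[4]] * 5))

def hours_between(start, end):
    """Elapsed hours between two FMT timestamps."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600

def quarter_of(ts):
    """Calendar quarter label such as '2016-Q1'."""
    dt = datetime.strptime(ts, FMT)
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"

def quarterly_mttd_mttc(incidents):
    """Mean time to detect and to contain, in hours, bucketed by detection quarter."""
    buckets = {}
    for started, detected, contained in incidents:
        q = buckets.setdefault(quarter_of(detected), {"detect": [], "contain": []})
        q["detect"].append(hours_between(started, detected))
        q["contain"].append(hours_between(detected, contained))
    return {q: (mean(v["detect"]), mean(v["contain"])) for q, v in sorted(buckets.items())}

def improvement_pct(previous, current):
    """Percent reduction from one quarter to the next; positive means faster."""
    return round((previous - current) / previous * 100, 1)

def gap_rollup(control_status):
    """Count controls per status and list those with no plan at all (the red cells)."""
    counts = {s: 0 for s in STATUSES}
    for status in control_status.values():
        counts[status] += 1
    return counts, sorted(c for c, s in control_status.items() if s == STATUSES[4])

if __name__ == "__main__":
    for q, (mttd, mttc) in quarterly_mttd_mttc(INCIDENTS).items():
        print(f"{q}: MTTD {mttd:.1f}h, MTTC {mttc:.1f}h")
    print(gap_rollup(CONTROL_STATUS))
```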
CISO 3: Reporting to Cabinet Secretary & Congress
90% risk reduction over 12 months
[Chart: risk score plotted from 6/1/2008 to 8/25/2009 for two series, Domestic Sites and Foreign Sites, showing reductions of 89% and 90% over the period]
To be credible to management, metrics must be “authoritative and important and reliably measured”
How can you prove your metrics are authoritative and important (and reliably measured)?
The big idea: “Offense informs defense!”
Who Understands Offense?
Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make to block all known attacks?
NSA Red Teams
NSA Blue Teams
DoD Cyber Crime Center (DC3)
US-CERT
Top Commercial Pen Testers
Top Forensics Teams
JTF-GNO
Air Force OSI
Army Research Lab
Dept. of Energy National Laboratories: Sandia, Los Alamos
CISO 4: Major Utility
Let’s start with the results:
The Chairman of the Board told the CIO: “That’s the first time a security person has made sense.”
And then he made the CISO’s budget “base”, meaning it is funded automatically, just like emergency power line repairs.
20 Critical Security Controls
Sample Red/Yellow/Green Metric
[Grid: the 20 controls, numbered 1 through 20, each coloured red, yellow or green, arranged in three groups: Protection From the Most Likely Attack Vectors (Prevention); Detection & Response; Identity, Access, Governance & Architecture]
Auditor Buy-in
One more benefit from using the validated Critical Controls
Summary
The CISO’s perspective doesn’t necessarily match the Board of Directors’ perspective
What do I need to do? How much is enough? Whom can I trust to answer those questions?
What seems to work: an externally validated, prioritized framework (the Critical Controls) with a 3-year plan
Continuously showing improvement in important metrics
When You Get Back to Work
Make sure you are collecting the right security metrics so you can demonstrate value, improvement, danger – and connection to business goals.
Take advantage of any transitions coming:
  Moving to Windows 10, cloud services, mobile apps, agile dev, etc.
  M&A, re-org, new C-level management
  Audit results
Prioritize by business impact – shoot for a near term win.
Change something!
Communicate upwards:
  Successes
  Strategic obstacles
  Recommendations
Resources
SANS What Works: https://www.sans.org/critical-security-controls/case-studies
CIS Critical Security Controls: https://www.cisecurity.org/critical-controls.cfm
By three methods we may learn Wisdom:
1. By reflection, which is noblest
2. By imitation, which is easiest
3. By experience, which is the bitterest
– Confucius