Briefing the board lessons learned from cisos and directors

#RSAC
SESSION ID:SESSION ID:
#RSAC
John Pescatore
CXO-T11 - Briefing the Board: Lessons
Learned from CISOs and Directors
CXO-T11
Director, Emerging Security Trends
SANS Institute
@john_pescatore
Alan Paller
Research Director
SANS Institute

#RSAC
“Obviously, some people here
do not appreciate the gravity
of our situation.”

#RSAC
Measuring the Right Things –
Having Something Business
Relevant to Say to the Board
John Pescatore, SANS

#RSAC
Driving Security Change By Communicating Upwards
We mostly know what to do in security,
and we can learn how to do our part.
The biggest obstacle to success is getting
others to do their part.
Support from above is the most powerful
force to break through.
Goal: Learn how to inform CEOs and
Boards and convince them to back
strategies to drive change.

#RSAC
What (Actually) Works?
Separate the hype from the reality of
briefing the board
John and Alan’s centuries years of
experience
Discussions with Directors and CISOs
Sessions in Scottsdale AZ, San Diego,
Washington DC (2)

#RSAC
Why Do Some Do Better Than Others?
980 breaches in 2016
What did the other 9,020 of the F10000 do
differently?
(781 in 2015)
On average, 36K records exposed per
breach
What did those who limited breach size do
differently?
(Average = 215K in 2015)
Almost invariably, the organizations with
the least cyber incident impact have the
strongest CISOs and security teams.
Source: Identity Theft Resource Center

#RSAC
Characteristics of Cybersecurity Success
Understand vulnerabilities and threats – critical table stakes
Know demands of particular industry/vertical/organization
Balancing demands
Reduce threat impact to business
Reduce security impact to business
Ability to effectively communicate and drive action
Within the team
Across the organization
Upwards
Measurable results, connecting action to change to business benefit.

#RSAC
Shellye Archambeau
Director Verizon,
Nordstrom
Steve Martino
VP CISO Cisco
Kim Jones
CISO Vantiv
Gary Hayslip
CISO City of San Diego
Jason Callahan
CISO Illumina

#RSAC
Nick Fick
Director Dartmouth
University
Suzanne Vautrinot
Director Wells Fargo,
Symantec
Josh Davis
Qualcomm

#RSAC
Avoiding the same old noise…

#RSAC
Focus on protecting the
business first
Effectively and efficiently
and quickly
Make sure the solution isn’t
worse than the problem
Business benefits, not
security features
Is it Safe Enough for Us to
Self-insure?

#RSAC
Useful Security Metrics Can:
Drive change
Increase efficiency
Increase effectiveness
Give Warning
Action Required
Investment Required
Demonstrate Value
Compete for funds
Motivate workforce
Give the clueless a busy box

#RSAC
Delivering Security Efficiency and Effectiveness
Decrease the cost of dealing with
known threats
Decrease the impact of residual risks
Decrease the cost of demonstrating
compliance
Reduce business damage due to
security failures
Maintaining level of protection with
less EBITDA impact
Increase the speed of dealing with a
new threat or technology
Decrease the time required to secure
a new business application, partner,
supplier
Reducing incident cost
Less down time
Fewer customer defections Security as
a competitive business factor
Efficiency Effectiveness

#RSAC
Steve Martino, VP InfoSec, Cisco

#RSAC
Some Real World Examples
Healthcare – Building Security in Maturity Model (BSIMM) increase in
secure app dev life cycle reduced time to market for new app by 30%
and reduced software development costs by 15%
Higher Ed - Intrusion Detection Rate increased 46%, corrective actions
costs decreased 35%
Financial – reduced PC reimaging due to malware from 4 per week to
1 every 3 months, and will enable the use free of AV on desktops
Services – firewall policy management tools enabled existing staff to
reduced new connectivity approval from 2 weeks to 1 day.

#RSAC
Source: Kim Jones, Vantiv CISO at SANS Scottsdale AZ CISO Hot Topics Session

#RSAC
Alan Paller
The SANS Institute
paller@sans.org
AUGUST 2016, WASHINGTON, DC
Copyright 2016. SANS Institute
So You Just Got Invited To Brief the
Board of directors on Security

#RSAC
The Situation
The CIO emails the CISO saying that Board of Directors
is meeting next week; they want to be briefed on
cybersecurity. You, the CISO, are on the agenda.
A big opportunity? Perhaps.
A high risk moment? Most certainly.

#RSAC
In Their Own Words
Shellye Archambeau
Member of the Board of Directors of
Verizon
Arbitron
Nordstrom
CEO of MetricStream
Answers the questions:
What does the board want to hear in your briefing,
and what defines success for you?

#RSAC
Examples of BAD Slides ACTUALLY USED
IN A FEDERAL Executive BOARD BRIEFING

#RSAC
Agency IT Risk Management (AITRM) Program
ISCM is a risk-based strategy to maintain ongoing awareness
of information security, vulnerabilities, and threats to support
organizational risk management decisions.
Agency’s ISCM Strategy organizes the tools, processes, and
information enabled by CDM and RISCS for an effective risk
management framework.
Section I: Agency Cybersecurity Program Updates
In FY15, Agency updated its ISCM Strategy to align with
new risk management projects and to reinforce an
enterprise solution
Agency ISCM Strategy is 100% compliant with NIST
ISCM and ongoing authorization guidance
As the Agency IT Risk Management program matures,
Agency will revise its ISCM Concept of Operations

#RSAC
Agency IT Risk Management (AITRM) Program
AITRM integrates technical capabilities, reporting
requirements, management processes, and the roles and
responsibilities essential to mitigating risk, improving risk
posture, and enabling risk-based decision making.
AITRM Program integrates risk information from multiple
sources to enable an Agency-level, multi-tiered risk
management approach:
Section I: Agency Cybersecurity Program Updates
CDM tools
RISCS modules
SOC Incident Management System data
Federal compliance metrics (e.g. FISMA)
IT Security Awareness & Training Center
(ITSATC) compliance data

#RSAC
Four CISOs Who Found Effective Paths
Approaches that have worked:

#RSAC
CISO 1: Board Briefing
Plus:
1) FBI Director to validate the
immediacy of the risk
2) CISO of a well known industry
leader as a benchmark
Validated metrics of software security

#RSAC
CISO 2: Top Management Update
Continuous quarterly gap analysis vs the 20 Critical Controls
Critical control category
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
QW
Level 2
Level 3
Level 4
Compliant
Compliant In Spirit
Work in Progress
Not appropriate for our culture
Gap with no current plan
Plus: Continuous:
1) Mean time to
Detect Incidents”
and “Mean time to
Contain Incidents
2) 4 key automated
vulnerability
metrics – rolled up
quarterly

#RSAC
CISO 3: Reporting to Cabinet Secretary & Congress
90% risk reduction
over 12 months
0.0
200.0
400.0
600.0
800.0
1,000.0
1,200.0
6/1/2008 7/21/2008 9/9/2008 10/29/2008 12/18/2008 2/6/2009 3/28/2009 5/17/2009 7/6/2009 8/25/2009
Domestic Sites Foreign Sites
89%
Reduction
90%
Reduction

#RSAC
To be credible to management, metrics must be
“authoritative and important and reliably measured”
How can you prove your metrics are authoritative
and important (and reliably measured)?
“Offense informs defense!”
The big idea:

#RSAC
Who Understands Offense?
Would they be willing to combine their knowledge of attacks
and offense to define the most important defensive
investments CIOs must make to block all known attacks?
NSA Red Teams
NSA Blue Teams
DoD Cyber Crime Center (DC3)
US-CERT
Top Commercial Pen Testers
Top Forensics Teams
JTF-GNO
Air Force OSI
Army Research Lab.
Dept. of Energy National Laboratories
Sandia
Los Alamos

#RSAC
CISO 4: Major Utility
Let’s start with the results:
The Chairman of the Board told the CIO: “That’s
the first time a security person has made sense.”
And then he made the CISO’s budget “base”
meaning it is funded automatically just like
emergency power line repairs.

#RSAC
20 Critical Security Controls
Sample Red/Yellow/Green Metric
1 2
3
4
5
6
7
8
9
101112
13
14
15
16
17
18
19
20
Protection From the Most Likely Attack Vectors
Prevention
Detection & Response
Identity, Access, Governance & Architecture

#RSAC
Auditor Buy-in
ONE More benefit from using the
validated critical controls

#RSAC
Summary
CISO’s perspective doesn’t necessarily match
the Board of Directors’ perspective
What do I need to do? How much is enough? Whom can I trust
to answer those questions?
What seems to work:
Externally validated, prioritized framework (the Critical
Controls) with a 3-year plan
Continuously showing improvement in important metric

#RSAC
When You Get Back to Work
Make sure you are collecting the right security metrics so you can demonstrate
value, improvement, danger – and connection to business goals.
Take advantage of any transitions coming:
Moving to Windows 10, cloud services, mobile apps, agile dev, etc.
M&A, re-org, new C-level management.
Audit results
Prioritize by business impact – shoot for a near term win.
Change something!
Communicate upwards.
Successes
Strategic Obstacles
Recommendations

#RSAC
Resources
SANS What Works: https://www.sans.org/critical-security-controls/case-studies
CIS Critical Security Controls: https://www.cisecurity.org/critical-controls.cfm
By three methods we may learn Wisdom:
1. By reflection, which is noblest
2. By imitation, which is easiest
3. By experience, which is the bitterest
– Confucius

Briefing the board lessons learned from cisos and directors

More Related Content

What's hot (20)

Similar to Briefing the board lessons learned from cisos and directors (20)

More from Priyanka Aash (20)

Recently uploaded (20)

Briefing the board lessons learned from cisos and directors