Wednesday, August 9, 2017

Tools to use to approach CISO strategy and how

A 10-step approach to identifying the critical pieces of a CISO's strategic plan, and where to look for the answers:

(Steps 1 through 9 prepare us for step 10.)

1. Know your role

(What to ask, or which resources can help you find answers:)

Job description, charter, org chart, who you report to, who reports to you, objectives, how your performance will be rated, what this organization believes the CISO role must achieve

2. Know your audience

Who the stakeholders are, what their backgrounds are, what they think is important, what they think your role is, what they think your role is not, whether their perspectives need reshaping
3. Know your organization

What sector(s), what flagship product or service; whether the organization is for-profit, nonprofit, publicly traded, member-owned, or government; what regulations govern its practices; who its customers are and where they are located; the CEO's or board's vision

4. What is your budget

Size of the organization, IT budget, IT security budget, budget for hardware, software, outsourcing and training, incident response reserves, and the cyber insurance policy (premium and coverage)
5. How many are on your team

The people working on your team and those who formally report to you are not necessarily the same set. Is the organization projectized, functional, or matrix-based?

6. Timelines and deadlines imposed upon you

Internal goals, litigation preparation, DoD 8570.01-M IAT proficiency levels required of staff, PCI DSS, new product delivery support, SDLC milestones, end-of-life dates, fiscal year-end, the new budget approval window, audits, ISO certification deadlines

7. What do you have, how is it configured, and where are the concerns

CMDB, asset inventory, surveys, assessments, policy, federated services, penetration testing

8. How are those concerns remediated and continuously monitored

Periodic reassessment, patch management plan, CMDB owner, change management logs, SIEM, SOC

9. What protections and defenses are in place

9a. How is your team of admins and security professionals securely managed

Privileged account management, identity and access management, multi-factor authentication, change management, role overlap, checks and balances (separation of duties), mandatory vacations, monitoring and analysis of audit logs

9b. Tools, software, solutions, and protective measures for:

Email; web browsers; malware; network ports; data recovery capability; network device settings; boundary defense; data encryption; multi-factor authentication; wireless access points; account monitoring and control; application, platform and OS-level software; mobile device management; policy; threat awareness and training

9c. Penetration tests and red team exercises

9d. Incident response management plan, and/or cybersecurity insurance

10. Where to focus efforts in the future

This is the first place you begin to plan affirmatively, after addressing steps 1-9, by putting the pieces together to build a strategy that meets the scope, budget, and time constraints unique to the organization. Once step 9 is reached, you will feel more self-assured and confident that you know what you are doing and where you are going with this. The fact is that "how to build a strategy" is a question that cannot be answered without first ascertaining these details. Skipping them leads to the trap of offering solutions to problems that the organization either does not need solved, or is ill-equipped to solve without first reshaping the answers to steps 1-9.

Bonus step 11.

Do you really still want this job? Will you be compensated appropriately for executing the strategy formulated in step 10?

These ten steps assume that risk is a function of threat, vulnerability, and consequence, reduced by the controls in place.

They help position the organization toward adherence with the CIS Critical Security Controls, NIST, PCI DSS, ISO or other frameworks, and help prepare for compliance with the regulations that govern your organization. Steps 7-9 map directly to the foundational CIS Critical Security Controls and to the NIST SP 800-53 controls applied under the NIST Risk Management Framework, which FISMA requires federal agencies to follow. This article conveys views and opinions and does not constitute legal advice.

You have likely followed these steps before, and many more. What is your opinion on an approach to preparing a CISO strategy?
