CISO Fundamentals
Getting back to the cyber basics, stabilizing the environment.

The urgent need for a unified cyber security protection profile is highlighted by recent high-profile reports of companies being hacked, critical infrastructure being compromised, intellectual property (IP) being stolen, and the rise of ransomware (CryptoLocker). Companies are realizing that the risks from cyber-attacks (loss of IP and data, money, privacy, and a tarnished reputation or brand) are intensifying and accelerating in today's hyper-connected environment. These risks include disruption of business operations, data corruption and theft, unknown legal liabilities, and loss of financial stability. The role of the Chief Information Security Officer (CISO) is to remain vigilant on the cyber fundamentals: malware outbreaks, data breaches, protecting data and privacy, continuous monitoring, and risk management. When a small business has no CISO, these risks and their impacts are amplified in its day-to-day operations, cash flow and clientele, among other areas.

The need for a common cyber profile raises two questions: what are the key cyber protections to implement, and can we afford to implement them? We say the answer is yes, using an overall risk management approach and following the recommendations below. This article proposes an effective and affordable path to an adequate, well-proven level of cyber security operations. The threats we face are very real. The news shows only the high-visibility attacks (Sony, Target, Home Depot, etc.) and leaves out the fact that, on average, we will all eventually be breached (or already have been and don't know it yet). Businesses must therefore understand that they cannot buy cyber security; they must manage their cyber ecosystem using the 5 Ps of any endeavor: people, processes, policy, product and now privacy, too.
The standard cyber security suite today can be effective if maintained, enabling business owners to focus on business operations, mitigating critical risks, protecting privacy and minimizing legal liabilities. We recommend organizations stay current on cyber threats and mitigations by associating with their business sector's Information Sharing and Analysis Center (ISAC), local FBI outreach, and US-CERT. We recap the current threat picture with two representative summaries that motivate our recommended protections. Forbes listed the key security vulnerabilities as social engineering, advanced persistent threats, insider threats, bring your own device (BYOD), browser-based attacks, botnets, targeted malware, and the cloud. The 2014 Verizon Data Breach Investigations Report's top threat patterns were point-of-sale intrusions, web application attacks, cyber espionage, payment card skimmers, insider misuse and crimeware. The threats these reports list can seem overwhelming, and the many types of cyber capabilities and functions (illustrated in the original's figure) can look daunting, but the solution to the large majority (90+%) of security incidents is implementing the security basics and doing them well. Know, maintain and monitor your security baseline, while also stabilizing the cyber environment.
Best practices in organizational protection use a balanced cyber security approach within an enterprise risk management framework (RMF) that accommodates the 5 Ps. Since nearly all security incidents are associated with NOT doing the security basics (e.g., keeping product settings and patches current, effectively controlling data and network access), companies must implement a security continuous monitoring (SCM) capability to detect and correct improper settings and to scan for abnormal behavior. The organization's risk management plan (RMP) is another critically important tool for balancing risks, resources, and priorities to support the mission-essential functions of the business. For the business sector there are many security guides that offer best-practice controls (keep software updated, educate employees, monitor social media, employ effective passwords, limit access to sensitive data, and control downloaded apps); the CISO must understand, integrate and efficiently manage them all, providing affordable protection to all stakeholders.

The premise of the balanced, integrated approach we promote is that companies can be well protected (to at least a notional due-diligence level) by implementing a few key guidelines: (a) the NIST SP 800-53 (Rev. 4) security and privacy controls (SP 800-53A describes how to assess them) and, specifically for small business, NISTIR 7621 (Rev. 1), with its "absolutely necessary" and "highly recommended" actions; and (b) both the NSA Top 10 mitigations and the SANS Top 20 Critical Security Controls. These sets of controls collectively define a defensible due-diligence security posture. The business environment needs a high infrastructure and data protection profile, with effective SCM, without encumbering user productivity. Embed the following cyber tenets into your RMP for maximum protection:
• Employ well-proven security products, which entails at least: anti-virus, firewall, VPN, IDS, encryption (with robust key management) and SCM. Buy security products only from formal, approved product lists (for example, FIPS 140 or NIAP Common Criteria validated products where applicable).
• Continuously manage, monitor, mitigate and automate your IT/security baseline (use tools and dashboards). The key here is visibility: you can't manage what you don't see. These five activities can reduce security incidents by well over 90%:
  o Effective application upgrade and patch management;
  o Controlling network and data access (enforce least privilege);
  o Application whitelisting and secure configurations;
  o Current hardware and software inventories; and
  o Employing SCM / SIEM (on premises and in the cloud).
• Secure backup is paramount: use multiple locations, encrypt most if not all storage, and address cloud security in your SLAs. In fact, encrypt all data at rest and in motion (external connections).
• Manage access to the company, both physical and virtual. Use strong, unique passwords, changed periodically (but not so often that users work around the policy); consider a token or biometric factor (MFA) for sensitive data. Strictly limit privileged access.
• As IP and data define your business, focus on data security and privacy by design: categorize data and know where it is; use Data Loss Prevention (DLP) and rights management to control access to and track key data.
• Proactively manage business risk using your RMP, complemented with a well-communicated, enforced security policy. Use cyber insurance to transfer residual risk (known, accepted risks and the unknowns); base your coverage on a current risk assessment (ISO 27000 series) and use the policy to align management, broker and legal counsel.
• Robust resiliency and recovery: have a Business Continuity Plan and an incident response plan.
• Provide ongoing training and education on security awareness and business risks, tailored to all key stakeholders. Make the training personal, with natural work applications, as it will last longer.
• KNOW your security status and metrics. Periodically and independently test and assess the security suite, ongoing processes (including backups and restores), security policy enforcement, and all major elements in your RMP.
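The "five activities" above (patch management, least privilege, whitelisting and secure configuration, inventories, and SCM) and the "KNOW your security status / metrics" tenet all come down to one mechanism: comparing what is actually deployed against an approved baseline and counting the deviations. The Python below is an added example, not code from the article or its authors. It checks constructed host snapshots (assumed sample hosts, packages, versions and settings, not real systems) against an assumed baseline and produces a finding per deviation, grouped into the categories a SCM dashboard would report.

```python
"""Security continuous monitoring (SCM) baseline drift check.

Added example: compares per-host snapshots (installed software, key
configuration settings) against an approved baseline and reports drift
in four of the "five activities": inventory, application whitelisting,
patch level and secure configuration. All hosts, packages, versions
and settings below are constructed sample data, not real systems.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    category: str  # one of: inventory, whitelist, patch, config
    detail: str


# Assumed approved baseline (hypothetical values chosen for the example).
BASELINE = {
    # Approved hardware/software inventory: hosts allowed on the network.
    "inventory": {"web-01", "web-02"},
    # Application whitelist: package name -> minimum patched version.
    "approved_software": {"openssh-server": "9.6", "nginx": "1.24.0", "sudo": "1.9.15"},
    # Secure configuration: setting -> required value.
    "required_settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "firewall.enabled": "true",
    },
}

# Constructed snapshots, as an inventory agent or configuration scanner might report them.
SNAPSHOTS = [
    {   # unpatched nginx and root SSH login enabled
        "host": "web-01",
        "software": {"openssh-server": "9.6", "nginx": "1.22.1", "sudo": "1.9.15"},
        "settings": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                     "firewall.enabled": "true"},
    },
    {   # compliant except for an unapproved tool
        "host": "web-02",
        "software": {"openssh-server": "9.6", "nginx": "1.24.0", "sudo": "1.9.15",
                     "netcat": "1.10"},
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                     "firewall.enabled": "true"},
    },
    {   # not in the inventory at all, and no firewall setting reported
        "host": "dev-laptop",
        "software": {"openssh-server": "9.6"},
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"},
    },
]


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version ('1.24.0') into a comparable tuple.
    Assumption: dotted integers; any non-numeric piece sorts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_host(snapshot: dict, baseline: dict) -> list:
    """Return every deviation of one host from the baseline, in a stable order."""
    host = snapshot["host"]
    findings = []
    if host not in baseline["inventory"]:
        findings.append(Finding(host, "inventory", "host is not in the approved inventory"))
    approved = baseline["approved_software"]
    for name, version in sorted(snapshot.get("software", {}).items()):
        if name not in approved:
            findings.append(Finding(host, "whitelist",
                                    f"unapproved software installed: {name} {version}"))
        elif parse_version(version) < parse_version(approved[name]):
            findings.append(Finding(host, "patch",
                                    f"{name} {version} is below minimum {approved[name]}"))
    observed = snapshot.get("settings", {})
    for key, expected in sorted(baseline["required_settings"].items()):
        actual = observed.get(key)
        if actual is None:
            findings.append(Finding(host, "config", f"{key} not set (expected {expected})"))
        elif actual != expected:
            findings.append(Finding(host, "config", f"{key}={actual} (expected {expected})"))
    return findings


def check_fleet(snapshots: list, baseline: dict) -> list:
    """Run check_host over every snapshot and concatenate the findings."""
    return [f for snap in snapshots for f in check_host(snap, baseline)]


def summarize(findings: list) -> dict:
    """Count findings per category: the metric a dashboard would trend over time."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = check_fleet(SNAPSHOTS, BASELINE)
    for f in results:
        print(f"{f.host:<10} {f.category:<9} {f.detail}")
    print("summary:", summarize(results))
```

Run as a script it prints one line per finding and the per-category count. In practice the snapshots would come from an inventory agent or configuration scanner on a schedule, the baseline would be the organization's approved configuration standard, and the per-category counts (and their trend) are the status metrics worth reporting upward; a host that is unknown to the inventory is itself a finding, because you cannot patch, whitelist or configure what you do not know you have.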
As business leadership becomes more cyber aware, a CISO must be able to translate the above cyber tenets into C-suite language: operational impact, costs, revenues, value and market share (brand, etc.). A CISO will typically have to fulfill these requirements with minimal resources, so they must be creative in implementing an effective, affordable cyber ecosystem. We believe that by implementing these cyber tenets, a CISO can be an effective risk communicator throughout the organization, from the C-suite to the shop floor.

To efficiently imbue effective and affordable cyber security and privacy into your business and enhance the value proposition, contact Mike at Mike.Davis.SD@gmail.com and Gary at ghayslip@gmail.com. For a much more detailed overview of what really matters in cyber security, and many other cyber and privacy resources and links, see http://www.sciap.org/blog1/?page_id=1184
