CISO 90 Day Plan - OWASP
Transcript of CISO 90 Day Plan - OWASP
Page 1
CISO 90 Day Plan
Nelson Chen, M.Sc. IT, CISSP, CISA, CISM

Page 2
Agenda
• Why are we here?
• Days 0–30
• Days 31–60
• Days 61–90
• Days 90+
• Infinity & Beyond

Page 3
Avoiding Really Bad News!
<Your Company Name Here>
Data Breach!
Page 4
Don't be the Blocker!
MAYBE

Page 5
Don't be the Prophet of Doom

Page 6
Toughest Part of the Job

Page 7
CISO Post-Breach

Page 8
Days 0–30
Establishing Relationships & Trust

Page 9
Selling CISO as a Service
• Business enablement
• FUD is not the only pitch
• Education
• Shared responsibility
• Get support and buy-in
• Add Value!

Page 10
Taking Initial Inventory
• Organizational Structure - Who's who
  – Execs, BU Leaders, IT Ops, Internal Audit
• Existing Policies, Processes, etc.
• Existing Technologies
• Where's the Data?
• Historical Security Incidents
• Shadow IT

Page 11
Leading Towards Better Security

Page 12
Servant Leadership

Page 13
Security Surrounds us, Penetrates us and Binds us Together

Page 14
Days 31–60
Prioritizing & Project Kickoff

Page 15
Back to Basics - CIA Triad
Confidentiality: keeping it secret
Integrity: keeping it together
Availability: keeping it up
Image credit: Central Oregon Community College
Page 16
Fox-in or Fox-out?

Page 17
Team or Committee?

Page 18
Security Team Building
• BU InfoSec Officers – Legal, Finance, Sales, Marketing, HR, Development, IT, etc.
• Committee driven
• Executive sponsor
• Internal audit is your friend
• Where are all the resources?
Image credit: KissPNG

Page 19
Security Committee Goals
• Business Security Mission Statement
• Aligning security with each BU - what are we protecting?
• Taking detailed inventory – Processes, Systems, Data, People
• Budgetize, Prioritize, Projectize
• Reporting directly to C-levels
Image credit: KissPNG

Page 20
Security Assessment & Gap Analysis
• Capability Maturity Model (CMMI)
• Cybermaturity Platform

Page 21
CMMI – 5 Levels (source: CMMI Institute)
• Level 1 – Initial: Processes are unpredictable, poorly controlled, reactive.
• Level 2 – Managed: Processes are planned, documented, performed, monitored, and controlled at the project level. Often reactive.
• Level 3 – Defined: Processes are well characterized and understood. Processes, standards, procedures, tools, etc. are defined at the organizational (Organization X) level. Proactive.
• Level 4 – Quantitatively Managed: Processes are controlled using statistical and other quantitative techniques.
• Level 5 – Optimizing: Process performance continually improved through incremental and innovative technological improvements.
Page 22
WTF-OMG Compliance

Page 23
How and Where to Focus?
Image credit: The Cybersecurity Hub on Twitter

Page 24
Critical Business Processes
Image credit: Apttus

Page 25
Patch Management is Paramount!
Image credit: National Library of Australia

Page 26
Data Inventory
• What, where, why, when & how
• Follow the data trail
• Backups
• End-user computers
• Storage media
• Archived applications
• What's in the Cloud?

Page 27
Data Classification
• Public, Internal, Confidential, Secret
• PII: Customer & Employee
• Defined Repositories
• Commensurate Security Levels
• Managed Data Life Cycle

Page 28
Security Policy
• Compliance Driven
• Business Driven
• Ownership
• 3rd party
• Customer Input
• Training
• Controls Design & Mapping
  – Cloud Controls Matrix (CCM) - Cloud Security Alliance

Page 29
Days 61–90
Building Secure Foundations

Page 30
Security vs Security Operations
SecOps
Image credit: Wordpress

Page 31
Security Awareness Training
• Business Unit Relevance
• Joint delivery with BU-ISO
• Compliance driven
• Sec-Dev-Ops Training
• Relevant 3rd Party training

Page 32
Application Security
• Every company is a technology company
• In-house vs 3rd Party
• Secure SDLC
• Training
• your Web app!
Source: Verizon 2018 DBIR

Page 33
Business Continuity
• Business Process Driven
• Disaster Recovery – Defined RTOs & RPOs
• Backup Strategy
• Denial of Service
• Testing
Image credit: StepupIT

Page 34
Prepare for the Worst

Page 35
Data Breach Preparedness
• Breach Scenario Planning
• Table-top Exercises
• Decision Tree
• Detection & Logging
• Contact Lists
• Time-to-Notify
• Bitcoins?!
Data Breach Response Plan
IN CASE OF EMERGENCY BREAK GLASS
Page 36
Customer-Facing Security
• Securing Client Services
• Supporting Sales
• Customer Security Compliance
• Vendor Security Questionnaires
• Legal Agreements – Security Language

Page 37
Days 90+

Page 38
Security is a Board-level Problem

Page 39
And a message from the
• On November 1, 2018, Data Breach Notification Laws will be enforced in Canada

Page 40
KEEP CALM, DO THE RIGHT THING AND CYA

Page 41
The Tribe Has Spoken…
NOT ME
Page 42
Chief I'm the Scapegoat Officer
Questions?