#*%! my CISO Says Barry Caplin Chief Information Security Official Fairview Health Services Argyle CISO Summit Wed. Nov. 19, 2014 [email protected] [email protected] @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
#*%! my CISO Says
Barry Caplin Chief Information Security Official
Fairview Health Services
Argyle CISO Summit Wed. Nov. 19, 2014 [email protected] [email protected] @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
Barry Caplin Chief Information Security Official
Fairview Health Services
tuff
Argyle CISO Summit Wed. Nov. 19, 2014 [email protected] [email protected] @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
Security Isn’t Easy…
We didn’t get into it for the…
And how do we get their attention and support?
Nobody cares about Security… The Challenge of Security Awareness
Why?
Stuff happens…
• Security viewed as a negative • Avoidance v. “risk”
– Delays – Cost – Extra work – “Gotchas”
Issues
It Can’t Be Just…
We need sensible controls…
… early in the process…
Good CISO/Bad CISO
Governance Governance… We don’t need no stinkin’ governance!
Bad CISO
“Badges?...”
Governance Develop a clear strategy using an industry standard framework.
Policy All Security Policy is the same. I got mine from a book.
“Hello Mr. Anderson”
Bad CISO
Policy Policies are based on solid principles, but adapted to fit the organization.
“Fate, it seems, is not without a sense of irony.”
Compliance We write the policies. We make people sign an oath. Done.
“So there is a point you will not go beyond.”
Bad CISO
Compliance We must make (understandable) policies. We must teach. We must assess, measure and report.
“It's like a finger pointing away to the moon...”
Awareness Users will know what they have to do or be eliminated. Bad CISO
“The successful criminal brain is always superior. It has to be.”
Awareness Users can talk to Security. We teach. We answer questions.
“Shaken, not stirred”
Senior Management I say what they want to hear. They’re not listening anyway.
Bad CISO
“Why make a trillion when we could make... billions?”
Senior Management Give them the info they need and they will be an engaged partner.
“Smashing Baby!”
Bad CISO
“Your lack of faith is disturbing”
Business Needs I buy the best known security products because they’ve got to be good.
“The Force is strong with this one.”
Business Need Working together we find control- and cost-effective security products that work and are usable.
Stuff I Say…
KISS
Stuff I Say…
No one has “read and understood” • but definitely still responsible • Simple, direct language in policy • Compliance via education
Stuff I Say…
You pay by the word • Keep policies short and sweet • If not, you’ll pay on the compliance-effort side
Stuff I Say…
People want to do the right thing • but what is the right thing? • Understandable policy • Simple rules
Stuff I Say…
Do What Makes Sense • Risk Management approach • Seek out and destroy meaningless policy/controls/practices
Stuff I Say…
Iterative Improvement • Maturity model • CObIT, SEI CMMI
Stuff I Say…
Automation! • Metrics • Tools • Reporting
Stuff I Say…
What is the business need? • Find out business need in plain business language
Stuff I Say…
Have Fun!
about.me/barrycaplin
Securityandcoffee .blogspot.com
@bcaplin
Related Documents
