The First 90 Days of Chief Information Security Officer (CISO)

Prepared for a graduate course: Information Security for Managers

Abstract

Changes in IT networks in recent years have changed the role, the definition and the scope of skills and responsibilities of a CISO. This paper provides an overview of the changing environment and the current state of the CISO role. It presents a plan for the first 90 days of a CISO, which are crucial in determining the success of a new CISO at the organization. The 90-day plan consists of five phases: Preparation, Assessment, Planning, Execution and Measurement. Each phase includes multiple steps and recommends a set of actions a CISO may perform. The five-phase plan is recommended as the minimum requirement to achieve success in the position of a CISO today.
2014
Esia Yosupov NYU Poly – School of Engineering
12/13/2014
Introduction
In today's global economy, the goal of nearly every company is to have access to its information while ensuring Confidentiality, Integrity and Availability. While technological advancements have enabled businesses to operate faster and more efficiently, they have also added complexity to the IT network environment. As the IT network environment has become more complicated, the role of the Chief Information Security Officer (CISO) has become a daunting task that has evolved radically over the last few years.
Multiple factors have contributed to the change in the role of the CISO. The scale of change has shifted primarily because of a range of high-profile trends, as products and technologies become more consumer-based (Deign, 2014). A recent trend such as Bring Your Own Device (BYOD), although often referred to as a single model, has many interpretations; depending on the model implemented, the potential cost savings and the security challenges vary greatly. Other trends include cloud computing and mobility. The increasing use of mobile devices in particular has made them a relatively easy target for cybercriminals. According to Cisco's 2013 global mobile data forecast, there are more than 7 billion connected devices in the world. By 2018, it is predicted to be nearly 1.4 mobile devices per capita, translating to over 10 billion mobile-connected devices (Cisco, 2014). All these trends have blurred the boundaries between corporate networks and the outside world, making the role of a CISO more difficult and challenging.
Another factor changing the role of the CISO, and one that has increasingly caught many organizations' attention, is the number of high-profile security breaches such as the Target and Neiman Marcus data breaches in late 2013, which caused the theft of millions of consumers' data and billions of dollars in losses. According to the Global State of Information Security Survey 2015 (Figure 1), the reported costs of incidents increased by 92% over 2013 (PwC, 2014). Henceforth, increasing cybersecurity threats require close attention at the top executive level, in particular from the CISO. This paper presents a plan for the first 90 days of a CISO in an organization. The first months are critical for his or her success or failure in the position. Successful individuals will be the ones who establish a personal brand of credibility and leadership and lay the foundation for a security program. New CISOs who approach the role with a strong plan for the first 90 days are likely to enjoy success.

Figure 1: Incidents are more costly to large organizations. Average financial losses due to security incidents, 2013–2014
Target audience
This paper is intended for all IT professionals who aim to become CISOs or who currently hold the CISO position. It is not a technical paper and does not cover technical strategies or plans. In addition, non-technical professionals from other departments are encouraged to read this paper to get an idea of the scope of the CISO role and to understand its importance.
The Evolution of the CISO
Before the role of the Chief Information Security Officer (CISO) was created, most organizations relied on professionals in the IT department to cover the security of their infrastructure. It was only after the September 11th, 2001 attacks and the USA PATRIOT Act of October 2001 that the federal government required a dedicated role solely devoted to the IT security of the organization, both physical and non-physical. By 2001, only 47% of companies, in both the private and government sectors, acknowledged the existence of an employee dedicated to organizational security (Cho, 2003). By 2009, the share of large organizations with a CISO as a security executive had grown to 85%.
Over the past years, the responsibilities and the skills needed to become a CISO have evolved dramatically: from an individual with in-depth technical skills dealing with IT security administration to one performing high-level risk management, a talented individual who is a leader, business-oriented, with exceptional communication skills. A decade ago, the focus of the security professional in the organization was on firewalls, antivirus signatures, spyware and the detection of mischievous activity on the web, on a smaller scale (Brenner, 2010). Today, the majority of the responsibilities have changed to looking at the big picture and designing a program that balances acceptable risks, as cybercrime happens on a global scale. Today, cybercriminals aim to harm systems and steal identities for monetary reasons. Figure 2 shows the number of detected incidents in 2013 and 2014. There is a significant increase in incident detection, especially in larger companies (PwC, 2014).

Figure 2: Large companies detect more incidents. Detected security incidents by company size (revenue)

There are two situations in which a new CISO may be hired. The first is where a company does not have a dedicated employee to manage the IT networks, in other words the CISO position was never created. Due to the recent security breaches making headlines, the company is concerned and has realized the importance of the role; it seeks to mitigate the risk of being the next target of cybercriminals. The second is where a company, whether it has no CISO or is replacing one, seeks to recover from a data breach. In either situation, a new CISO is entering a new leadership position. To enjoy success, a new CISO has to have a solid plan of action. A new CISO is hired because the company understands the importance of the role and values the position. Therefore, to get the most out of it, a CISO should prepare and plan for the new role. The initial plan should cover the first three months in the position.

The Five Phases of a New CISO Plan

The first 90 days of a Chief Information Security Officer (CISO) include five phases, which are crucial in determining the success of the new CISO at the organization. The five phases are: Preparation, Assessment, Planning, Execution and Measurement. Each phase includes multiple steps and recommends a set of actions a CISO may perform. The five phases are described consecutively; however, phases may overlap, and some phases may require more time than others. The following five phases are required, at minimum, to enjoy success in the first ninety days in the role of a CISO.
The First 90 Days
Phase I: Preparation (days 0-15)
The Preparation phase provides an organizational overview: what type of industry the organization operates in, its organizational structure, and a mutual agreement on expectations and role responsibilities. The CISO interacts with almost every department in the organization. Therefore, the first step is to be visible and known among all management, senior stakeholders and new staff. Scheduling a departmental meeting in the very first days with all the key leaders in the organization to introduce the new CISO may be a good start. During the meeting (a couple of meetings may be needed), the goal is to collect as much information as possible and to get a broad picture of what the organization is all about. It is the best opportunity to discuss security topics and concerns, like an open communication thread. The new CISO should be approachable and display enthusiasm for the new role.
As we learned from the newly defined CISO skills and responsibilities, another important goal is to build relationships with new staff and stakeholders: building political capital by listening to employees, displaying empathy, and gathering their goals and objectives in order to help them be successful when building the future Information Security Roadmap and Strategy.
Another action to perform is to get to know the security team's skill sets, to better utilize technical skills and to identify star performers (who may later be part of the security program lead). This may be accomplished by creating an inventory of skills, including technical and soft skills (Fimlaid, 2014). The skills inventory is collected by talking to team members, holding one-on-one meetings, and observing performance. This is the most important task for finding out what is already in place and who can help in the next phases. It also helps to avoid underperforming or demotivated employees and to ensure that employees' goals are aligned with organizational goals.

Goals
• Understand the organization's business needs and agree on role expectations with management, senior stakeholders and new staff
• Develop meaningful relationships with new staff and stakeholders
Phase II: Assessment (days 16-35)
The Assessment phase uncovers the current security standing, security management, management flaws, weaknesses, and strengths. In this phase the CISO gathers an inventory of the resources that will be needed to manage the security organization. It includes, but is not limited to: people, reports, available metrics and financial parameters, the existing security strategy, policies, standards and architecture (Scholtz & Byrnes, 2014). Close attention should be paid to anything the previous CISO (if there was one) may have done well. The inventory of the Information Security Program should include security staff and their responsibilities, program capabilities and how mature those capabilities are, and any available metrics on department performance. Along with that, the CISO reviews the budget and associated metrics, uncovering the capital portfolio and the operational expenditure on security management.
Information Security High-level Current State Assessment

At this point the assessment acts at a macro level to identify which elements of the company's security program are functioning at their best and which elements must be replaced or repaired. In this phase the CISO evaluates compliance against industry standards such as PCI and finds out the regulatory obligations. If the CISO has the capability, he or she may review and assess the information security standing. However, there should also be an independent, qualified information security assessor (for example against a framework such as ISO 27001) performing an assessment, to add credibility to any findings and to ensure quality (Fimlaid, 2014). Furthermore, the security assessment may include penetration testing and vulnerability assessment, current audit findings, the security risk assessment, and the risk assessment, which are needed to prioritize which remediation efforts to tackle first (Scholtz & Byrnes, 2014).

Goals
• Gain comprehensive insight into the current state of the Security Program in the organization
• Perform a high-level assessment
• Review available metrics and financial parameters
Phase III: Planning (days 36-60)

The Planning phase transforms all the information gathered in the previous phases into an actionable blueprint. The information learned is aggregated to formulate an Information Security strategy. Ultimately, the strategy includes a roadmap for delivering the program, which includes risk management considerations. For example, in some cases it might make sense to mature an Information Security competency to 90% of its potential capability because the additional 10% improvement might be costly. Developing this Information Security Roadmap and being purposeful about investment and return on investment will help gain traction for the future budget (Fimlaid, 2014). The overall security strategy should include a framework such as ISO 27001 or NIST (National Institute of Standards and Technology) for overall industrial competitiveness.
Next is to set up goals and establish a program vision, essential for the success of an Information Security Program. This could be considered a prerequisite step for developing the overall Information Security Program strategy. In this step, the CISO redefines the security of the organization, in a way that reflects the maturity of the organization's security and management practices and is compatible with the organizational culture (Scholtz & Byrnes, 2014).
The next step is to utilize the budget information obtained in Phase I: Preparation; it is time to review the operational security budget to understand how spending is improving the program. It is advised to have a financial analyst assist with the budget and develop ROI metrics to show improvement in the fiscal posture of the Information Security Program. The CISO should communicate with, and get the agreement of, the stakeholders from Phase I to make sure of their support. The goal is to have a plan for the next two to three months.
The next step is to focus on two security issues identified in the security assessment from Phase II: Assessment. To best select the two key issues to focus on, the following questions may be considered: What is the risk of failure? Will it be successful within three months? Are current resources and budget available?

Goals
• A draft of the Security Program Vision
• Plan the operational security budget for the next two to three months
• Plan the focus on two key issues identified in Phase II
• Plan for a Security Awareness Program
Information Security Awareness Program
Another objective is to ramp up the Information Security Awareness Program. Often, CISOs fail to notice the importance of such a program. An awareness program is not training for employees; it is a foundation of awareness for both technical and non-technical employees. It is a fairly challenging task: a Security Awareness Program has to be continuously developed and kept up to date with interesting content that is engaging enough. Nonetheless, it is a must in planning. It is recommended to collaborate with the marketing department to come up with fresh new ideas, and to ensure that every member of the security team advocates security to others and perhaps delivers an informative resource annually.
Phase IV: Execution (days 61-80)

The Execution phase delivers visible results of the security program strategy. The Charter draft encompasses the mission and objectives of the security program strategy. The Charter format should contain enough detail that it can be converted into an operational plan. Also, a Charter should be written at a high level, comprehensible by the approving parties. Before approaching the Board of Directors or the Information Security Steering Committee for Charter approval, it is recommended to have appropriate reviewers for the program.

Considering the Information Security Program strategy and objectives, it is time to utilize the skills inventory, rearranging and placing people in the right positions to accomplish the strategy. Considering the strengths of the selected star leaders, autonomy should be given. For instance, senior leaders would be able to work autonomously and help the CISO coach and provide oversight to junior leaders, while junior leaders might need a little more structure, with work plans and project reviews.

Lastly, participate in existing projects, whether inherited security projects or newly implemented ones. First, this ensures that projects stay on track and keeps the CISO on top of stalled projects; depending on the company's needs and overall risk, the lowest-priority projects can be put on hold. Second, this is a good opportunity to gain some credibility in the team and to show a successful contribution from the CISO role. Besides that, this process should have two objectives: keep the team focused on project business value and, when needed, keep team members motivated for a smooth and effective execution phase.

Goals
• Draft an Enterprise Information Security Charter
• Select star security team leaders
• Implement existing security projects
Phase V: Measurement (days 81-90)

The Measurement phase evaluates whether goals and objectives were met. The Information Security Program Strategy is a solid platform for tracking the progress of the strategic deliverables and tasks. This is an opportunity to provide evidence of impact and show achieved results. This phase overlaps significantly with the Execution phase as a corrective measure. It provides feedback so that deliverables and objectives can be tuned to produce the desired results. Given all the hard work done up to this date, this phase is essentially the evidence of whether the CISO has been successful or not. The CISO has to prepare an initial report for Executive Management and the Steering Committee. This can be used as a component of the overall Information Security Governance processes. Finally, the key is to continually monitor the Information Security Program deliverables and, when needed, modify or tune them.
Goals
• Initial status report for Executive Management and the Steering Committee
• Monitor the Security Program
• The foundations of an effective Security Reporting Framework

Conclusions

With the threat of cybercriminals attacking organizations on a global scale, the role of a CISO has become a challenging position. The importance of a CISO in organizations is now greater than ever. A CISO is not only a technologist but also an individual who is a leader, someone who can see the big picture. Based on current knowledge, the paper presented the first 90 days of a CISO in terms of five phases: Preparation, Assessment, Planning, Execution and Measurement. Some of the phases may overlap, and some may take more time than others. The five-phase plan is a minimum requirement to enjoy success in the role of a CISO. As seen from the five phases, the role of a CISO is to communicate effectively with key leaders and to manifest a holistic approach to security, with goals that are aligned with the business goals and objectives.
References
Brenner, B. (2010, November 2). The New CISO: How the role has changed in 5 years. Retrieved December 5, 2014, from http://www.csoonline.com
Cho, M. (2003, January 1). Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer. Retrieved November 26, 2014, from http://www.sans.org/reading-room/whitepapers/assurance
Cisco. (2014, February 5). Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. Retrieved December 5, 2014, from http://www.cisco.com
Deign, J. (2014, January 6). What Might it Take to Be a Chief Security Officer in 2014? Retrieved November 26, 2014, from http://newsroom.cisco.com
Fimlaid, J. (2014, November 18). The First 101 Days as a New CISO - A Chief Information Security Officer's Playbook. Retrieved November 26, 2014, from https://nuharbor.net
PwC. (2014, September 30). Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015. Retrieved December 4, 2014, from http://www.pwc.com
Scholtz, T., & Byrnes, C. (2014, June 27). The Chief Information Security Officer's First 100 Days. Retrieved November 26, 2014, from http://www.gartner.com