
InfoSec Leaders Handbook is Published – Edition 1

The book is published and is available for download from the main page of this web site (https://infosecleadershandbook.wordpress.com/). It is also available in print form from amazon.com at http://www.amazon.com/Information-Security-Leaders-Handbook-Fundamental/dp/1492160369/. Please read it and post your review and critique.

CISO Strategy Building Blocks

The CISO role is not an easy one to be in. The scope of CISO responsibilities spans almost all aspects of the business in the form of risk management. This includes, but is not limited to, security operations, compliance, architecture, business partners, legal, Human Resources, and overall risk management. The following diagram shows some of these areas.

[Figure: CISO Job Responsibility Mindmap]

Managing everything with limited resources and a continuous battle of cost justification takes a lot of discipline. Prioritization, continuous risk assessment, establishing partnerships, and managing expectations are the keys to a CISO’s success. Create an ongoing Plan-Do-Check-Act cycle and delegate as much as you can. Base your strategy on data, and create short-term tactical as well as long-term strategic goals.

This book is an effort to share knowledge by learning from the experiences of successful CISOs who are able to bring order to this chaos.

Suggested Actions

  • Find Time to Strategize – Don’t get bogged down in day-to-day work. Find some time to think about strategy.
  • Set Priorities – Set priorities, as it would be difficult to focus on everything at the same time. You can set your priorities with a 3-year roadmap (or something similar).
  • Security is a Shared Responsibility – Security is everybody’s responsibility. Find partners within your IT organization who can share some responsibilities. For example, the network team may help in security operations. Server and desktop teams will have a stake in identity management. Partner with application development on secure coding practices.
  • Focus on Risk – Focus on risk and not on specific technologies.
  • Strategy and Tactics – Determine short-term and long-term goals that give the best value for reducing risk.
  • Avoid Complexity – Complexity is the enemy of security. There is always a simpler way of doing things. If things look complex to people, they most probably are. Find ways to simplify them.

Align Corporate and Information Security Goals

Let us face it: in addition to strategy, everyone needs goals and objectives to get things done and to measure progress and performance. In a typical organization, the CEO has a list of goals and objectives that trickle down through the chain of leadership. Objectives for IT leaders are usually derived from the CEO’s objectives. Understanding the organizational objectives as well as the personalities of your CEO and CIO helps in creating and aligning the information security strategy.

Most of the business objectives fall into one of the following areas:

  1. Business goals (e.g. increase revenue by X percent, open 20 new retail locations, mobile workforce)
  2. Industry drivers (e.g. use of mobile apps, enable video, be compliant with a new standard)
  3. Internal issues and improvements (e.g. improve response time of banking application)

The success of an information security program lies in managing risk while supporting the corporate goals and objectives. Understanding corporate objectives is the first step towards achieving this success.

Suggested Actions

  • Goal Alignment – Find the annual goals and objectives of your CEO and CIO. Make sure your strategy and projects are tied to one or more of these objectives.
  • Personality Understanding – Understand the CIO’s and CEO’s personalities and their approach towards IT and information security: do they like to build internal resources or rely more on vendors, etc.? Take note of important personality traits.
  • Periodic Review – There may be a periodic review of corporate goals and objectives. Be part of this review and demonstrate how information security is helping in achieving corporate objectives. Risk management and information security budget management can easily be tied to organizational objectives. Schedule a quarterly review meeting for the information security strategy.
  • Mutual Cooperation – It is much easier to bundle security objectives with corporate goals. For example, if there is a planned redesign of an ecommerce application, you may be able to implement or enhance identity management as part of it.

You can use a mind map like the following to list corporate objectives and tie information security objectives to them.

[Figure: goals-mapping mind map]

Remember, it does not need to be a fancy mind map. Many times you can draw this type of map on your whiteboard simply by using dry-erase markers.

 

Learn Organization’s Business

The primary reason for the existence of any business is to make money. The reason for the existence of the information security team in an organization is to effectively manage the business risk related to information security. Any great CISO (or a person in a leadership position) must understand how the organization’s business works. Note that I am using “business” as a loose term. In the case of government organizations, the business may be providing certain services to your constituents. The key thing to understand is that every organization has a purpose and information security has to support that purpose. The only exceptions to this are the vendors of information security products and services, where information security itself is the primary business. So unless you are working for an information security company, the primary business of your organization is something other than information security, and you must understand it thoroughly.

Learning the business boils down to only two things:

  • How does your organization earn money?
  • Where is the money spent?

The corporate strategy and organizational structure control these two major objectives. As an information security professional, the more you understand the company’s business, the more effective you will be at putting information security in context.

Suggested Actions

The following is a list of basic information that you should know about the business of your organization.

  • Organizational Structure – Review organizational charts and find out who is who in your organization. You must know the key people in the organization who you are going to interact with.
  • Lines of Business – Find out if there are multiple lines of business and their share of overall business revenue and profit.
  • Products and Services – Get to know the products and services offered by your organization and their respective revenue. Find out about any future products and services that are in the pipeline.
  • Major Business Partners – Find out who the major business partners are.
  • Budget Cycle – When does the budget process start, and how are projects approved?
  • Important Customers – Who are the largest customers?
  • Role of Technology – How important a role does technology play in the business? What major technologies are currently being used?
  • Geography – Is your organization engaged in international business? How many people does it employ, and where?
  • Major Competitors – Find out who the major competitors of your organization are.
  • Stock Information – If you are part of a publicly traded company, find its stock and quarterly reports. Find out how the stock has fluctuated in the past 12 months and why.

The following is a sample mind map. You can draw your own or expand on it. This will create a picture of the business in your mind and make it easy for you to understand corporate dynamics.

[Figure: sample business mind map]

Know Data, Insist for Data

Avoid fixing problems that don’t exist. It is imperative that decisions (and opinions) are based upon data and facts. There was a time in the information security industry when data was not readily available. A number of reliable sources of data are available now, and there is no reason to make decisions based upon market hype, aggressive vendor marketing, or personal likes and dislikes. Some of these data sources include research reports from security vendors, industry analysis, and online data-gathering web sites. All of this can help you make informed decisions. Collecting and mining data from within your organization will also be of great value to you.

Some of these data sources are listed below; there are many more from reputable organizations.

  • Verizon DBIR – The Data Breach Investigation Report (DBIR) from Verizon is published on an annual basis and contains the results of a large number of data breach investigations.
  • Arbor DDoS Survey Report – Arbor Networks publishes a comprehensive survey report about DDoS activity.
  • DatalossDB – DatalossDB is an online source that records known data breaches (datalossdb.org).
  • Analyst Reports – Gartner, Forrester and other industry analysts publish their analysis of information security on an ongoing basis.
  • Security Vendors – Many security vendors, including Imperva, SpiderLabs/Trustwave, Cisco, Symantec, etc., publish their own reports about information security that include useful data.
  • Internal Data Sources – You have data coming from your internal systems, including system logs, IDS/IPS alerts, firewall permit/deny logs, successful/failed logins, NetFlow data, FIM[1] and WAF[2] logs.

Use these data sources for education and awareness in your monthly or quarterly leadership meetings, as well as for building business cases for your projects.
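As an added example (not code from the handbook or its author), the following Python script shows what "collecting and mining data from within your organization" can look like in practice: it parses a few constructed firewall permit/deny lines and SSH authentication lines, counts what is being denied and who is failing to log in, and correlates the two logs to produce a short, data-backed briefing. The log formats, host names, addresses, regular expressions and the failed-login threshold are all assumptions made for the example.

```python
"""Turn a handful of internal log lines into numbers for a leadership briefing.

Added example (not code from the handbook). The log formats, host names,
addresses and the failed-login threshold are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data (not real captures). Addresses come from the
# RFC 5737 documentation ranges. The last firewall line is deliberately
# malformed to show that unparsed input is counted, not silently dropped.
FIREWALL_LOGS = """\
2024-03-01T10:00:01 fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T10:00:02 fw01 PERMIT src=192.0.2.55 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T10:00:03 fw01 DENY src=198.51.100.7 dst=192.0.2.11 dport=3389 proto=tcp
2024-03-01T10:00:04 fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T10:00:05 fw01 DENY src=198.51.100.7 dst=192.0.2.12 dport=3389 proto=tcp
2024-03-01T10:00:06 fw01 PERMIT src=192.0.2.56 dst=192.0.2.20 dport=80 proto=tcp
this line is not in the expected format
"""

AUTH_LOGS = """\
Mar  1 10:01:11 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Mar  1 10:01:13 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51523 ssh2
Mar  1 10:01:15 app01 sshd[2203]: Failed password for root from 203.0.113.9 port 51524 ssh2
Mar  1 10:01:20 app01 sshd[2210]: Accepted publickey for deploy from 192.0.2.55 port 40112 ssh2
Mar  1 10:01:30 app01 sshd[2215]: Failed password for alice from 192.0.2.77 port 40200 ssh2
"""

# Assumed line formats; adapt these patterns to whatever your devices emit.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>PERMIT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)
AUTH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
AUTH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def summarize_firewall(text):
    """Count permits and denies, which ports are denied, and which sources are denied."""
    actions, denied_ports, deny_sources = Counter(), Counter(), Counter()
    unparsed = 0
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m is None:
            unparsed += 1  # the size of the gap in your data is itself a data point
            continue
        actions[m["action"]] += 1
        if m["action"] == "DENY":
            denied_ports[m["dport"]] += 1
            deny_sources[m["src"]] += 1
    return {
        "actions": dict(actions),
        "denied_ports": dict(denied_ports),
        "deny_sources": dict(deny_sources),
        "unparsed": unparsed,
    }


def summarize_auth(text):
    """Count failed and successful logins per source, and which accounts the failures targeted."""
    failures, successes = Counter(), Counter()
    failed_users = defaultdict(set)
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[m["src"]] += 1
            failed_users[m["src"]].add(m["user"])
            continue
        m = AUTH_OK_RE.search(line)
        if m:
            successes[m["src"]] += 1
    return {
        "failures": dict(failures),
        "successes": dict(successes),
        "failed_users": {src: sorted(users) for src, users in failed_users.items()},
    }


def flag_sources(fw_summary, auth_summary, fail_threshold=3):
    """Sources the firewall denied AND that reached the failed-login threshold.

    Correlating two independent logs is what turns "we think we are being
    probed" into an assertion backed by data. The threshold is an assumption.
    """
    denied = set(fw_summary["deny_sources"])
    noisy = {src for src, n in auth_summary["failures"].items() if n >= fail_threshold}
    return sorted(denied & noisy)


def briefing(fw_summary, auth_summary):
    """Plain-text lines suitable for a leadership slide."""
    flagged = flag_sources(fw_summary, auth_summary)
    return [
        f"Firewall events: {fw_summary['actions']} ({fw_summary['unparsed']} unparsed lines)",
        f"Denied destination ports: {fw_summary['denied_ports']}",
        f"Failed logins by source: {auth_summary['failures']}",
        f"Sources both denied by the firewall and repeatedly failing logins: {flagged or 'none'}",
    ]


if __name__ == "__main__":
    fw = summarize_firewall(FIREWALL_LOGS)
    auth = summarize_auth(AUTH_LOGS)
    print("\n".join(briefing(fw, auth)))
```

Run it with `python3` and it prints the four briefing lines. The point of `flag_sources` is the one the section makes: a single source of data supports an impression, whereas two independent sources that agree support an assertion, and counting unparsed lines keeps you honest about how much of your own data you are actually seeing.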

Suggested Actions

  1. Subscriptions – Subscribe to external data sources to make informed decisions and build business cases.
  2. Visualization Tools – Use visualization tools and the security data for internal education and awareness purposes.
  3. Bust Wrong Assertions – Insist on data to back up assertions made by information security team members as well as by people outside information security. You can save a tremendous amount of money and time by avoiding solutions and projects that have little to no value.
  4. Communicate – Communicate data findings to the IT and business leadership. It will bring credibility to the information security team.


[1] FIM – File Integrity Monitoring tools, used to detect unauthorized changes to the file system.

[2] WAF – Web Application Firewall, used for protecting web-based applications and eCommerce.