The CISO Checklist

Captions
What, if I accomplished it, would make this the best year ever? What, if I accomplished it over the next four months, would change the entire trajectory of my career or my life? Welcome to Life of a CISO. I'm Dr. Eric Cole, your host, and we'll be taking you on a journey each week on what it takes to be a CISO and what are solutions that you can implement today if you are currently a Chief Information Security Officer or if you want to be one in the future. This is Life of a CISO.

Welcome, welcome, welcome, welcome to this week's edition of Life of a CISO with yours truly, Dr. E, in the house. Hope you're doing awesome, hope you're enjoying the transition from summer into fall. Right, we're heading into September. All right, four months left in the year, and I know you are crushing it, but as always it's never too late to reset. It's never too late to go in and say, okay, what do I want to accomplish for the rest of this year? The way that I like to do it is a little different. With four months left, what, if I accomplished it, would make this the best year ever? What, if I accomplished it over the next four months, would change the entire trajectory of my career or my life? It's just a different shift, because often we go in and we want to set these goals, and the reality is when you set goals or resolutions or whatever you want to call them and you don't accomplish them, it's one simple reason: they weren't that important to you. Because if they were that important to you, if they were that critical, if they became non-negotiables and you went all in, ride or die, trust me, you would have gotten them done and you would have exceeded them. So the problem isn't with goal setting or resolutions. That's what everyone says the problem is. No, the problem has nothing to do with that. The problem is you're not getting passionate enough about who you need to become. Everyone focuses on the what or the why. The reality is, yes, you might like a nicer car, but is it really that important to you? Is it really that important that you're going to change your entire life, your structure, your lifestyle? You're willing to give up golf and work a part-time job in order to get that? Probably not, right? So, not that important to you. But when you go in and it's life-changing, when you make it, you're becoming a different person, you are changing the trajectory of your life, the trajectory of your career, who you are going to become. You are making changes that go beyond driving a car that's 10K more than what you're currently driving, right? It is changing the trajectory of your life. There's a different energy, there's a different focus, there's a different excitement. So if you're one of those folks that struggle or have a little difficulty in that area of targets, try getting more energy and more passion around it.

But what I want to do is get you more passionate about being a world-class Chief Information Security Officer. I don't want you to be average, I don't want you to be good. Now here's the problem. The problem today is there's such a demand for Chief Information Security Officers. This is one of those sort of overnight regulations: SEC, European regulations and others all of a sudden, overnight, started saying you must have a CISO, you must have a Chief Information Security Officer. So all of a sudden companies either started anointing people within, taking one of their best technical people and saying, you are now Chief Information Security Officer, boom, go forth and conquer. And the problem is they're a security engineer, and they're going to act like a security engineer, and they're going to behave like a security engineer, and they're not going to be a CISO. But the problem with the regulations and the compliance and a lot of the different laws out there is all they say is you must have a CISO. You on your org chart must have somebody that has those four letters next to their name. They don't define what the job is, who it is, how it works or anything else. So in many of these companies they have somebody with the title but nobody playing the role, and companies are starting to realize that's hurting them. Because if there's nobody who's really a chief officer whose focus, from a business standpoint, is making sure cyber security is implemented correctly in this current day and age, with all the threats and all the targets and everything going on out there, it's going to hurt the organization. So then you have these companies that now are saying, okay, randomly taking a security engineer who's super good at techie stuff and trying to make them a strategic chief officer doesn't work. So now you're looking for a real Chief Information Security Officer. The problem is, because it's such a new area, there's very few people with experience in that. So those with experience are very valuable, and those that are really good are compensated extremely well in that area. But now you have all these companies that need a Chief Information Security Officer, so they're going to have to bring somebody in as what we call a first-timer. They currently aren't a CISO, but they might be a deputy, they might be an information security officer, they might be a manager, and they're going in and giving them that chance. Because there's so many opportunities out there, which means it's very easy to get a job being average. So unfortunately a lot of people are like, okay, let's just do the minimum, do the basics and become a good Chief Information Security Officer, and you will have a good job and a good salary. I don't want that for you. I look at you, I'm looking in your eyes, I'm looking in your eyes, I see greatness. I want you to be world class. I want you to be the one who writes the books. I want you to be the one who's giving the keynotes. I want you to be the thought leader. I want you to be the one that when somebody at a Fortune 10 company, when the CEO of a Fortune 10 company starts saying we need the best Chief Information Security Officer out there, everybody they talk to says your name: you have to hire X. That's what I want for you. That's my vision for you.

Now you can do one of two things. You can accept the baton. I'm handing that baton to you. You can accept the baton and you can become that version, or you could sit there and go, I don't know if I want that, come on Eric, you don't know me, I'm not sure if I want to put in that energy and effort, and you can drop the baton. But that choice is yours. I will give you everything you need, I will set you up, I will encourage you, I will support you. And here's the problem, and I'm not just saying this, it's not superficial: I truly believe that's true for you. We might not have met in person, but trust me, there's a reason you're listening to this podcast, there's a reason you found this podcast, there's a reason you are continually listening now even after everything I said for the first eight minutes. So trust me, if you are still listening there is something special about you, there is something unique about you. You have everything it takes to be that world-class CISO that everybody wants, that everybody wants on their stages, that everybody wants at their company. But here's the simple truth: I can believe in you and I can support you, but if you don't believe you're world class and you're not going to show up as world class, that's all that matters. My beliefs don't matter. So you need to get the conviction, you need to go deep and realize how great you really are, and you need to own it. You need to own that greatness, because until you own it... and it's not from arrogance, it's not from being cocky, it's from you truly are the best, you are truly a world-class CISO.

So what I'd like to cover today is sort of what I call the CISO checklist, because the questions I get the most, whether I'm doing individual coaching with my high-end clients, whether I'm doing group coaching, whether I'm on stage, whether I'm on a panel, whether I'm in a group, whether I meet somebody at an airport, all the questions that I usually get revolve around this: Eric, how do I turn a company around if they weren't really security-centric? Or, Eric, I know I really was not stepping up over the last year, and I had the title but I wasn't really a CISO, what do I need to do to step into that role? Or, Eric, I'm a brand new CISO, what do I do in the first 90 days? And all those types of questions are basically around how do we systemize the role of a CISO. What are the core steps, components or pieces that need to be in place in order for an organization to truly step up and own and implement security the way they're supposed to?

So first and foremost, first and foremost, the first item you must have in place is buy-in and conviction from the executive team on what the risk posture for the organization is. Now this is the core, the core group: your CEO, COO, CFO, maybe Chief Legal Officer, and in a company it's maybe four or five people. But you need to sit with them and say, okay, we all know, or maybe you don't and you need to educate, but a hundred percent security doesn't exist. The only way we could have 100% security is zero functionality, which means if we have a functional business that's making money there's going to be risks. So we need to figure out, right here, right now, what is our risk tolerance? What risks are we willing to accept and what risks are we not willing to accept? Because this is the fundamental problem where companies struggle. If there's not an agreement on what is an acceptable level of risk, then basically it's the Wild West and all risk is allowed. Because if there's not a risk tolerance, here's the problem: if there's not a list that says, okay, here's the line, below the line, okay, we don't need to know about it, we're giving you authority, Mr. or Mrs. CISO, that any risk below this line you will work out with the business owner. It's acceptable, they will manage it, they will control it, and we're good and we don't need to hear about it. But any risks above the line that you informed the business owner is not acceptable, and they decide to do it anyway, they decide not to listen to you and do it anyway, then those need to be brought to us, and we need to be made aware of them, and we need to go in and decide whether that was a correct or not a correct decision. And now it's only three or four or five of these, so because it's a small number they actually can manage and process them correctly. But here's the issue: if there's no risk posture, if there's no risk tolerance, if there's no line that says what is or is not acceptable risk, then every risk has to be brought to them. Hundreds of risks get brought to them. It's too much, it's overwhelming, it's outside their pay grade, they should not be deciding on small little risks, and they end up ignoring it, and then every risk becomes acceptable. And that's these companies that you sit back and say, how did that happen? Did you ever look at some of these big breaches where billion-dollar companies that have hundreds of people working in security, and they spend millions upon millions upon millions a year, and they do what appears to be a very silly item that is a risk that should have never, ever, ever been allowed or tolerated, and you sit there and go, how did that happen? And I just told you: it happened because there was no risk posture, there was no risk tolerance. And if there's no risk tolerance or risk posture, then all risk is allowed and all risk becomes acceptable. So that's the first thing that has to be done on a CISO checklist. You have to get that agreement. Then it needs to be socialized with the board, and then it needs to be socialized with all the executives across the business, going and saying, hey, just so everyone's aware, this is the current risk posture or risk tolerance that our organization allows. Security is going to work with you. If it's below this, you can accept or manage it, we will make you aware, but we're good. But if you go above it and you decide not to listen to us, then it's going to be brought to the executives. We're not telling on you, we're not going behind your back, we're just letting you know the current stance we're taking in this organization. This is how we're approaching risk.

So I sort of implied it there, but the second step is to actually have a risk management and approval process in place that your executives are a part of. This is the other big problem. Most companies, the way they run it today, and the reason why you see these horrendous, horrific breaches, is because it's simple: business executives have all the authority but the CISO has all the responsibility. So, and there's no response there, there's no risk tolerance, so essentially these business owners go in and say, we're going to do this crazy, crazy thing, and the CISO is like, no, too risky, unacceptable, not gonna do it. And they go, tough, you don't control us, I don't report to you, I report to the CEO, and you can go ahead and tell them, because once again there's no risk tolerance. So there's hundreds of risks, so it just becomes noise and they ignore all of them. And guess what happens? They do it, because there's a financial driver behind it, there's a financial revenue number, so they do it. A major breach happens. What happens? We see it all the time: they fire the CISO. They basically say, oh, the CISO didn't do their job, they didn't implement effective security. And the reality is there's no risk management or escalation program in place, and the system is completely broken. So the first thing world-class CISOs do is they have a risk posture the executives agree with. The second thing they do is they socialize and build out the risk management and escalation program across the entire company, and they do training against it. The training is simple. Right now the way most executives think is this: they ask one question, what is the value or benefit we get from doing this? And if there's any, any financial benefit to doing it, they do it. Here's the problem: they completely ignore the risk. So all you want to do is train them, very simple, to ask additional questions. So what every executive should be trained on is: what is the value or benefit of doing this? What is the risk or exposure? Then, is the value or benefit worth the risk or exposure? That's all security is. That's the simplest, easiest way of doing security. We make it so complicated, we add so many layers, we confuse the matter, but it's really that simple. Cyber security is not yes or no. Cyber security is about risk management. That's why the first several items in the CISO checklist are all about getting your risk house in order. It's really simple: what is the value and benefit, what is the risk and exposure, and is the value or benefit worth the risk or exposure? It's really that simple. And if you can get your executives all trained on thinking that way, all of a sudden your life becomes a whole lot easier.

Next on the CISO checklist: a prioritized list of business assets. You must have a list of all your business assets. You can call them business processes tied to business assets, but you must have a list of all the business processes, all of the assets in your organization, and a map to those business processes, and you must have them prioritized. This is the number one, number two, number three, number four. That's the other huge problem. Companies are spending millions upon millions, in some cases hundreds of millions, on security, they have 300 people doing it, but they're fixing the wrong problem. They're not focused in on the right area because there's no prioritized list. Once again you sit there and go, how can a system that has 500 million records of all of a company's customers' PII, plus plus, be connected to the internet, not patched, not updated, simple passwords? I mean, you see it and go, how in the world could that possibly have occurred? And simple: there was no prioritized list. So they're just doing a lot of random things that are good, but they're not doing the right things that really matter to the organization. So we need to flip that. We need to go in and have a prioritized list. Now once again you'll notice my CISO checklist, a lot of this involves the core executives, because security has to start at the top. This is where security is broken. It's not a technical problem. Cyber security is not a technical problem. IT is a technical problem. IT is much simpler. IT, you don't have to do all this, you don't have to do postures, prioritized lists or anything else. It's quite simple: you go in, you look at redundancy, you make sure there's enough redundancy, and if there's not enough redundancy and failover, you buy more technology. It is a pure-play technical problem. Where the system breaks is when people think cyber security is a technical problem and we just buy more stuff and it fixes the issue. It doesn't. It is a business problem, it is a strategic problem, and it requires us understanding the business, knowing the business and getting the executives in the business involved. So they have to help create that prioritized list, and it's really easy. Here's why. If you go to the head of marketing and you say, what's the most critical app? They'll say marketing. And if you go to sales and say, what's the most critical app? What are they going to say? Sales, right? So the only people that truly can prioritize across the entire business are the executives. So we then have to have our prioritized list of critical business processes and assets. So we have a risk posture, we have a risk management and escalation policy, and we have our prioritized list of assets. That is what I call the core. If you don't have that you're going to struggle. If you don't have that you're going to misuse resources. If you don't have that you're going to have a hard time securing and protecting an organization. Those are the core areas.

Then the next thing on your checklist is remove and get rid of unacceptable risks. Have your list of non-negotiables. For example, when I run a business, when I'm a CISO or a vCISO or help out in those areas, it's simple: any system that's directly connected to the internet, so any system that has visibility to the internet, whether it's email, whether it's a web server, whether it's content, whatever it is, but if it's a system that people can directly connect to from the internet, it must be fully patched and it cannot contain critical data. Non-negotiable, non-negotiable. There's never a situation where we allow that to happen. Why? Too big a risk, too big a risk, too big an exposure, and it's not necessary. There's no reason why publicly facing systems cannot be patched, and there's absolutely no reason why publicly facing systems should have critical data. So create your list of non-negotiables. Other non-negotiables could be: all endpoint systems must have behavioral-based analytics on them. Now, you control the baseline, you control the image, so some of those are a little more easy. But once again, a more sensitive one, you might decide, based on the risk and all the work you did, that one of your non-negotiables is simple: no BYOD, no personal devices. If somebody is going to use their personal device for work, we would rather buy it, control it, manage it and only use it for work-related activity. That additional cost is worth the benefit over using personal devices with personal information on them and personal leakage and personal exposure. Once again, I'm not saying these last couple... these are examples of non-negotiables. You need to create your own. So these are just examples of what you need to do. You then have to have your list of non-negotiables.

And then the last thing you need to do on your CISO checklist is know where your critical data is. Yes, we put together a prioritized list, but do you really know where your critical data is located? With most of our clients, here's what happens. I go, what is your critical data and where is it located? And they go, oh, this is our critical data and it's located on three servers. Great. Guess what? It is located on three servers, but it's also located on two others that they're not aware of. So now it's located on five servers, but they only think it's on three, so they're going to put all their energy and effort on focusing on three and ignore the two. So the other key thing is data discovery. You need to know where your critical data is and where it's located so you can properly protect, control and secure it.

So there's always more that can be done and you can add to that, but that's sort of my core CISO checklist: gotta have your risk posture, risk management with escalation, prioritized list of critical assets, gotta have your list of non-negotiables that you socialize, and then you have to know, control and manage your data. You do those five things and you're going to have a solid foundation to build the rest of your cyber security program from. I hope you enjoyed this episode of Life of a CISO. Please make sure you follow me on social, Dr. Eric Cole, d-r-e-r-i-c-c-o-l-e, on Instagram and other accounts. And if I can help you take your career to that next level, you want to go quicker and faster than the free resources, I also have some coaching programs I'd love to get you involved in. So reach out, we'd love to hear from you. Otherwise we'll catch you next week on Life of a CISO.
Info
Channel: Dr Eric Cole
Views: 2,131
Id: B8YLo2KVwgU
Length: 26min 57sec (1617 seconds)
Published: Thu Sep 07 2023