- 1. CISO Meeting 2017 MISTI
Quick overview [lessons learned and tips and tricks]
Cyber Governance, Risk & Controls
Tooling, “Time to Fix” & Operation
• Expectation, scoping, consequences – before buying
• Root cause analysis – before new (detection) tool
• Simplify IT environment – reduce dependencies
• Software patch (security) – install most recent
• Less is more
Strategy, Governance & Communication
• Cyber maturity insight – organizational/C-level
• Cyber strategy alignment – with Corporate Strategy
• SWOT & Balanced Scorecard – analysis from business
• Security (structural) benefits – create insight
Compliance, Controls & Cyber Risks
• Start thinking as a cyber criminal
• Basic understanding of cyber risk components
• Profiling your organization – intrusion paths/attackers
• Branch/industry-specific control framework
• Integrated approach – when mitigating risks
• Testing the (internal) controls – use maturity levels
• Cyber risk register – create/maintain
Global crime – Global approach: information sharing & joint effort
• Essential cross-border cooperation – timely information exchange with involved authorities, CISOs, ethical hackers and other stakeholders
• Global multidisciplinary approach – needed/advisable
- 2. 1. Strategy, Governance & Communication
Still a gap to bridge between the Board of Directors and the CISO.
The corporate strategy, governance and priorities of the business/organization are not always aligned with the focus area, domain and activities of the security organization.
“Non- or minimal alignment between the Corporate Strategy and Cyber Strategy”
GDI.Foundation
- 3. Tips & Tricks – 1. Strategy, Governance & Communication
1. When creating the cyber strategy, first gain insight into the cyber maturity level (rating) of the organization, IT product or service and controls. This creates awareness for the board: it helps them understand the current level and what it takes to achieve a higher level of cyber resilience.
2. Align the cyber strategy with the corporate strategy of the organization and business unit(s).
3. Make use of the business SWOT analyses and/or BSC (Balanced Scorecard) to align your security actions with the business goals. It helps the business recognize the benefits, but also the risks, when deciding whether or not to invest in security.
4. Also give insight (business case) into the (structural) benefits for the business when the necessary cyber security improvements are executed, not only the threats.
- 4. 2. Compliance, Controls & Cyber Risk
The main focus of many organizations is on “old” compliance rules and controls.
You cannot get “in control” of cyber risks when the control frameworks and compliance checks are still based on the “old” IT world.
“Another approach is needed in tackling cyber crime and reducing cyber risks”
- 5. Tips & Tricks – 2. Compliance, Controls & Cyber Risk
1. Widen your scope and start thinking as a cyber criminal. What you consider “in control” is not necessarily the scope a cyber criminal works within.
2. Understand the basics of cyber risk: the risk components and controls, as well as the cohesion between these elements when reducing the cyber risk.
3. Profile your organization, its intrusion paths and its attackers, and check the hardening and connectivity requirements.
4. Make (or use) branch/industry-specific controls. Cyber security is more than controls concerning the CIA (confidentiality, integrity, availability) of data, which is the focus of current information security frameworks. The controls should be aligned with the industry/market in which the organization operates and the cyber risks it is confronted with.
5. Use an integrated approach when dealing with cyber risks and controls. The integrated approach gives insight into the effectiveness of the mix of controls and safeguards the cohesion between the controls and the cyber risk(s).
6. When testing the (internal) controls, use maturity levels. This creates a better overview of the effectiveness of the current controls and of what is needed. It also helps the auditors in giving assurance.
7. Make sure you have a (corporate) cyber risk register to keep track of the detected vulnerabilities (risks) and the improvement actions agreed with the risk owner/business when mitigating the risk.
- 6. 3. Tooling, “Time to Fix” & Organization
Knowledge of vulnerabilities does not mean they are solved on time.
There can be a difference between the priority of security (threats) and the priority of the business. The impact of a threat is sometimes underestimated by the business owners and also depends on the risk appetite and maturity level of the organization.
“A new tool is not always the solution if you don’t know the root cause”
- 7. Tips & Tricks – 3. Tooling, “Time to Fix” & Organization
1. Agree on the expectations, scoping and consequences together with the business before buying a (new) tool or executing a pentest.
2. Less is more: focus on and prioritize the countermeasures together with the business.
3. Do a root cause analysis before introducing another “new” detection tool. The problem might have an organizational or procedural cause that cannot be fixed by a tool.
4. Try to simplify the IT environment and reduce the dependencies between IT components, devices etc., e.g. use virtualization or BGP (Border Gateway Protocol) when isolating services/environments. This also reduces the impact of malware and ransomware and makes “on time” patching more feasible.
5. Control and make sure you have the most recent (security) software patch installed!
- 8. 4. Global crime needs a global approach
The internet gives access to a world of information and resources.
But the internet is also a global highway for organizations and criminals. The speed of new vulnerabilities, the new knowledge of criminals and the professionalization of criminal organizations are all increasing rapidly.
“Timely information sharing is essential to prevent misuse and to reduce the impact of cyber crime”
- 9. Tips & Tricks – 4. Global crime needs a global approach
1. A global and centralized exchange platform to share information will create effective cross-border cooperation between the involved authorities, CISOs, ethical hackers and others. Cross-border cooperation and timely exchange of information are essential to achieve higher cyber resilience and to act on time.
2. Besides cross-border cooperation, a holistic and multidisciplinary approach is more than advisable when dealing with (future) cyber risk. The best results are delivered when the different areas of expertise, e.g. psychologists, sociologists, IT specialists, security, architects etc., are combined and the professionals work together. The challenge is how to work together and inform each other in a global world.
- 11. Summary
CISO Europe meeting 2017 – MISTI
Cyber Governance, Risk & Controls
Tooling, “Time to Fix” & Operation
• Expectation, scoping, consequences – before buying
• Root cause analysis – before new (detection) tool
• Simplify IT environment – reduce dependencies
• Software patch (security) – install most recent
• Less is more
Strategy, Governance & Communication
• Cyber maturity insight – organizational/C-level
• Cyber strategy alignment – with Corporate Strategy
• SWOT & Balanced Scorecard – analysis from business
• Security (structural) benefits – create insight
Compliance, Controls & Cyber Risks
• Start thinking as a cyber criminal
• Basic understanding of cyber risk components
• Profiling your organization – intrusion paths/attackers
• Branch/industry-specific control framework
• Integrated approach – when mitigating risks
• Testing the (internal) controls – use maturity levels
• Cyber risk register – create/maintain
Global crime – Global approach: information sharing & joint effort
• Essential cross-border cooperation – timely information exchange with involved authorities, CISOs, ethical hackers and other stakeholders
• Global multidisciplinary approach – needed/advisable
- 13. References / sources
• MISTI's 14th annual CISO Europe Conference & Roundtable: http://cisoeurope.misti.com/
• Cyber Capacity Maturity Model (Oxford): https://www.thegfce.com/initiatives/a/assessing-and-developing-cybersecurity-capability/documents/publications/2017/02/13/cybersecurity-cmm-for-nations
• Article: On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education: https://www.csacademy.nl/images/MP-IST-122-12-paper-published.pdf
• Guidance for Information Security Maturity Model (NBA): https://drive.google.com/drive/folders/0B5UPpltmS97FWDdZaVVSX1NHSms
• CSIRT Maturity Quick Scan (NCSC): https://check.ncsc.nl/
• Measuring SOC capability & maturity: https://soc-cmm.com/
• See for more information “Risk Management ISO3001, ISO27001 & Cyber Security Framework (NIST)”: http://www.iso27001security.com/html/toolkit.html and https://www.nist.gov/cyberframework/draft-version-11
• Report “Exploration sharing cybersecurity information in the top-sectors”: https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2017/03/07/verkenning-cybersecurity-informatiedeling-binnen-de-topsectoren/Cybersecurity+Informatiedeling+binnen+de+Topsectoren.pdf
• “A model how to map your Cyber Maturity with the security level of your IT service/Device”: https://drive.google.com/file/d/0B5UPpltmS97FakM4YnVnZUFIMm8/view
Editor's Notes
- Adjust alignment
- Adjust alignment