CISO Meeting 2017 MISTI
Quick overview [lessons learned and tips and tricks]
Tooling, “Time to Fix” & Operation
• Expectation, scoping, consequences - before buying
• Root cause analysis – before new (detection) tool
• Simplify IT environment – reduce dependencies
• Software patch (security) – install most recent
• Less is more
Strategy, Governance & Communication
• Cyber maturity insight – organizational/C-level
• Cyber strategy alignment - with corporate strategy
• SWOT & Balanced Scorecard – analysis from the business
• Security (structural) benefits – create insight
Compliance, Controls & Cyber Risks
• Start thinking as a cyber criminal
• Basic understanding of cyber risk components
• Profiling your organization – intrusion paths/attackers
• Branch/industry-specific control framework
• Integrated approach - when mitigating risks
• Testing the (internal) controls - use maturity levels
• Cyber risk register – create/maintain
Global crime - Global approach:
Information share & joint effort
• Essential cross-border cooperation - timely information exchange with involved authorities, CISOs, ethical hackers and other stakeholders
• Global multidisciplinary approach - needed/advisable
Cyber Governance,
Risk & Controls
There is still a gap to bridge between the Board of Directors and the CISO.
The corporate strategy, governance and priorities of the business/organization are not always aligned with
the focus area, domain and activities of the security organization.
1. Strategy, Governance & Communication
“No or minimal alignment
between the
corporate strategy and the cyber strategy”
GDI.Foundation
Tips & Tricks
1. When creating the cyber strategy, first gain insight into the cyber maturity level
(rating) of the organization, the IT product or service and its controls. Use it to make
the board aware of the current level and of what it takes to achieve a higher level of
cyber resilience.
2. Align the cyber strategy with the corporate strategy of the organization and its
business unit(s).
3. Use the business SWOT analysis and/or BSC (Balanced Scorecard) to align your
security actions with the business goals. It helps the business recognize the benefits,
but also the risks, when deciding whether or not to invest in security.
4. Also give insight (a business case) into the (structural) benefits for the business
when the necessary cyber security improvements are executed, not only the threats.
The main focus of many organizations is still on "old" compliance rules and controls.
You cannot get “in control” of cyber risks when the control frameworks and compliance
checks are still based on the “old” IT world.
2. Compliance, Controls & Cyber Risk
“Another approach is needed in
tackling cyber crime and reducing
cyber risks”
Tips & Tricks
1. Widen your scope and start thinking as a cyber criminal. What you consider “in control”
is not necessarily the scope a cyber criminal works within.
2. Understand the basics of cyber risk: the risk components, the controls, and how these
elements cohere when reducing the cyber risk.
3. Profile your organization, its intrusion paths and its likely attackers, and check the
resulting hardening and connectivity requirements.
4. Make (or use) branch/industry-specific controls. Cyber security is more than controls
concerning the CIA (confidentiality, integrity, availability) of data, which is the focus of
current information security frameworks. The controls should be aligned with the
industry/market the organization operates in and the cyber risks it is confronted with.
5. Use an integrated approach when dealing with cyber risks and controls. It gives insight
into the effectiveness of the mix of controls and safeguards the cohesion between the
controls and the cyber risk(s).
6. When testing the (internal) controls, use maturity levels. They give a better overview of
the effectiveness of the current controls and of what is still needed, and they help the
auditors give assurance.
7. Make sure you have a (corporate) cyber risk register to keep track of the detected
vulnerabilities (risks) and of the improvement actions agreed with the risk owner/business
when mitigating the risk.
Knowing about vulnerabilities does not mean they are solved on time.
The priority security gives to a threat can differ from the priority the business gives it.
The impact of a threat is sometimes underestimated by the business owners, and it also
depends on the risk appetite and the maturity level of the organization.
3. Tooling, “Time to Fix” & Organization
“ A new tool is not always the solution
if you don’t know the root cause”
Tips & Tricks
1. Agree on expectations, scope and consequences together with the business before
buying a (new) tool or executing a pentest.
2. Less is more: focus and prioritize the countermeasures together with the business.
3. Do a root cause analysis before introducing yet another “new” detection tool. The
cause may be organizational or procedural, and that cannot be fixed by a tool.
4. Try to simplify the IT environment and reduce the dependencies between IT
components, devices etc., e.g. use virtualization and BGP (Border Gateway Protocol)
when isolating services/environments. This also reduces the impact of malware and
ransomware and makes “on time” patching more feasible.
5. Check and make sure the most recent (security) software patches are installed!
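The cyber risk register (tip 7 under Compliance, Controls & Cyber Risk) and the "time to fix" gap between knowing about a vulnerability and actually fixing it (this section) are easiest to make concrete in code. The following is an added example written for this page, not a tool from the presentation or from GDI.Foundation: a small Python register that records each detected vulnerability with its business risk owner and the agreed action, derives a fix-by date from an assumed per-severity SLA, and reports what is overdue, what was closed outside its SLA, and which open risks have no control mapped to them. The severity names, the SLA days, the likelihood x impact score and every sample entry are assumptions, not figures from the slides.

```python
"""Added example: a minimal corporate cyber risk register with "time to fix" tracking.
Illustrative code written for this page, not tooling from the presentation or GDI.Foundation.
SLA days, severity names, likelihood x impact scoring and all sample entries are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLA ("time to fix") in days per severity; agree real values with the business.
TIME_TO_FIX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Review date used with the sample data below (constructed, not a real reporting date).
REVIEW_DATE = date(2017, 5, 1)


@dataclass
class Risk:
    """One register entry: a detected vulnerability, its accountable owner and the agreed action."""
    risk_id: str
    title: str
    severity: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    owner: str                     # business risk owner who agreed the action
    detected_on: date
    agreed_action: str
    controls: list[str] = field(default_factory=list)  # controls mapped to this risk
    closed_on: Optional[date] = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact          # 1..25, used for ordering only

    @property
    def fix_by(self) -> date:
        return self.detected_on + timedelta(days=TIME_TO_FIX_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        return self.closed_on is None and today > self.fix_by

    def time_to_fix(self) -> Optional[int]:
        """Actual days from detection to closure, or None while still open."""
        return None if self.closed_on is None else (self.closed_on - self.detected_on).days


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # Reject entries nobody can act on: unknown severity, no owner, bad scores, duplicate id.
        if risk.severity not in TIME_TO_FIX_DAYS:
            raise ValueError(f"{risk.risk_id}: unknown severity {risk.severity!r}")
        if not risk.owner.strip():
            raise ValueError(f"{risk.risk_id}: a risk owner is required")
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1..5")
        if risk.risk_id in self._risks:
            raise ValueError(f"{risk.risk_id}: duplicate risk id")
        self._risks[risk.risk_id] = risk

    def close(self, risk_id: str, closed_on: date) -> None:
        risk = self._risks[risk_id]
        if closed_on < risk.detected_on:
            raise ValueError(f"{risk_id}: closed before it was detected")
        risk.closed_on = closed_on

    def overdue(self, today: date) -> list[Risk]:
        """Open risks past their fix-by date, highest score first: the agenda for the business."""
        late = [r for r in self._risks.values() if r.is_overdue(today)]
        return sorted(late, key=lambda r: (-r.score, r.fix_by))

    def uncovered(self) -> list[Risk]:
        """Open risks with no control mapped to them: the gaps an integrated approach should expose."""
        return [r for r in self._risks.values() if r.closed_on is None and not r.controls]

    def sla_breaches(self) -> list[Risk]:
        """Closed risks whose actual time to fix exceeded the SLA for their severity."""
        return [r for r in self._risks.values()
                if r.time_to_fix() is not None and r.time_to_fix() > TIME_TO_FIX_DAYS[r.severity]]


def sample_register() -> RiskRegister:
    """Constructed sample entries, not real findings."""
    reg = RiskRegister()
    reg.add(Risk("R-1", "Unpatched internet-facing VPN appliance", "critical", 4, 5, "IT Ops",
                 date(2017, 3, 1), "Apply vendor patch; restrict admin interface", ["patch management"]))
    reg.add(Risk("R-2", "Shared local admin password on workstations", "high", 3, 4, "Workplace",
                 date(2017, 3, 15), "Rotate a unique local admin password per host", ["password rotation"]))
    reg.add(Risk("R-3", "File server restores never tested", "medium", 3, 3, "Finance",
                 date(2017, 4, 10), "Schedule and document a restore test"))
    reg.add(Risk("R-5", "Flat network between office and production", "high", 2, 4, "Network",
                 date(2017, 3, 1), "Segment production from the office network", ["segmentation"]))
    reg.close("R-2", date(2017, 4, 20))   # 36 days: fixed, but outside the 30-day SLA
    return reg
```

Calling `sample_register().overdue(REVIEW_DATE)` returns R-1 and R-5 (both open past their fix-by date, critical first), `sla_breaches()` returns R-2 (closed after 36 days against a 30-day SLA), and `uncovered()` returns R-3 (open with no control mapped). The three lists are exactly what the business and the risk owners need to see: the "time to fix" they agreed to, measured against what actually happened, rather than a raw list of vulnerabilities.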
The internet gives access to a world of information and resources.
But the internet is also a global highway, for organizations and for criminals. The pace of
new vulnerabilities, of new knowledge among criminals and of the professionalization of
criminal organizations is increasing rapidly.
4. Global crime needs a global approach
“Timely information sharing is
essential to prevent misuse and to
reduce the impact of cyber crime”
Tips & Tricks
1. A global, centralized exchange platform for sharing information creates effective
cross-border cooperation between the involved authorities, CISOs, ethical hackers and
others. Cross-border cooperation and timely exchange of information are essential to
achieve higher cyber resilience and to act on time.
2. Besides cross-border cooperation, a holistic and multidisciplinary approach is more
than advisable when dealing with (future) cyber risk. The best results are delivered when
the different kinds of expertise, e.g. psychologists, sociologists, IT specialists, security
specialists, architects etc., are combined and the professionals work together. The
challenge is how to work together and keep each other informed in a global world.
“Cyber Crime prevention
starts with
RESPECT, INTEGRITY & COMPASSION
as a basic ATTITUDE”
The most important “Lesson Learned”
Summary
CISO Europe meeting 2017 - MISTI
Tooling, “Time to Fix” & Operation
• Expectation, scoping, consequences - before buying
• Root cause analysis – before new (detection) tool
• Simplify IT environment – reduce dependencies
• Software patch (security) – install most recent
• Less is more
Strategy, Governance & Communication
• Cyber maturity insight – organizational/C-level
• Cyber strategy alignment - with corporate strategy
• SWOT & Balanced Scorecard – analysis from the business
• Security (structural) benefits – create insight
Compliance, Controls & Cyber Risks
• Start thinking as a cyber criminal
• Basic understanding of cyber risk components
• Profiling your organization – intrusion paths/attackers
• Branch/industry-specific control framework
• Integrated approach - when mitigating risks
• Testing the (internal) controls - use maturity levels
• Cyber risk register – create/maintain
Global crime - Global approach:
Information share & joint effort
• Essential cross-border cooperation - timely information exchange with involved authorities, CISOs, ethical hackers and other stakeholders
• Global multidisciplinary approach - needed/advisable
Cyber Governance,
Risk & Controls
vincent@gdi.foundation
https://nl.linkedin.com/in/vincenttoms
Contact info
GDI.Foundation
A safer Internet
for everybody & everywhere
References / sources
• MISTI's 14th annual CISO Europe Conference & Roundtable http://cisoeurope.misti.com/
• Cyber Capacity Maturity Model (Oxford) https://www.thegfce.com/initiatives/a/assessing-and-developing-cybersecurity-capability/documents/publications/2017/02/13/cybersecurity-cmm-for-nations
• Article: On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education https://www.csacademy.nl/images/MP-IST-122-12-paper-published.pdf
• Guidance for Information Security Maturity Model (NBA) https://drive.google.com/drive/folders/0B5UPpltmS97FWDdZaVVSX1NHSms
• CSIRT Maturity Quick Scan (NCSC) https://check.ncsc.nl/
• Measuring SOC capability & maturity https://soc-cmm.com/
• See for more information “Risk Management ISO 31000, ISO 27001 & Cyber Security Framework (NIST)” http://www.iso27001security.com/html/toolkit.html & https://www.nist.gov/cyberframework/draft-version-11
• Report “Exploration sharing cybersecurity information in the top sectors” https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2017/03/07/verkenning-cybersecurity-informatiedeling-binnen-de-topsectoren/Cybersecurity+Informatiedeling+binnen+de+Topsectoren.pdf
• “A model how to map your Cyber Maturity with the security level of your IT service/Device” https://drive.google.com/file/d/0B5UPpltmS97FakM4YnVnZUFIMm8/view
Editor's Notes
1. Adjust alignment
2. Adjust alignment