CISO DRG Vol 2: Chapter 18 – Building Your Strategic Plan

Introduction

While drafting and editing the material for this book, we thought we could offer additional value by providing an essay on each topic by all three authors, independently edited, to preserve their unique perspective and voice.

It is a technique that was intended to provide multiple viewpoints that would both explore the topics more thoroughly and provide options for readers to use these different viewpoints to help them solve different problems depending on their needs at the time.

We appreciate your tolerance with our construct, and hope we’ve achieved what we intended. In this final chapter, we’ve decided to stitch together our combined perspective and present an integrated essay on building your strategic plan.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What components should the CISO use in developing their cybersecurity strategic plan?

♦  How should the CISO align their strategic plan to the organization’s business objectives?

♦  What steps can the CISO use to leverage the cybersecurity strategic plan for future growth?

Strategic Plan – Bonney, Hayslip & Stamper

How Did I Get into This?

There are many ways you may have come into this responsibility. In larger companies, you may have been the subject of a recruiting process or an internal vetting process. You may be replacing someone or inheriting an issue with board visibility. In this case, you’re probably going to have something in place. In the best case you can carry forward most of the existing plan, but you may be faced with a complete overhaul.

If you’re coming into the position at a smaller company, you could still be subject to an internal vetting process, perhaps as the former “network” or “compliance” person. In this case, you’re likely to have at most a bare skeleton of a plan. It might not be much more than a budget or an organization chart, possibly just a list of services the other IT managers are looking forward to getting off their plates.

We are drawing attention to the latter condition because as we mentioned in the preface to Volume 1, cybercrime will continue to move “down the food chain” as more relative economic value is managed via interconnected computer networks. As a result, many smaller to medium-sized organizations have requirements to have specific security practices and capabilities in place given regulatory obligations or increased diligence necessitated by the organization’s customers and other stakeholders. CISOs hired or promoted by these companies will be scrambling to build security programs from scratch.

We’ll cover the building blocks of a sound strategic plan, aligning the plan to the organization’s business objectives, and using the strategic plan as a roadmap for the future of your cybersecurity function. As we walk through developing the plan, we’ll continue to offer a complete treatment grounded in best practice while also revealing our thought process, maintaining the instructional approach so that this is helpful to CISOs just stepping into the role.

Structure of Your Strategic Plan

The cybersecurity strategic plan needs to be concise and easy to understand, and it should reflect realistic expectations for funding that are in line with what the organization can afford. The plan document is not the place to surface a 300% increase in funding. That is a discussion that should already have taken place between you and the management team and, as appropriate, the board. The document should be organized in a methodical manner that makes it easy for the stakeholders to read, and its objectives should be aligned with current business functions and processes. We recommend the following structure:

1.  Mission Statement – This is the declaration of the organization’s core purpose that normally doesn’t change over time.

Example: Develop and execute a proactive, company-wide security program based on Organization’s strategic business objectives.

2.  Vision Statement – An aspirational description of what the organization would like to achieve or accomplish in the mid-term or long-term future.

Example: Incorporate a continuous security mindset into all aspects of our business functions.

3.  Introduction – This is a statement describing the business and the environment in which the security program currently operates. The executive leadership team typically will use this section to communicate broad information about the cybersecurity program and its critical role in the strategic plan for the business and key stakeholders.

4.  Governance – This portion of the document will explain how the strategic plan will be implemented, who will audit the process, and what committees or personnel will be part of the overall process of assessing its effectiveness and recommending changes to it over time. This is a long-term plan, and there should be a documented process of how this plan will be managed and audited and who will be responsible for it over time.

5.  Strategic Objectives – The strategic objectives define how the cybersecurity organization should invest its time and resources to manage the security risks discovered in the assessment and SWOT data previously described. In laying out the objectives, the CISO is assuming there will be sufficient resources for people, processes, and technology. The objectives typically are arrayed over a one- to three-year timeline. Understand that timelines can be shortened with additional resources. Each objective will have several initiatives, derived from the analyzed security gap data, which need to be completed to achieve the objective.

Objective Examples:

♦  Improved Security of System and Network Services

♦  Proactive Risk Management

♦  Business Process Enablement

♦  Security Incident Management

Your objectives will typically mirror the gaps found in your assessment and the improvements or investments you want to make in currently effective processes that you want to continue to mature.

6.  Key Initiatives – An initiative states which objectives it satisfies when completed, describes the security/risk issues it will alleviate, and states the benefits it brings to the business when completed.

The following is an example of an initiative:

Initiative 1 – Security Policy, Standards, and Guidelines Framework

Enables Objectives – Improved security of system and network services, proactive risk management, and crisis and security incident management.

Description – Develop, approve, and launch a suite of information security policies, standards, and guidelines based on the ISO/IEC 27001 code of best practices for information security. These policies will formally establish the organization’s Cybersecurity Program and set forth employee responsibility for information protection. The policy, standards, and guideline framework will also take into consideration the multitude of Federal, State, and Industry regulations that govern the use of personal, financial, customer, and vendor data managed by the business.

Key Benefits

♦  Clear security baselines for all departments

♦  Policy-based foundation to measure results

♦  Consistent application of security controls across the enterprise

Developing Your Plan

We’ve mentioned throughout these two volumes that how you approach any task is going to depend on the needs of the organization. Part of your value to the organization is that you bring your experience and your human network to help the organization assess and adjust to reality, and plan for the future. As with other divisions within your organization, your strategic plan should address your current state cybersecurity practices, near-term objectives to be addressed in the next 12 months, midterm objectives to be addressed in the next 18-24 months, and long-term objectives to be addressed over the next three years.

We’ve also mentioned that cybersecurity is not something you can do in a vacuum. It is very much a contact sport. Resist the temptation to hide away and work on your plan in isolation. Engage with your business partners and involve all of your stakeholders in the process of identifying the priorities for your strategic plan. The role of the CISO is to help the organization reduce the inherent risks of its business model and mitigate the residual risks that cannot be avoided. You exist to serve the business, not the other way around. Determine what the management teams need and what the board needs from your cybersecurity program and develop a strategic plan to deliver that.

Recognize, however, that these stakeholders may not be familiar with the more “formal” language of enterprise risk management (ERM) or other risk-management practices we’ve expounded on in the CISO Desk Reference Guide. The founder’s family or close-knit executive teams often dominate many smaller to medium-sized organizations. They are confronting globalization, new competitors, enhanced regulatory oversight, and several other factors that strain their capabilities to understand what the risk environment is for the organization. Tailor your discovery to your audience. Your job is to help these stakeholders navigate this environment in a manner that is financially prudent for the organization, while also reflecting the security “debt” that you may have inherited.

In each of the previous chapters, we’ve given you a series of assignments that, taken together, should provide the bulk of your discovery. The next step is to determine how to apply this information and come up with a plan that emphasizes your strengths, shores up your weaknesses, and buys you the time you need to implement the program the organization needs. One tool you might consider using is a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis. In figure 1 we show a typical set of definitions for a SWOT analysis that you can use to assess capabilities.

Bill Bonney

Gary Hayslip

Matt Stamper

Our Progress in Cybersecurity Culture Is Improving, Now What’s Next?

Tricia Griffith, CEO of Progressive, the large insurance provider, said: “With the right people, culture, and values, you can accomplish great things.” [1]

Several excellent analogies can be used to describe the global challenge we face in cyberspace. We can describe it as modern piracy, given the history of piracy impacting so many people while it was rampant, its criminal nature, and its use in proxy wars between the great naval powers of the 17th and 18th centuries. It could be thought of as similar to infectious disease, given how often software viruses are proximate to fraud and sabotage, how widespread and destructive these viruses are, and how they spread through contact. It can be considered akin to unbridled marketplace competition as perhaps the emerging industrialists envisioned their battlefield in the 18th and 19th centuries. And, of course, it can be thought of more directly as outright war, where skirmishes and battles are fought by and for nation states with catastrophic collateral damage being inflicted on citizens the world over.

In each case, the common first step in fighting back is to change the culture. Whether it’s to band governments together to defeat a common enemy, create a public/private cooperative, or develop a sense of civic duty through education and public discourse, causing a culture change is often the first step in turning the tide.

With that as the backdrop, let’s think about how we’re doing in this culture change we know we need. ISACA® and the CMMI Institute tapped the power of their combined community to look at how we’re doing at developing and adopting a cybersecurity culture. The 2018 ISACA/CMMI Culture of Cybersecurity Research looks at more than 30 data points, and with almost 5,000 respondents over small, medium and large organizations, this survey is extremely valuable at helping us assess where we are.

Making the shift we need requires three distinct steps or phases. First, we need to create awareness of the problem in a way that makes it real to the entire workforce. It needs to be personal. People need to understand why it matters, not just to their organization, but to them. Next, teach people basic self-defense. They need to know what they should do to protect themselves. Then finally, we need to develop within the workforce a sense of unity of purpose and make real to them the shared outcomes we want to achieve.

From the research, we see that 87% of respondents believe that establishing a stronger cybersecurity culture will improve profitability or viability. We also learn that almost 8 in 10 believe those without such a culture experience more breaches and more than 7 in 10 think they would be more susceptible to phishing. I think this is great; it means we are motivated to make the changes we need to the cyberculture we have, and we believe it is essential to the organization, not the regulators, that we do so.

Coming back to our three steps, we also see from the research that fully 96% of respondents already have or expect to have employee training in place by the end of next year. We can assume then if you are reading this you likely have a program in place. Most importantly, the topic most often addressed is cyber risk awareness, cited by 8 in 10 respondents. Your task now is to make sure this awareness program establishes the connection for the workforce of how cyber hygiene impacts them personally. You’re not alone. Barely 3 in 10 believe their workforce understands their role in cybersecurity completely or very well.

Conversely, around 5 in 10 believe they somewhat understand their role and almost 2 in 10 (19%) fall into the not at all and minimal categories. I think we need to move a good many people from “somewhat” to “very well” to create the momentum we need toward a sense of unity around the outcomes we want. 3 in 10 can’t well create a draft for their teammates, but perhaps 6 or 7 in 10 can. We agree this is important: 41% of respondents agree that the lack of employee buy-in or understanding is the most critical inhibitor for achieving the desired cybersecurity culture.

Of course, measuring our progress is essential. First, make the tweaks to your program to make it personal to all workers. Then, add regular assessments to gauge how the workforce is responding. Less than 3 in 10 organizations do that now. Moving the bar on this metric will significantly improve the effectiveness of your cybersecurity awareness program. Engage with the workforce, measure phishing click-throughs, reward successful outcomes, and make sure you have consistent executive sponsorship. If executive management can motivate the workforce to improve product quality and increase sales, they can certainly accomplish the great things that Ms. Griffith believes a great culture can achieve by driving a change in the cybersecurity culture.

1. Tricia Griffith Quotes. BrainyQuote.com, Xplore Inc, 2018. https://www.brainyquote.com/quotes/tricia_griffith_852303, accessed September 27, 2018.

This article was originally published in ISACA in October 2018.

How Digital Natives Are Shaping the Future of Data Privacy

With the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020, I think it’s timely to look at how digital natives may change the way we view data privacy altogether. If you were a toddler when Voyager 1 and 2 buzzed Saturn in 1980 and 1981 respectively, you are a digital native, as is anyone who came along after you. Maybe you started high school when email and file-sharing started going mainstream, and by the time you graduated, The New York Times had a homepage, at least one of your parents was likely online, and we, consumers at large, were beginning to experience FOMO (fear of missing out) if we weren’t online.

Ubiquitous tracking and big data pools as we know them today weren’t even a glimmer in a mad data scientist’s eye back then — and yet, people born before we learned who shot J.R. (or digital immigrants, as they came to be known) had already been making privacy mistakes for years.

Privacy Habits of the Past

Although the term was coined in the 1960s, identity theft has been with us for much longer. This author shares a name with a notorious horse thief, born Henry McCarty in the 19th century American Wild West. This scoundrel misappropriated the name William Bonney from an obituary in a New Jersey newspaper before he went west and famously fell into considerable mischief.

Two generations after his demise, the U.S. government began handing out identifiers for the new Social Security program. That’s where the trouble began in earnest. Many states put that number on their state-issued driver’s licenses — and this practice wasn’t banned until 2005. When Medicare came along in the 1960s, the Social Security number (SSN) was used as an identifier for each recipient. It was convenient, and it seemed like a good idea at the time, but the practice was officially ended in 2017.

Another habit we all got into long before digital natives started tagging themselves in hundreds of social media photos was putting our driver’s license numbers, addresses and phone numbers on the face of our checks. Credit cards weren’t widely accepted at grocery stores until the late 1990s, and who wanted to carry cash? None of us wanted to wait in long lines while the cashier wrote our phone and driver’s license numbers on our check to guard against fraud. It was easier and faster to have the info printed right on the check when we ordered them. The banks knew all about it. It was convenient, and yes, it seemed like a good idea at the time.

As we started using credit cards more broadly, we found ways of getting into even more privacy trouble. Rewards programs started sprouting like weeds. There were airline miles, discounts at the check stand and loyalty points for every possible purchase. Now, we coin new currencies faster than influencers gain followers. For 15 percent off, we allow our pharmacy, grocer, clothier and online retailer to track everything we buy, and we’d dutifully bark our phone number at clerks with people all around us to make sure we got credit for every purchase.

Digital natives certainly aren’t alone in posting photos, videos and online journals from their own social media accounts. While it might be easier for someone who grew up with the technology to post a fully captioned photo that tags five friends or colleagues, the consequences seem to vary more by the reach of the social profile in question than demographic factors. These consequences can range from varying degrees of embarrassment to ostracization and severe career impact. Sharing photos, videos and inner thoughts seemed like a good idea at the time — just like sharing SSNs, driver’s license numbers and phone numbers did before.

Data Privacy Expectations Are Rapidly Evolving

Our collective attitude toward data privacy is changing as we learn more about how maintaining data privacy is both desirable and difficult. We are now more attuned to the effects of sharing and the consequences of subtle privacy violations. In short, we’re in an era of rapidly evolving data privacy expectations. We’re increasingly turning to regulators to help us corral entities who would sell pieces of our information that we wouldn’t necessarily share on our own. Partly due to the experiences of digital natives, we are reconsidering the rules of data sovereignty.

As the consequences of data sharing become more evident (think public shaming versus identity theft) and long-lasting (searches often expose events going back decades), we are recognizing that our online images and thoughts can define us and should be owned by us, regardless of whether we fully understood the impact of sharing them. If a musical group can stop a political campaign from using its song or an actor can stop a merchant from using their image in an advertisement, it is my opinion that each of us should be able to determine how our images and musings may be used by collectors and whether to allow their collection at all.

The Berne Convention, which was adopted way back in 1886, established that publication alone is enough to establish a copyright. I’d assert that it’s not much of a stretch to extend that to what we publish about ourselves, whether that information is generated intentionally or as a byproduct of living in the digital age.

Should We Have Personal Sovereignty Over Our Data?

Regulators alone cannot solve this problem. It seems to me that what digital natives have asked us to do — sometimes explicitly, but often indirectly — is create the technical means to grant and revoke permission to collect, access, use and share the data we all produce.

Regulators could force each covered entity to create processes whereby current data subjects can request agency over their data privacy. New technologies could be created to encode each atomic unit of data and establish clear ownership. With options such as blockchain and smart contracts, I believe we could honor evolving data privacy expectations and enable data subjects to set or change the rules to which data brokers and users must adhere. If those parties fail to act in accordance with those rules, they could be prohibited from using that data.

Certainly, this concept has a more complex application when it comes to the digital exhaust we create (think location data and log data) as opposed to data elements that are more obviously descriptive, but this seems like more of an architectural challenge than one of scale to me. After all, we’ve managed to solve the scale problem for collection and use. As I see it, giving data subjects sovereignty over their data seems like a logical next step for our time — one that might just remain a good idea as we look back on this time years from now.

This article was originally published on Security Intelligence on Jan 8, 2020.