SlideShare a Scribd company logo

CISO Platform Security Maturity Model

Priyanka Aash, profile picture
Priyanka Aash

The document discusses the challenges of existing security models, highlighting their complexity and lack of prioritization. It introduces the CISO Platform Security Strategy Model (CP-SSM), which aims to offer a minimalist and focused approach to security strategy through threat modeling and prioritization. Key elements include a threat repository, prioritization guidelines, and a mapping between threats and controls.

Technology
1 of 13
1
2
3
4
5
6
7
8
9
10
11
12
13
CISO Platform Security Strategy Model ( CP-SSM ) Bikash Barai
CISO Platform Security Maturity Model
Challenges with existing models • Too heavy to be intimidating - Too many steps • Cannot be done incrementally – Needs big bang approach • Very few SABSA professionals and very few implementation • Does not produce a prioritized list of security activities
Goodness Criteria • Should help to eliminate • Should help to focus • Should be simple • Should be easy to remember
Introducing CP-SSM
Goals of CP-SSM • Light • Minimalist • Focused
Steps • Create Business Architecture (High Level) • Strategic Threat Modeling • Elimination: Bucket and Prune • Mapping: Threats to 4 types of controls • Priority Bucketing of Activities
Key Elements • CP- Threat Repository • Threat Prioritization Guideline – Available – Benchmark, Risk Management Model • CP - Control Repository – Not available • CP- Threat to Control Map – Not available • CP- Activity/Control Priority Map
Threat Repository • Taxonomy – Software (26 sub class) – Hardware (3) – Physical Security (3) – Supply Chain (2) – Human (3) • Industry or vertical specific top N listing
CISO Platform Threat – Control Map • Threat: SQL Injection Attack – Detection: WAF, SAST, DAST, IAST, RASP – Prevention: Secure Coding, WAF, RASP – Response: SIEM, SOC Response Process – Prediction: TI (External and Internal)
Prioritization Matrix Prevention Detection Response Prediction High Risk 1 1 2 3 Medium Risk 2 2 2 3 Low Risk 3 3 3 3
Next Steps • Utilize the model (loosely) for building an Appsec Program - Post Lunch • Create Community Projects – Threat Repository (Comprehensive + Top N) – Threat Control
Thank You @bikashbarai1

More Related Content

PPTX
Enterprise Security Architecture Design
Priyanka Aash
 
PDF
SACON Orientation
Priyanka Aash
 
PDF
Zachman Enterprise Security Architecture
Joaquin Marques
 
PPTX
Enterprise Security Architecture
Priyanka Aash
 
PDF
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
PPTX
Risk Management Strategy (RMF v2)
Amy Nicewick, CISSP, CCSP, CEH
 
PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
PDF
Enterprise Security Architecture
Priyanka Aash
 
Enterprise Security Architecture Design
Priyanka Aash
 
SACON Orientation
Priyanka Aash
 
Zachman Enterprise Security Architecture
Joaquin Marques
 
Enterprise Security Architecture
Priyanka Aash
 
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Risk Management Strategy (RMF v2)
Amy Nicewick, CISSP, CCSP, CEH
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
Enterprise Security Architecture
Priyanka Aash
 

What's hot (20)

PPTX
Conceptual security architecture
MubashirAslam5
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
PPTX
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
PPTX
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare ☁
 
PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
PPTX
Security architecture frameworks
John Arnold
 
PPTX
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
PDF
Security Patterns How To Make Security Arch Easy To Consume
Jeff Johnson
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
PDF
Security services mind map
David Kennedy
 
PPTX
Building a SOC - hackmiami 2018
Jose Hernandez
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
Soc
Mukesh Chaudhari
 
PPT
Uac sales pres_20_apr09-2
lousifers
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PDF
Chapter 10 security standart
newbie2019
 
PPTX
SABSA overview
SABSAcourses
 
PPTX
Secure Design: Threat Modeling
Cigital
 
Conceptual security architecture
MubashirAslam5
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare ☁
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Security architecture frameworks
John Arnold
 
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
Security Patterns How To Make Security Arch Easy To Consume
Jeff Johnson
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Security services mind map
David Kennedy
 
Building a SOC - hackmiami 2018
Jose Hernandez
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Soc
Mukesh Chaudhari
 
Uac sales pres_20_apr09-2
lousifers
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
Chapter 10 security standart
newbie2019
 
SABSA overview
SABSAcourses
 
Secure Design: Threat Modeling
Cigital
 
Ad

Similar to CISO Platform Security Maturity Model (20)

PDF
Visualizing BI technical cyber risks. Enterprise Risk and Security
BiZZdesign
 
PDF
ACS-security-2821-001 Lecture Note 13.pdf
Mostafa Taghizade
 
PPT
System development chapter six power point
jamsibro140
 
PPSX
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
MardhaniAR
 
PPTX
Becoming a better pen tester overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PPTX
SABSA Implementation(Part III)_ver1-0
Maganathin Veeraragaloo
 
PPTX
CONTEXTUAL ARCHITECTURE.pptx
Pandiya Rajan
 
PPTX
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
mohamadchiri
 
PDF
Forgotten world - Corporate Business Application Systems
ERPScan
 
PPTX
iDEAFest Enteprise InfoSec Program Lessons Learned
Michael King
 
PPTX
DevSecOps - London Gathering : June 2018
Michael Man
 
PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
PPTX
RMMM Plan
Ankit Bahuguna
 
PPT
Mis 9
Md. Mashiur Rahman
 
PPT
Risk Based Security and Self Protection Powerpoint
randalje86
 
PPTX
Material Unwanted Events - Critical Control Mangement
SAMTRAC International
 
PDF
Patterns (and Anti-Patterns) for Developing Machine Learning Systems
University College Cork
 
PDF
Implementing SAP security in 5 steps
ERPScan
 
PPTX
Cyber Scotland Connect: What is Security Engineering?
Harry McLaren
 
PPT
Ch+14
Mahumapelo
 
Visualizing BI technical cyber risks. Enterprise Risk and Security
BiZZdesign
 
ACS-security-2821-001 Lecture Note 13.pdf
Mostafa Taghizade
 
System development chapter six power point
jamsibro140
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
MardhaniAR
 
Becoming a better pen tester overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
SABSA Implementation(Part III)_ver1-0
Maganathin Veeraragaloo
 
CONTEXTUAL ARCHITECTURE.pptx
Pandiya Rajan
 
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
mohamadchiri
 
Forgotten world - Corporate Business Application Systems
ERPScan
 
iDEAFest Enteprise InfoSec Program Lessons Learned
Michael King
 
DevSecOps - London Gathering : June 2018
Michael Man
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
RMMM Plan
Ankit Bahuguna
 
Mis 9
Md. Mashiur Rahman
 
Risk Based Security and Self Protection Powerpoint
randalje86
 
Material Unwanted Events - Critical Control Mangement
SAMTRAC International
 
Patterns (and Anti-Patterns) for Developing Machine Learning Systems
University College Cork
 
Implementing SAP security in 5 steps
ERPScan
 
Cyber Scotland Connect: What is Security Engineering?
Harry McLaren
 
Ch+14
Mahumapelo
 
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Teaching material agriculture food technology
LiaRayya
 
Cloud computing and distributed systems.
kkkkkhan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

CISO Platform Security Maturity Model

  • 1. CISO Platform Security Strategy Model ( CP-SSM ) Bikash Barai
  • 3. Challenges with existing models • Too heavy to be intimidating - Too many steps • Cannot be done incrementally – Needs big bang approach • Very few SABSA professionals and very few implementation • Does not produce a prioritized list of security activities
  • 4. Goodness Criteria • Should help to eliminate • Should help to focus • Should be simple • Should be easy to remember
  • 6. Goals of CP-SSM • Light • Minimalist • Focused
  • 7. Steps • Create Business Architecture (High Level) • Strategic Threat Modeling • Elimination: Bucket and Prune • Mapping: Threats to 4 types of controls • Priority Bucketing of Activities
  • 8. Key Elements • CP- Threat Repository • Threat Prioritization Guideline – Available – Benchmark, Risk Management Model • CP - Control Repository – Not available • CP- Threat to Control Map – Not available • CP- Activity/Control Priority Map
  • 9. Threat Repository • Taxonomy – Software (26 sub class) – Hardware (3) – Physical Security (3) – Supply Chain (2) – Human (3) • Industry or vertical specific top N listing
  • 10. CISO Platform Threat – Control Map • Threat: SQL Injection Attack – Detection: WAF, SAST, DAST, IAST, RASP – Prevention: Secure Coding, WAF, RASP – Response: SIEM, SOC Response Process – Prediction: TI (External and Internal)
  • 11. Prioritization Matrix Prevention Detection Response Prediction High Risk 1 1 2 3 Medium Risk 2 2 2 3 Low Risk 3 3 3 3
  • 12. Next Steps • Utilize the model (loosely) for building an Appsec Program - Post Lunch • Create Community Projects – Threat Repository (Comprehensive + Top N) – Threat Control