The CISO Guide – How Do You Spell CISO?
Download as PPT, PDF2 likes1,009 views
This document summarizes Barry Caplin's presentation on his role as Chief Information Security Officer (CISO) at Fairview Health Services. The summary includes: 1) Barry Caplin discusses his strategies for learning about Fairview's business, establishing a culture of security, and baselining the organization's security when he first took the CISO role. 2) He outlines his approaches to strategic planning, tactical planning, and developing a security roadmap for Fairview. 3) The presentation covers executing the plans, using metrics and risk communication, and providing ongoing reports to Fairview's Board of Directors.
The CISO Guide – How Do You Spell CISO?
- 1. BA RRY CA PLIN H O W D O YO U SPELL CISO ? W ED . M A Y 14, 2014, 11A Like what you hear? Tweet it using: #Sec360
- 2. How Do You Spell CISO? Secure360 Wed. May 14, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
- 4. Fairview Overview • Not-for-profit established in 1906 • Academic Health System since 1997 partnership with University of Minnesota • >22K employees • >3,300 aligned physicians Employed, faculty, independent • 7 hospitals/medical centers (>2,500 staffed beds) • 40-plus primary care clinics • 55-plus specialty clinics • 47 senior housing locations • 30-plus retail pharmacies 4 2012 data •5.7 million outpatient encounters •74,649 inpatient admissions •$2.8 billion total assets •$3.2 billion total revenue
- 5. Who is Fairview? A partnership of North Memorial and Fairview
- 6. Did you ever think about…Did you ever think about…
- 7. ChallengesChallenges • Keep it simple • Keep it High Level • Don’t let ‘em pull you in to the weeds
- 9. First QuarterFirst Quarter • Learn the Business • Culture of Security • Baseline the Organization
- 10. Learn the BusinessLearn the Business Business/Ops lead – not Security or IT •Do you know? − Industry − Niche − Mission/Vision − Why/What/How − The Organization
- 11. Learn the BusinessLearn the Business • Ask Questions • Org Charts • Get Out of the Building! • 1:1’s; Divisional meetings; Leaders; C-suite
- 12. Learn the BusinessLearn the Business • Agenda − Introduction − learn about the business area, − what works and what doesn't, − partnership opportunities, − what can I do for you? • Establish your office; Create Champions
- 13. A Culture of SecurityA Culture of Security A journey of a thousand miles begins with a single step. - Lao-tzu, The Way of Lao-tzu Chinese philosopher (604 BC - 531 BC) You gotta start somewhere. - Me
- 14. A Culture of SecurityA Culture of Security • Is there existing training? • Train for Compliance • Awareness to reinforce • Create Evangelists
- 15. A Culture of SecurityA Culture of Security • Be Relevant • Connect to the Business • Seek out and Destroy controls that add no value
- 16. Baseline the OrganizationBaseline the Organization Helps you: •Know where things stand •Show progress
- 17. Baseline the OrganizationBaseline the Organization Methods: •Compare against known standard •Maturity Model CObIT Security Baseline CObIT Maturity Assessment Tool Gartner IT Score Homegrown
- 18. In your spare time…In your spare time… • Low hanging fruit • Other duties as assigned
- 19. Second QuarterSecond Quarter • Strategic Planning • Tactical Planning • Roadmap
- 20. Security is not a Project…. It’s a Lifestyle! 20
- 22. Strategic PlanningStrategic Planning • High-level • Outcomes • Framework − NIST − CObIT − HITRUST − ISO27001
- 23. Strategic PlanningStrategic Planning • Business info + • Baseline analysis + • Risk Assessment + − Threat Assessment Assets; Actors; Actions • Vision = − Time Travel
- 24. Threat Modeling/AssessmentThreat Modeling/Assessment • Elevation of Privilege http://www.microsoft.com/security/sdl/adopt/ • Cntl-Alt-Hack http://www.controlalthack.com/ • UW Security Cards http://securitycards.cs.washington.edu/
- 25. Tactical PlanningTactical Planning • Tactics are “How?” − Support each strategy − More granular − Shorter timeframe (1-3 yrs.)
- 26. Strategy/Tactics
- 27. RoadmapRoadmap
- 28. Third Quarter…Third Quarter… • Execute! • Metrics/KPIs/KRIs • Communicating Risk • BoD Reports
- 29. ……And BeyondAnd Beyond The “game” never ends. •Iterative processes •Support the “bridges” •Living documents •Review and refine
Editor's Notes
- #4: Talk based on 7 parts of 5 part blog series (blog link, twitter link) Check out my about.me, with links to twitter feed and Security and Coffee blog.