NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Guide by Brian Wrozek
Download as PPTX, PDF3 likes2,174 views
The Texas CISO Council is a collaborative of information security leaders from various industries in Texas, aimed at improving security through shared expertise. The guide outlines essential aspects of information security, including governance, strategy development, and risk management. It emphasizes community-driven solutions and provides resources for security challenges.
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Guide by Brian Wrozek
- 1. TEXAS CISO COUNCIL Information Security Program Essentials Guide
- 2. About the Council About the Guide Next Steps Agenda
- 3. Who Are We? Business Services Retail Real EstateEnergy Software Education Government Manufacturing Financial Computers & Electronics Consulting Hospitality & Travel The Texas CISO Council is a group of Texas-based, cross-industry information security leaders. We have teamed up to improve information security and share information through voluntary contributions of our expertise, time, and experience to consider security challenges and formulate community-driven solutions.
- 4. Information Security Essentials Guide • Problem ? Solution ! What Did We Do?
- 6. SLT IT RISK CSO http://rafeeqrehman.com/2014/12/14/latest-update-to-ciso-responsibilities-mind-map/ Governance & Organization
- 8. Frameworks
- 10. Measurement & Metric References https://mlblogscountingbaseballs.files.wordpress.com/2012/02/2012-topps-derek-jeter-back.jpg
- 11. What Did We Learn?
- 12. What’s Next?
Editor's Notes
- #2: Welcome and thank the audience and session host.
- #3: Provide your BIO as introduction and give overview of this presentation.
- #4: Co-founded by Brian Engle, former State of Texas Chief Information Security Officer and Philip Beyer, Director of Information Security at The Advisory Board Company. All council members have real-world experience managing information security corporate or governmental functions, or have made substantive contributions to the information security industry. Open membership but more than just a networking opportunity. We wanted to collaborate and produce tangible products that would benefit all. We wanted to help others be successful. We have almost 50 members with a dozen who contributed to the Essentials Guide.
- #5: Problem: There are many similar and overlapping information security control frameworks in place around the globe. There is no simplified reference describing at a high level the essential components of a modern information security program. Solution: Offer a simplified mechanism to validate that an organization has in-place or planned solutions for key elements of an information security program and that the organization has not overlooked critical core competencies or controls. The Guide may also aid an information security professional or business leader to document an approach, support peer reviews, and/or allow a security program owner to present program fundamentals to internal stakeholders, auditors, partners, and vendors. Started in October 2013. Took us a while to get into a rhythm. We all have day jobs and are active in other industry groups. We met on a regular basis in different cities. Once we got serious, we treated it like any other typical project. We have a dedicated coordinator (not an actual PM). We subdivided the guide into sections with a dedicated section owner. We set deadlines. Finished in March 2015.
- #6: The Guide is divided into these 5 main areas with the arrows representing their relationships and dependencies. The bubbles highlight the key topics. Each of the 5 areas are organized into these 5 sections.
- #7: Continues to be a spirited debate on where Information Security should report. We highlight some of the benefits and challenges of reporting into different organizations such as IT, Risk/Compliance, Senior Leader (CSO, Finance, Legal). We also provide some advice on how to create an effective program even if you are not placed in the most ideal location in your company. We briefly describe some of the core components of an information security program. We don’t into every branch of this CISO mind-map otherwise our Guide would rival a NIST standard. The role is dependent on the company culture and executive support among other factors.
- #8: There are multiple inputs into the strategy development process. Some may be given more weight than others depending on your situation. Developing a strategy is more art than science. Typically the output tends to be a more detailed list of priorities for the next calendar year plus an update to a 3 year roadmap.
- #9: There are many different frameworks. Pick one that fits you and your company the best and follow it. Think of them like diet plans. Most will work if you commit to following them. One that is sure to gain in popularity is the new NIST Cybersecurity Framework for Critical Infrastructure.
- #10: Ideally, information security should be just one component within the overall enterprise risk management function.
- #11: There is no single magical metric that can answer the question how secure are you. Different metrics provide different value to different audiences. Put your metrics in some type of visual format besides just tables of text.
- #12: Need to be patient, flexible and persistent. A small, dedicated core group is more effective than trying to get everyone involved. Let others jump in and provide value where and when they could. Need one or two people who pull everything together to give the end product a consistent feel and voice. Need someone to take ownership of the mechanics of the group (scheduling meetings, publishing minutes, etc). Leverage video conferencing and webex but there is no substitute for getting together in person on a regular basis. We did leverage local events so members could leverage their travel arrangements. Get version 1 published and then work on updates.
- #13: Start looking to add more detail to the different 5 sections. We want to add real world case studies and examples. This could lead to additional break-out guides.
- #14: This Guide is offered at no cost or obligation to any organization that seeks to build or improve their information security program. It can be downloaded at our website and you can send an email to this address if you have any questions, suggestions or want to get more involved in the council.