How Can I Sign Nevada Banking Form

Industry sign banking nevada profit and loss statement secure

hello and good morning everyone welcome to the sands institute webcast wrecked casino hack assessment transformational series this is a four part series and today joe sullivan will be kicking us off with the first part business security strategy policies and leadership gone wrong joe welcome to the show thanks laura just one second let me get my video turned on here doesn't seem to be cooperating with me there it goes all right should be able to see me now yeah yes we can okay good afternoon everyone welcome to the webcast this webcast is to illustrate how management 514 fits into the transformational cybersecurity leadership triad along with management 512 security leadership essentials for managers and management 521 leading cyber security change so the background on this is i wrote a three series blog post about a fictional organization called wrecked casino how to rebuild that security program in a post breach scenario i'll give more background on red casino here coming up so this presentation is about how that could have been prevented by utilizing the tools and techniques that we cover in management 514 security strategic planning policy and leadership so management 514 is a five-day course there's no way i can possibly include all those elements into a one-hour presentation so i'm going to approach this by prioritizing the tools and techniques for management 514 pretty much in context with the way i would at wrecked casino had i been hired as a cso before the breach had happened security is not one size fits all context is really important as you try to build your security program i can't take a cookie-cutter approach to security without considering the business factors the values the culture and failed understand what's driving the business and what's important to the business and that's also very much what this presentation is about so i'm joel sullivan i'm a sans instructor i teach management 514 and management 512. been in information security a little bit over 20 years now various different roles uh security leadership and a cso for a bank currently leading a team of penetration testers also worked in incident response and forensics so i've been involved in a lot of different aspects of information security over the years a little background on wrecked casino they're a fictional casino located in las vegas this company doesn't exist they had a ransomware incident they had immature i.t operations there's no incident response capabilities there no formal security program security is kind of built into it they've been in business approximately 20 years when this breach happened you know they thought they were secure because they were in compliance with something called mix that's mics minimum internal control standards imposed on them by the nevada gaming commission so the ransomware came in over email you know there was no spam filtering no anti-malware none of that on the email server was basically wide open once that malware got in it was able to beacon out you know because there were no outbound firewall rules to prevent that it was basically wide open going out of the network memory dump showed that the attackers were using ps exec powershell and some other unknown executable they also observed some rdp connections taking place on the network with a domain administrator account so we know the domain admin account is compromised during this incident they were very siloed right except for a back channel conversation between one of the itt members and a friend of his who was an incident responder at another organization and she was helping them out while she was on vacation right they were very tight-lipped and non-communicative because they were trying to save face they were unsure of what they were doing and what they were dealing with remember there's no incident response here this is new to them it's the first incident they've experienced so far in 20 years up to this point they apparently did a really good job with security but it can only last so long since they were siloed and quiet the rumor mill started to turn out these wild conspiracy theories you know nation state hacked the casino insider threat robbery no one really knew what was going on these rumors were spreading all over town to give you an idea of the environment they were working in there's no policies and procedures there's no documentation no network diagrams no data flow diagrams there's no bcpdr nothing to fail over to and recover to no security awareness or threat intelligence now this is important because previously a casino right up the street from them had already been breached by a nation-state in this story had they been aware of that they could at least understood the importance of security at least done something to secure their network they were totally oblivious to what's going on in the world so at a high level what i'm going to cover in this presentation is my approach for the security program and wrecked casino before the breach happened now i'm going to look at these various phases of strategic strategic planning decipher develop and deliver then we talk about the leadership management competencies to actually lead your team to get all this work done you're going to see these same terms over and over during this presentation i'm going to refer back to these wretch casino had what we call the old school approach to security that old school approach to security relies on the i.t team to secure things as they're deployed right it's heavily based on technical controls such as endpoint protection anti-spam spam filtering and firewall very much perimeter based the it teams secure things as best they can there's no one driving security there's no there's no accountability and what that usually ends up in is security becoming neglected right wreck casino had no monitoring logging as well they couldn't tell when something bad was happening in reality is this attacker was probably on a network for possibly a month or longer they had no idea the new school approach to security is a more holistic approach right we approach that with a business focus and that includes i.t security regulatory compliance the legal and privacy perspectives as a way to manage risk for the organization this takes an understanding of the business concepts and technical concepts right we then take those perspectives and included in strategic planning strategic roadmap design security policy and continual assessment then we have the leadership and management competencies this approach requires an understanding of the business as well as a technology aspect what we're getting into here is enterprise risk management and not just technology-based security i'll take this approach because in today's environment security has to work across the entire organization if you look at responsibilities of security today in most modern organizations you're going to find that they work with legal departments hr departments compliance and business risks just as a few examples and then most businesses today were involved in digital transformation in some way that means initiatives like byod cloud and remote access especially today and along with that goes risk assessments vendor management supply chain chain management insecurity gets involved with all those activities so security is very much not just technology based anymore we're moving out to the entire organization strategic planning is more than just creating a list of things to do in security strategic planning requires an analysis and understanding of the organization that analysis shapes your strategic plan and includes the organization's vision of mission statements the risk appetite and what opportunities do we have for security on this slide three phases the three phases for strategic planning are decipher develop and deliver then you have lead motivate inspire to get your team to actually get the work done all these phases are going to look different depending on what type of organization that you're in keep in mind that my approach during this presentation is probably going to look different than the approach you would take in your organization you have to consider the context and the environment you're working in the maturity the security program and exactly how important is security to the organization my goals for wrecked casino are to build a security plan and a strategic plan the security plan looks at the business objectives in this case customer requirements security compliance and privacy requirements strategic the strategic plan looks at the current state analysis a gap analysis maturity analysis and then all this analysis and research that we do is used to create a roadmap for security for the organization i'll start with the decipher phase the decipher phase is important to understand organizations history you know we have to understand what's happened to god to where it's at now then we have to determine who the stakeholders are then we have to understand the values and culture of the organization because that's that's going to inform how we operate and get the work done during that decipher phase i also want to understand the business strategy and what information assets the casino has that i need to protect part of the deciphering phase is understanding the history of the organization security and technology have evolved a lot of the years and you know just any organization from a historical perspective the security team also needs to take credit for the work that it's done over the years a good way to show that and visualize that is a slide like you see here this shows how the threats have evolved as compared to the investment in technology and security over the years here at wrecked casino so i'd get a slide like this in front of the ceo and i would say mr ceo here's the timeline of 1995 to 2015. on the bottom the blue line that's us we've invested an email anti-virus firewall and a vpn over the course of this timeline technology has you know evolved also we had the first website all the way out to the internet of things a lot of technology changes happened over the years also the threats have changed right we started out with basic threats then we get into organized crime then you have your apts your advanced persistent threats then you have the snowden revelations privacy's watershed moment and then we've had the year of the breach which is still happening continuing more more breaches happen threats keep increasing this is what we're up against this is where we're at this is the truth right this shows from historical perspective what is the state of security and organization this helps show red casino has plateaued from a security perspective in actuality it would more look like a downward trend because unless you're taking care of you know the care feeding optimization investment security you're losing a degree of security every day at some level a slide like this is also beneficial to socialize with the executives and keep in front of the security team so they know where we're at and what's the current state of security as i decipher the organization i'm going to identify some important stakeholders right this is part of the ciphering process as you transform from security technologist to security leader your initiatives are going to impact more people this is why stakeholder management is really important how important is it it can make or break you studies have shown that the majority of initiatives and projects either partially implemented or failed to be implemented were due to poor stakeholder management stakeholder management a lot of organizations is approached like this we get the security team together and go okay who's this initiative going to impact and we come up with a list of people the problem with that is is that it usually only includes the people that security interact with the most and we overlook important stakeholders the other problem with this is is when do we usually do this well about two days before our initiative and it goes live of course now that's that's not the way to approach this and i've seen this in a large organization last year on a thursday night the it team decided it was a good idea to upgrade the exchange server and they upgraded the exchange server the next day email wasn't working everyone was upset they didn't manage their stakeholders they didn't have to change management the orcs their constituents the executives the other people organization loses confidence in the iet team when this happens it's harder to get buy-in on your initiatives and your projects they don't trust you when you do things like this we have to get better at stakeholder management and we can use a tool called the cypoc on the left hand side of this slide is the cypoc tool in the cypoc is suppliers inputs processes outputs and customers and we have we start new processes in the center most technology-based deployments have pretty much the same process requirements design procure build and employ and manage each one of these processes has a corresponding input artifact and a corresponding output artifact the input artifact comes from a supplier the output artifact goes to a customer now let's look at the build and deploy process second from the bottom we start there and then we look at our output artifact what is the output artifact of the build and deploy process well we have the migration plan and production system who gets that the business owner i.t and security teams the vendor managers and help desk now we're going to kind of work backwards that build and deploy process has an input artifact what is that technical requirements and system configuration all right who supplies that vendors architects and engineers and we go down the process the process list and we answer these questions for each one of these and what we end up with is your suppliers on the left hand side highlighted in red and your customers on the right hand side highlighted red these are the stakeholders but we're not done yet we have to manage these stakeholders right because each one of these stakeholders has a power they can exert on our project of initiative they have the power of veto the power of voice and have the power of vote and they have a corresponding level of power and interest so looking at the uh the power interest grid on the right hand side of the slide this four quadrant grid in a left-hand left-hand quadrant on the lower left-hand quadrant you have low power and low interest well we're going to monitor them and that's the server team and the help desk they can give us feedback tell us how we're progressing then we have your end users keep those informed hr and legal to keep satisfied then in the top right high power and high interest the cfo regulator ceo head of security we want to manage those closely as you interact with the stakeholders it's important to understand the values and culture of the organization because that informs how you're going to operate as you work through your projects and your initiatives this process is part of deciphering an organization things like is the culture more conservative or more liberal that's important to understand because if you create a conservative policy in a more liberal liberal organization it's probably not going to be followed i found this out the hard way one morning i had hired a a former co-worker to manage the firewall at the bank where i was a ciso he'd been there about a month and i was at my desk early one morning and an employee we'll call her sue she comes in the door she usually does in front of my office instead of turning down a hall she comes in my office starts yelling and screaming at me eyebrows furrowed arms raised red-faced your guy wouldn't let me in the building this morning he closed the door and made me have to swipe my card well that wasn't the culture here the culture where my friend philip co-worker philip came from that was the culture right that was a terminal offense if you let someone piggy back in so why was she so mad well this was her home away from home for between 15 and 20 years and she came to work one morning and someone said no i'm sorry you can't come in that wasn't acceptable he offended the culture now imagine trying to work again t that with one of your projects or initiatives but it gets worse she goes back to her desk with her co-workers and her department who have been there almost equally as long and tells her story now the entire department is upset with us that's what offending the culture does it's infectious it spreads throughout the organization and this went on it wasn't easy to recover from this two weeks later they were still upset we actually had to go get donuts and bring to them and we caught them in a break room and you apologized for a few single here you know we're really sorry and it was like the whole thing happened again mad yelling screaming it got out of her system and everything got better after that so it's really difficult to recover from offending the culture keep that in mind so you have to be aware of the business strategy and strategic objectives of the business i'll start this with a story there was a restaurant and i envisioned it went down like this the ceo and the marketing team were talking and then the ceo goes we need to find a way to generate more revenue and the marketing team goes i've got this great idea we'll create a mobile application and they can order food online they accumulate points each order accumulates more points they get something for free and then that keeps them coming back and see it goes brilliant make it happen so the marketing team goes out and they spin up a website and it works revenues coming in it's great a security researcher logs in one day and he checks his points and he notices that there's a id in the url he goes well that's interesting let's increment that and he does and he pulls up someone else's account so he decrements it by two and it pulls up someone else's account he goes aha this is an idol vulnerability insecure direct object uh reference it's an oauth top ten so he does the responsible thing and notifies the restaurant and they don't do anything ultimately he reaches out to brian krebs story blows up then they secure it this is what happens if you're not aware of the business objectives in the business strategy you lose opportunities to make security adjustments that could have been prevented for like this so what we have to do is approach this when getting to know the stakeholders they have business strategies and strategic objectives we need to be aware of so we can map that out and visualize it with a slide like this this is how security contributes to the strategic business objectives of the organization this is an approach that executives can understand so let's assume that red casino has a mobile application rollout so their clients can interact with the casino i could show how security enables this project by looking at this mapping to strategic objective slide at the bottom of the row is a learning and growth or security capability this is what security does for the organization we implement access controls such as mobile device management management that enables the business to conduct you know operations remotely you know throughout the casino we have secure mobile applications which enable the customers to order tickets make buffet reservations enter contests get casino updates and news and then the next throw up is what we do in security and how that affects the business processes implementing access controls results in improved security governance mobile device management results in ease of doing business and internal communications secure mobile applications result in increased productivity along with secure mobile applications helping build the company brand the top row is the financial impact the executives are most concerned with this is what they're really interested in we have improved margin increased revenue and we're gaining market share that's important this ultimately this is what builds up from what we do in security keep in mind that in your organization your mapping two strategic objectives is going to look a lot different than mine potentially right for example in a non-profit you will have the mission at the top row and not the financial objectives getting into threat analysis now as i decipher the organization here as the cso i need to understand and identify what the security program needs to protect that means i need to understand what information assets the casino has i'll determine this during technology reviews interviews with other stakeholders business leaders and during that analysis what i'm trying to determine is what are the crown jewels the crown jewels are the most important data to the organization what basically keeps them a business and in security we often overlook that the next step is what are the threats i need to be concerned with and i can do that and understand that identify that with a pest analysis and it gets it comes in the form of this four quadrant grid that you see on the left hand side of this slide the pest analysis looks at the political economic social and technological factors that can impact the scene of the casino from a security perspective or a business perspective the political factors are such as new regulations for the casino breach notification is an example the social we have people demanding more security you know demand for accountability of incidents then to top the top right the economic we have a pandemic economy increased fines for breaches then that cost of increased security and reputation damage from the breach the bottom right quadrant technological the industry is moving to a holistic approach to security right we need to plan to upgrade these older systems and we have to leverage cloud to uh help gain momentum here with our initiatives and we need additional logging monitoring and alerting now along with the threats of course come the threat actors i need to be aware of who are the threat actors and more importantly i need the ceo to understand that we have threat actors and they have certain motivations and i could get a slide like this in front of him to start that conversation that you see on the right hand side we have to deal with nation states now we know this has literally happened with the casino in las vegas in real life it was a political statement was made by the owner of a casino a nation state responded by hacking the casino hacktivists maybe someone loses their savings their money in a casino so they respond by trying to compromise the website organize crime they're motivated by financial gain we've seen enough movies to know that this is a thing people try to steal from the casino competitors now this was a real conversation i had a couple of years ago i was working an incident at a casino well it was in a remote area and there were two casinos in this area they were literally across the street from each other previous to the two weeks up to the incident there was some foreign nationals seen in the casino right different accent different dress and then this incident happened so this was a real conversation we had to look at during the post-mortem could this have been the cause so that's something to keep in mind insider threat espionage grudge you know financial gain we know that's an issue because we literally have cameras in the casino looking down on everyone you know we're looking for someone trying to steal from the casino or do worse damaged systems partners we've seen this in a casino world someone manipulate the algorithm on a slot machine then come in take advantage of those payouts so that's going to be on our radar in the blog post red casino they didn't have any idea who the threat actors were all right there was this previous casino breach and they were totally oblivious to it using this approach and socializing this with the organization i can raise the security awareness of what are the threats and what are the threat actors we need to be concerned with to develop the strategic plan we have to define the current state of security this is where we get into understanding the mission and vision of the organization and using a swot analysis to understand where we're weak and strong so the develop phase looks at the vision and mission the swot analysis we talk about visioning and innovation security frameworks we perform a gap analysis then we start building our security roadmap which is followed by our business case and our policy development process the mission and vision of red casino are important for me to understand at this point the mission is what the casino is doing today security has to contribute to and help enable that mission the vision is what the casino is trying to do long term what it's trying to become security also has to work with and enable that vision without knowing what the vision and mission are security won't be informed to help enable the business you know some organizations don't have a mission or a vision statement so you may see security struggle struggling to figure out what's its role what's its goal or purpose if you're in a situation like that i would recommend getting together with a security team and creating a mission statement for the security team that helps build a more cohesive team and gets everyone working towards the same goal i've done this in two different organizations now the last time i did it the hr department actually came to me and said i don't know what you did but this is the most cohesive team we have an organization that speaks a lot to building that mission to get them on the same page it gets everyone going the same direction it's really beneficial during the develop phase it's a good approach to use a tool called a swot analysis so the swot analysis is a strategic planning tool that looks at the strengths weaknesses and opportunities and threats that we have in security you know i have a sample swot analysis that i put together here for red casino the strengths for wrecked casino are we have available revenue we're interested in progressing the weaknesses are there's no security program in place right now we have outdated technologies there's no business continuity disaster recovery no trained staff the opportunities we can create a formal security program we upgrade technological controls hire competent security staff the threats we kind of alluded to this already we've got some bad actors some insiders some vendors we need to be concerned with that is the swot analysis we're going to keep that in mind as we work through this develop phase part of delivering the strategic plan for security is having a visioning and innovation mindset security needs to be an innovative for the business we need to think about what's the business and what's security going to look like in the future what challenges are we going to face how security going to be implemented let's say the casino of the future goes all virtual right how can security be a differentiator for the from the business from that perspective we need to be thinking about that as we build our security program in the grand scheme of things security has a short shelf life we can't just maintain what we're doing today and expect to work a year or two down the road we have to look for ways to get more from what we have now and how can we scale out with the business and imagine what security looks like in the future without that visioning and innovation mindset and that approach we're going to probably build a tactical plan and not a strategic plan during the development phase i also need to determine how are we going to implement security here at red casino now i want to take a structured approach to implementing security i don't want to take the ad hoc approach that's going to be a recipe for disaster what i need is a recipe for success kind of like a cookbook for security using industry standard frameworks i can prioritize and communicate security in a way that executives and business leaders can understand i know i'm already subject to mix but that's not enough mix is literally minimum internal control standards the minimum is not going to cut it here a better approach would be implemented than this cyber security framework in cis controls so on the left hand side of this slide we have the cis controls maintained by the center for internet security these are the top 20 critical critical controls you can implement now that stop the majority of attacks on the right hand side the slide at the top we have the nist cyber security framework it looks at security from these five different functions that we insecurity basically do identify protect detect respond and recover this helps us ask what are we doing today how are we doing where do we want to go and when do we want to get there now if you look at both these frameworks there's a lot to thought of actions and objectives to implement i can't do all this at once so i'm going to have to take a structured approach over a period of years possibly i also need a way to measure maturity of the security program right to tell how am i doing and answer that question how is security in wrecked casino this is where the capability maturity model comes in it lines out five different levels of security starting with the bottom and going up we have level one initial processes are ad hoc and chaotic we're basically running security with heroics and duct tape level two processes are more defined but we're still reactive level three is where it all comes together and gets more optimized we have incident response we have bcpdr we have security awareness things are going great now level four is in level five levels of maturity what organizations that have found is that security becomes a drag coefficient on the business and it becomes more difficult to get things done then they actually roll back to level three and this is kind of where the better balance is and what the industry's striving for today using the security maturity frameworks like this is an approach that executives and business leaders can understand these are well socialized in ministry and understood so after this analysis i want to meet with the ceo and go this is where we're at this is the maturity state of security and organization and i can visualize that with a slide like this this measures maturity and with the using the cmmi and the nest cyber security framework functions identify protect detect respond and recover so i meet with the ceo and say mr ceo this is where we're at at the bottom we have the five levels of maturity now the red lagging is where we don't want to be the industry is an important question to answer for the executives because this is where our peers are our competitors from a security perspective then you have beyond that which is leading so currently we are lagging in all these five functions right this is the current state dark blue the light blue is a target state this is where we're trying to go so we want to improve beyond lagging and identify but we want to move beyond industry and protect we actually want to lead the industry and detect respond and recover this is where we're at this is where we're trying to go now this is also a good way to visualize areas of under investment or over investment in your security program so this is a good slide to have in your back pocket as you build that security program so we're getting into the strategic roadmap phase of the uh the development phase now now that i have a framework for security maturity i need to build a program within those frameworks the gap analysis is the core of the strategic roadmap process the gap analysis looks at the five functions of the nist cyber security framework and looks at what are we doing today where do we want to go in the future and what do we do to bridge that gap so take a look at we have the top we have the functions then we have the current situation initiatives in the future state so take a look at the respond function second from the bottom so the current situation is there's no incident response capability to limit the damage of an incident now jump out to the future state on the far right we want to be in a position where we can respond to an incident to limit the intrusion and determine the cause how do we get there create a sock you know leverage third party stock incident response team or incident response retainer have threat intelligence and information security sharing pr grams and we'll do this for each of these five functions and it comes up with the initiatives that we're going to pursue to increase our strategic plan for security now take all those initiatives that we identified then i'll create a multi-phase roadmap and i'll present a plan for security for the next three years remember that i can't do all this at once right there's too much to do and i have limited budget and resources at this point i'm new to the organization so in the first year we're going to work on security policy and governance then we get into the vulnerability vulnerability management program and that takes us into the second year then we have data loss prevention at the end of year one takes us across years two and three then in year two to year three we're getting to cloud devsecops and a security operations center because we're a 24x7 365 casino we need a sock right the next item on the agenda is to get buy-in and budget for the strategic plan the best approach to build a security business case i didn't really get into security business cases on here because most organizations have a formal template or approach they want you to follow so it's best to follow that one but i will talk about three good approaches for including in that case you want to look at what business initiatives can security align with and enable for example the secure mobile applications right if we're trying to roll out secure mobile applications as an organization security can help enable that i can include that point in my business case what's the cost of security versus the cost of a breach that's another way of approaching this then what revenue can we gain from a security initiative if that going back to that mobile application initiative if that's the initiative and the customers can make reservations and order tickets and all that that's going to result in increased revenue i can include that aspect in my business case just some approaches to keep in mind there from a business case perspective getting into policy development now in the development phase as the cso at wrecked casino my job is to enact change policy is one of the most powerful tools i have my disposal to help steer the organization in a certain direction enacting change is not a fast process right every organization has a pace at which it adapts and accepts change this is something i have to keep in mind at wrecked casino there's no security program here right there's a lot of change that needs to take place i'm not going to be able to change everything i want in the first year the second year or possibly even the third year changing culture is a slow process and it can take a number of years to accomplish so what is policy policy is the best security no money can buy let me explain policy is a preventive administrative control in most cases in some cases it's more effective than technical controls that you can have right and it starts with the risk assessment and what does all this cost literally the time it takes to do the risk assessment and create the policies right we need policies to enact change but we also need techno technical controls head count hardware and all that takes budget but i'm the new sea salt red casino may not get that budget at first they're not going to throw the keys to the kingdom at me as soon as i walk through the door hand me a blank check or throw you know loads of money i'm gonna have to win the trust and confidence of the executive team and the business leaders as their trust in me grows i can expect my security budget to grow along with that as well until then policy is the best tool i have to drive the security program at this point you don't want to wait till bad things happen to start creating your policies right you don't want to wait until oh they rebooted the system during the course of the day and then go well apparently we need a policy for that we want to do risk assessments and identify what policies we need to have in place now another way a good way to approach that is with tabletop exercises walking through a ransomware incident or employee termination it took 48 hours instead of the one hour you know what happened they have vip in remote access walking through tabletops like that helps you identify where your deficient policies and procedures i have an example risk assessment here on this slide just glancing at it we know provisioning and access control is the first high risk item in red we have employees are bypassing the involvement of it and information security clearly we need a policy for that going down to the next one threat prevention there's only signature-based threat prevention for malware detection in the cloud so we need a threat prevention policy for cloud services this is the approach we want to take as we create our policies we want to identify them before we need them so my approach to creating the policies is going to be with security and compliance baked in by design all the policies i create are going to have the regulations the laws the compliance frameworks and everything else that we need to follow and i'll also include any slas or contractual obligations that the casino has in this case i know about mix right but there's also pci gpdr any other associated laws that we have to follow especially if we're a geographically dispersed organization as an information security leader i can't possibly keep up with all that so i'm going to work with the business risk and the legal departments because that's their job is to keep up with all these risks and legalities we have to be aware of i'm going to include them in a policy development process so that's concluded in there we don't overlook that so this slide is an example of just a baseline set of policies in a typical organization right i'm going to start here just kind of as a reminder what i should be looking for in my risk assessments and what policies should be thinking about that we need after i identify those i'm going to what policies i am i got to figure out which ones do i implement first and that's an easy question to answer it's the ones that reduce the most risk first right and i'm not just going to sit at my desk and churn all these out all in the silo by myself i'm going to meet with other business owners in the organizations other business leaders and get their input how's this going to affect the work you do what kind of wording do you want in this policy do we need a policy steward over here right after that's all done and worked out you know we might consider just doing a policy steering committee would be a better approach then when they're pushed through to approval and are ratified we will start socializing them through the organizations posters newsletters annual policy reviews security awareness programs you know there are multiple ways we can do this but we need to make the organization aware of the policies we have so they know what to do to protect them from doing the wrong thing with the strategic plan for security in place we now have to look at how to deliver that program this gets into security metrics marketing plan executive communications policy assessment policy management there's a lot of depth to all these topics you see in the deliver phase while this topic list is shorter than the other two phases in this day of management 514 in this phase really sets the stage for making a transition from security technologist to security leader right delivering on a strategic plan for security means showing your value capabilities as a security leader this is where you get to prove yourself i'm only going to cover a few key points from this phase the reason for that is is that wrecked casino is really immature from a security perspective right now the goal here is to get the strategic plan developed and get the work started if you look at security metrics marketing executive communications policy development assessment that takes more time and you have to mature that over time and it takes more context to apply to that just developing the plan that's the reason why i'm just going to highlight a few aspects of these to deliver on a strategic plan for security i have to communicate the state of security in a way that everyone can understand metrics is the best language that uh it's a universal language right so i'm going to use a simple metrics dashboard this is because metrics programs take a while to build up you just can't do it in a few months or a few weeks this is going to take some time so i'll look at this from the perspective of the the five functions of the nest cyber security framework where are we at identify protect detect respond and recover when the ceo glances at this immediately he's going to see the red and ask well what's going on here well i recover you know that perspective that function we're in the red we're not doing so well but we're trending up and i'll highlight why we're in the red and what we're doing to make things better and the same thing at the very top you know we're in the yellow uh managing risk to systems access data capabilities i will highlight out there why we're in yellow and why we're trending up what we're doing to make it better anytime there's an anomaly in your metrics program you want to answer those questions why is it doing this and what are we doing to make it better over time as the metrics program matures i'll enter i'll present kpis balance scorecards and metrics dashboards and socialize those throughout the organization and i'm only going to share metrics which have business strategies of business drivers business drivers behind them and not just metrics for the shape the sake of sharing the metrics so we also have to market for security now to give us delivering phase we need to market for security to build our brand and what is our brand it's our products and services our capabilities right that from a high level perspective things like we in security provide secure email we provide secure cloud storage we need to market to our constituents so they're aware of this so if they need those things they can make the appropriate request and we can provision them for them if we don't make them aware they'll go get this on their own and what you end up with is shadow i.t and you don't want that right we also have to market for our initiatives this is what we're doing in security to make things better this is how it's going to impact you and this is how you're going to change what you're doing now to to line up with this and not encounter all this that you could possibly encounter then we have to market for employee retention we want to keep the people we have in the organization we also want to recruit people right so we're going to market this is what we're doing in security all these cool and great things we want to market to maintain and establish relationships for the organizations that's internal relationships and external relationships our clients and our customers and vendors as well there's a lot of things to do with marketing for security you want to keep in mind as you market your marketing initiatives you have to know your audience we have to know what our goal and purpose is we have to shape our message accordingly for each one of those audiences when you're communicating with executives you know you want to use concrete terms and avoid acronyms and don't bury the lead start with what's important to the executives first and then follow up with what security did now that i've done all this research and analysis i've come up with a strategic plan for security i have to lead motivate inspire my team to get the work done leadership and management competencies and management 514 gets into building effective teams team dynamics team engagement and actually leading the change leading teams and individuals is one of the most challenging things that security leaders are going to incur right this most challenging thing we have to do we have all these tools for understanding the organization like pets swat road maps and we don't have that for people it takes consistent effort to build these leadership and management competencies we have to really focus on that things like we can use things like personality assessments we can send individuals that have direct reports to security leader training or management training right that you can't just go get security and leadership management companies from a vendor and you can't just take a class and come out a leader you have to really focus on that but i need to keep a few things in mind and that's building a positive team culture uh inclusion and diversity and the acceptance of others i don't want a toxic environment they want them to understand the importance of security and actually what the business does right i want them to connect those two i need to be aware when burnout is a problem that's another thing sometimes your team starts to get burnt out from all these psychological and mental factors to go along with life you have to reboot your security team member and bring them back so they can start working good right this happens this happens a lot people get burned out i also need to understand where each team member is in their career and what skill sets they have because that's going to change my my leadership style and my management style for each individual i won't take the same approach with a seasoned veteran that i will with a new hire because that won't work and vice versa so to close out the presentation what would it look like at wrecked casino today right we have a security program in place security awareness is raised we have grc and policies incident response is operationalized when that malware comes in and that end user sees it due to security awareness program they don't click on the link they they send it to information security go like is this is this bad can you check this out this ransomware.exe looks bad insecurity goes yeah that's bad good catch right many security programs do this every single day and nothing is ever mentioned we've got to get better at calling value calling this out when we make these wins like this that has value to it using your metrics programs and start socializing that with your executives and your business leaders so management 514 is just a third of the triad of the courses that make up the path for becoming a transformational cyber security leader there's also management 512 security leadership essentials for managers and management 521 leading cybersecurity change and building a cybersecurity-based culture these are these three courses along with management 514 provide the path for leading security in today's modern organizations this is part one of a four part series right be sure to check out the upcoming webcasts part two with kevin garvey kevin garvey rather episode management 512 on february 10th we have part three with lance spitzner maps to management 521 on february 17th and then you have myself kevin garvey lance spitzner and russell eubanks on february 21st where we are the 24th rather where we will answer all the questions about the series explain the perspectives of how this all comes together to create a transformational cyber security leader and i thank you all for attending the presentations and we'll open it up for q a yes joe we have a couple of questions the first one how about privacy in the mix as security plus privacy is the path forward and this was when you were on the maturity model slide so i'm sorry i was trying to yeah you were you were on the maturity model slide okay the question was how about privacy in the mix as security plus privacy is the path forward privacy we have to take account into a privacy especially today privacy is a big issue and i wrote a blog post a personal blog post about this with uh about signal to move the signal the gist of it was privacy is gone right there's no way we're possibly going to get total enamel and then eliminate it and then i can't talk anymore anonymity and privacy at this point with the amount of data that's already been exposed and the data that's being collected on us the most that we can hope for at this point right is to get something like gpdr we actually have control over how our data is used i think that's our best approach for privacy go ng forward hope that answers your question there perfect the next question i'd like to ask about cyber security capability maturity model program how good is it in comparison with the others the cyber security capability maturity model now the cmmi was actually created for uh secure development for for software right we've adopted the principles for that for cyber security because a lot of those same principles can be adopted and lined out with your security program so there's a difference between those two we're just modifying it for information and not the software development process terrific the last question we have can you clarify the roles of maturity assessment and risk assessment as part of your strategic planning process so risk assessment is i'm going to look at things like an employee termination process what are each steps what's the risk if we don't do the employee termination process in this window what's the bad things that can happen that's what i'm going to do what was the other part of that sorry oh sorry let me go back to it um let's see can you clarify the rules of maturity assessment and risk assessment as part of your strategic planning process so during the risk assessment process what are my goals for employee termination how long is it going to take me to mature that to where i can terminate an employee within like say five hours may not have everything i need right i may have a one-person security team i've seen that in a lot of organizations where they're overworked they're overwhelmed so my goal is maturity like in three months four months six months one year or two year where do i want that employee termination to be and what's the risk i'm going to incur what's the risk reduction over that process you line that out present your executives so they can make that business decision on what they want to invest in your security program just as one example great we have another question can you elaborate the mapping between risk assessment nist csf cis controls threat modeling slash pest cmmi in deriving key strategic planning key metrics that would take a while to to kind of explain i'll tell you what i'll do i will save that question i'll actually answer that in the following blog post for this webcast how's that that sounds great and so everybody knows there will be a follow-up blog post for this and in the chat i'm putting the link to the blog post about the triads which includes information about the upcoming webcasts and blog posts for this transformational uh series as well as the march operational series and if anyone has any other questions we'll give it a few seconds to see if anyone types anything in all right we'll be on the lookout for the blog to be posted and we hope to see you or have you with us again next week joe thank you so much for your time and you all have a wonderful rest of your day thanks everyone have a good day you