Tuesday, April 29, 2014

How Do You Spell CISO? - What's a CISO Do? part 2

   A while back I started a new job as a CISO.  It's the second time I've held that title at an organization.  What's interesting about that is that both times it was a new position for the organization.  I wrote about my initial thoughts and plans in a post here.  I expanded upon those ideas in a follow-up post here.  This post will round out this series.  These posts will also serve as the "outline" of a talk I'll be doing at Secure360 this year.

   For those of you who are not familiar with Secure360, it's THE upper midwest US security conference.  There's still time to register, come on out and enjoy!

   There are many demands on the CISO.  But part of the art of the position is to juggle the more granular tasks with overall priorities while trying to be strategic.

   If you've spent some time learning the business and creating alignment, then it is time to create your security strategic plan.

   All organizations need to know where they are going.  Your security program also needs vision and direction.

Strategic Planning.  People use the word "strategy" in different ways.  To me, strategy refers to a long-term, high-level goal or outcome.  The timeframe should be 3-5 years and the strategies do not contain a lot of detail.

   Here's a graphic I've used to show the relationship of strategic hierarchy terms:

    A key to security strategy is the use of a high-level framework.  There are many available, well-known and vetted frameworks including: NIST (and the 800 series), CObIT and HITRUST.  I'm a big fan of the maturity model in CObIT.  I've written a bit about this in the past.

   We used a number of different sources as input to the strategic planning process:
  • information from business leaders (as described in part 1) - for alignment and risks
  • information from the baseline (also in part 1) - for an understanding of maturity and gaps
  • a threat modeling session - I will perhaps need to explain this in more depth at another time.  Basically, we brought the security team together to brainstorm a list of: assets, actors, actions.  These led to a number of threat scenarios.  These were then reviewed for impact and likelihood - basically a form of risk assessment.
  • visioning - Another item that will probably need more depth.  We took the 13 high-level control objectives of the HITRUST framework and did a visioning exercise.  We time-traveled 5 years into the future!  And that future security program was Awesome!  The team then described that awesome future program, capabilities and toolset relative to the 13 high-level control objectives.  This was followed, after returning to the present, with a short sanity check dividing the listed items into: shorter-term (0-2.5 years), longer-term (2.5-5 years), and "probably not realistic".
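As an added illustration of the threat modeling session described above (example code written for this post, not something the author's team used), the script below crosses the brainstormed asset, actor and action lists into candidate scenarios, keeps only the combinations the review rated, scores each on impact and likelihood, and ranks the result into a simple register. The 1..5 scales, the multiplicative score, the tier cut-offs and every sample entry are assumptions.

```python
"""Turn a brainstormed assets/actors/actions list into a ranked risk register.

Added example; the lists, ratings, scales and tier cut-offs below are all
constructed assumptions, not data from the post.
"""
from dataclasses import dataclass
from itertools import product

# Constructed sample brainstorm output (assumed, not the post's real lists).
ASSETS = ["patient records", "payroll system", "public web site"]
ACTORS = ["external criminal", "careless insider", "malicious insider"]
ACTIONS = ["exfiltrate", "modify", "disrupt"]

# Constructed review ratings: (asset, actor, action) -> (impact, likelihood),
# each on an assumed 1..5 scale.  Combinations the team judged inapplicable
# are simply absent and drop out of the register.
RATINGS = {
    ("patient records", "external criminal", "exfiltrate"): (5, 4),
    ("patient records", "careless insider", "exfiltrate"): (5, 3),
    ("patient records", "malicious insider", "modify"): (4, 2),
    ("payroll system", "malicious insider", "modify"): (4, 2),
    ("payroll system", "external criminal", "disrupt"): (3, 2),
    ("public web site", "external criminal", "disrupt"): (2, 4),
    ("public web site", "external criminal", "modify"): (3, 3),
}


@dataclass(frozen=True)
class Scenario:
    asset: str
    actor: str
    action: str
    impact: int       # assumed 1 (negligible) .. 5 (severe)
    likelihood: int   # assumed 1 (rare) .. 5 (almost certain)

    @property
    def risk(self) -> int:
        # Simple multiplicative score, 1..25 with the assumed scales.
        return self.impact * self.likelihood

    @property
    def tier(self) -> str:
        # Assumed cut-offs; tune to the organization's risk appetite.
        if self.risk >= 15:
            return "high"
        if self.risk >= 8:
            return "medium"
        return "low"


def enumerate_candidates(assets, actors, actions):
    """Every asset x actor x action triple from the brainstorm, unscored."""
    return list(product(assets, actors, actions))


def build_register(candidates, ratings):
    """Keep only reviewed triples, validate the scales, return scored scenarios."""
    register = []
    for triple in candidates:
        if triple not in ratings:
            continue  # judged not applicable during review
        impact, likelihood = ratings[triple]
        for name, value in (("impact", impact), ("likelihood", likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} for {triple} must be 1..5, got {value}")
        register.append(Scenario(*triple, impact=impact, likelihood=likelihood))
    return register


def rank(register):
    """Highest risk first; ties broken by impact so severe-but-rare items float up."""
    return sorted(register,
                  key=lambda s: (-s.risk, -s.impact, s.asset, s.actor, s.action))


def summarize(register):
    """Scenario count per tier: a one-line status for the leadership conversation."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for s in register:
        counts[s.tier] += 1
    return counts


if __name__ == "__main__":
    ranked = rank(build_register(
        enumerate_candidates(ASSETS, ACTORS, ACTIONS), RATINGS))
    for s in ranked:
        print(f"{s.tier:6} {s.risk:2}  {s.actor} -> {s.action} -> {s.asset}")
    print(summarize(ranked))
```

The explicit ratings table is the point: the cross product produces 27 candidates, but only the seven the review actually rated survive into the register, which mirrors the session's "review for impact and likelihood" step and keeps nonsensical combinations out of the strategy input.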
Tactical Planning.  As strategy gives us the "Why?" or outcomes, tactics get more to the "How?".  Each of the high-level strategies is supported by one or more tactics.  For example, one might have a strategy focused on Risk Management.  The associated tactics for this strategy can include items such as: establish and cultivate a governance structure for evaluating risk and determining disposition; and/or align security activities with your chosen framework.

Roadmap.  You need to create a prioritized list of more specific proposed projects and activities.  These are then mapped to a timeframe.  You will need to take into account any dependencies among the activities, as well as the resources needed.  Be realistic... don't set yourself up for failure here.  It's always better to under-promise and over-deliver!

   Once you have these pieces of the puzzle, all you need to do is... Execute!

   Of course, there are many other components to a holistic security program.  What other critical pieces do you think need to be considered in the development of a new program?
