CISO's first 100 days on the job

1. BY DESIGN, NOT BY CHANCE
CISO’S FIRST 100 DAYS
Michael A. Sadeghi, Ph.D. ABD, CISSP

2. AN IMPORTANT GOAL FOR TODAY’S
PRESENTATION

3. WHAT WE COVER TODAY
• Some Infosec facts and statistics
• Key questions for Senior leadership
• Defining the “CISO” terminology
• 360 deg. View of the role
• First 100 days roadmap
• Final thoughts

4. SOME STATISTICS (2018 VERIZON AND WTO REPORTS)
• The cost of cyber intrusion damage is estimated to be about a Trillion
dollars/Yr and increasing. As a comparison, the cost of all natural
disasters in 2017 was $300 Billion
• Economic cost of a major cloud provider taken down is about $50-120
Billion
• Equivalent to the Sandy to Katrina hurricane damages!!!
• In 87% of cases, attackers are able to compromise an organization within
minuets. 68% go undiscovered for months or more!
• 75% of attacks spread from Victim 0 to Victim 1 within 24 hours
• Organized Cybercriminals were behind 50% of all the breaches
• You have 16 min until the first click on the phishing campaign
• Insider attacks are particularly difficult to defend against

5. KEY QUESTIONS TO ASK
• How can you detect a compromise?
• How do you judge the severity of the compromise?
• What is the impact of the compromise to your organization?
• Who is responsible for detecting and reacting to the compromise?
• Who should be informed or involved, and when do you deal with a
compromise when its detected?
• How and when should you communicate a compromise internally or
externally? (Note, sometimes engaging authorities is required by law.)

6. BROAD STROKES
• Good news
• Most typical threat vectors are well understood and are defended
against!
• Rising tide has raised the average IT and information security
implementation
• Bad news
• If you are a targeted industry, the attack vectors are much more extreme
and hard to defend against!
• DoD and Intel, Research and development organizations, HHS, FDA, Medical,
etc.
• Its not a question of IF but WHEN a major breach will occur.

7. DEFINING THE CISO TERMINOLOGY
• Traditional vs. Other/Alternative?
• Difference is in sufficient responsibility and authority
• Wikipedia definition – Key takeaways
• Senior level executive, Responsible for enterprise vision, strategy and
program, to insure information assets and technologies are adequately
protected.
• Typically CISO’s influence reaches the entire organization
• Responds to Incidents, Establish standards, Manage security technologies,
and Direct implementation of policies and procedures

8. CISO CAN COME IN DIFFERENT “FLAVORS”
Traditional
• Most senior manager specifically dedicated to InfoSec
• Is no more than two steps away from the CEO
• Has a staff of SMEs covering each of the areas of the responsibility
• Alternative/Other
• Scope may be limited to a division, business unit or geography
• May be a collateral duty
• May be buried deeper in the hierarchy
• Key question – Is this a Traditional or Alternative role

9. 360 VIEW OF THE ROLE AND RECOMMENDATIONS
Effectiveness starts with understanding

10. THE FIRST 100 DAYS

11. ROADMAP OF THE FIRST 100 DAYS
Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75 90-
100

12. Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75
“Lets do lunch”
PREPARE
• Learn about responsibilities within the constraints of the culture of the
company
• Draft communications to make a great impression on day 1
• Set up meetings with your team and key business, IT leaders and
auditors.
• Use lunch as a relationship building opportunity
• Learn about colleagues and staff
• Colleagues – Be prepared to mend fences and reset expectations
• Assess staff - Any skill deficiencies, any attitude issues?

13. ASSESS
Gain comprehensive insight
• Commitment of the leadership to the security effort – involved vs
committed
• In a Ham and Egg breakfast, Egg is involved and Pig is committed 
• Compile a list of the stakeholders and involvement – Maybe a long list
• Cybersecurity Posture
• Identify the business and IT goals
• Identify people, metrics, technology and financial parameters
• Which security initiatives have been implemented in the last few years?
• Has organization experienced any cyberattack or date breaches? What was the
Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75

14. EXECUTIVE SPONSORSHIP
Do a quick determination of commitment of
executives:
• Committed or Involved ?
• Investment in resources ?
• Willingness to hold people responsible ?
• Direction will be guided by the answer
Education Execution

15. ASSESSMENT METHODOLOGY

16. NIST CYBERSECURITY FRAMEWORK
EVALUATION VS. EXPECTATION EXAMPLE
0 1 2 3 4 5 6
Identify
Protect
Detect
Respond
Recover

17. PLAN
Will define a blueprint for action
• Is leadership involved or committed – Plan action accordingly
• Will define security strategy
• Mission statement
• Strategic goals
• Scope
• Model of operation – Physical, virtual, or hybrid?
• Services – Responsible for the entire network or subset of the network,
specify the details
• Roadmap
• Key performance indicators (KPI) and metrics
• Plan the budget for the next 2-3 months
Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75

18. NIST CYBERSECURITY FRAMEWORK

19. ACT
• Ensure senior management is commitment to the security charter
• Redefine/hire team as necessary
• Get involved in existing projects
• Help Design – Physical, Virtual or Hybrid solution?
• Technology selection is a major part of current and future SOC state
• How SOC will collect data – Centralized Security Information and Event
Management (SIEM) Tool
• Set budgets
• Establish/re-establish security governance processes and forums
Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75

20. EXAMPLE OF MATURE SOC W. LAYERED SECURITY, NETWORK
SEGMENTATION, AND MONITORING TECHOLOGIES

21. INTERNAL SOC
ADVANTAGES DISADVANTAGES
• Dedicated staff • Larger up-front investments
• Known environment, better than third
party
• Higher pressure to show ROI quickly
• Solutions are generally easier to
customize
• Higher potential for collusion between
analyst and attacker
• Potential to be most effective • Less likely to recognize large-scale,
subtle patterns that include multiple
groups
• Most likely to notice correlations
between internal groups
• Can be hard to find competent SOC
analyst
• Logs stored locally

22. OUTSOURCED SOC
ADVANTAGES DISADVANTAGES
• Avoid capital expenses – It’s their
hardware and software
• Contractors will never know your
environment like internal employees
• Exposure to multiple customers in
similar industry segments
• Sending jobs outside the organization
can lower morale
• Often cheaper than inhouse • Lack of dedicated staff to a single client
• Less potential for collusion between
monitoring team and attacker
• Lack of capital retention
• Good security people are often difficult
to find
• Risk of external data mishandling
• Unbiased • Log data not always archived
• Potential to be very scalable & flexible • Log data stored off-premises
• Expertise in monitoring and SIEM tools • Lack of customization
• SLA

23. TECHNOLOGIES TO ADDRESS DIFFERENT
ASPECTS OF THE ATTACK CONTINUUM

24. MEASURE
• Start providing evidence of impact and reports
• Develop an executive reporting framework and
process
• Monitor program and project progress
• Highlight early wins and challenges
Days
Communicate
Measure
Act
Plan
Assess
Prepare
-10 0 15 30 45 60 75 9
1
0

25. FINAL THOUGHTS
Strategic
Effective
Relationshi
Technical
Catalyst for
Risk
Leadership
& Vision

26. THANK YOU!
References:
• Verizon 2018 Data Breach Investigation Report
• 2018 WTO Global Risk Report
• CISCO’s building and operating a successful SOC report
• Gartner’s roadmap for CISOs to succeed
• Co3Systems, Bill Campbell CISO your first 90 days report
Michael A. Sadeghi, Ph.D. ABD. CISSP. |
msadeghi@edgeworktech.com