
Structuring the Chief Information Security Officer Organization

Jun 09, 2021
Hello from the Carnegie Mellon University campus in Pittsburgh, Pennsylvania, and welcome to the Software Engineering Institute webinar series. Our presentation today is about structuring the chief information security officer's organization. Based on your location, we wish you a good day, a good afternoon or a good night. My name is Shane McGraw. I will be your moderator for the presentation and I would like to thank you for attending. We want to make today as interactive as possible, so we will address questions during the presentation and again at the end of the presentation. Submit questions to our event staff at any time using the questions tab in your dashboard.
We will ask some polling questions throughout the presentation, and they will also appear as a pop-up on your screen. In fact, the first polling question is up now. The question is: how did you find out about today's event? Three other tabs I would like to point out are the files, Twitter, and polls tabs. The files tab has the presentation slides as a PDF copy along with other CISO-related SEI work and resources. For those of you who use Twitter, make sure you follow @SEInews and use the hashtag #SEIwebinar. Once again, follow @SEInews and the hashtag is #SEIwebinar. Lastly, the survey we ask you to complete when leaving the event: your feedback is always greatly appreciated. Now I would like to introduce our two presenters today. Julia Allen will be joining us from California. Julia is a principal researcher within the CERT Division of the Software Engineering Institute, where she has been since 1992. She served as deputy director and director of operations for three years, as well as acting director for a six-month interim period.

She has been in the CERT Division since 1997. She is the author of The CERT Guide to System and Network Security Practices and moderator of the CERT podcast series Security for Business Leaders. Dr. Nader Mehravari is a senior member of the technical staff with the CERT Division of the SEI. His current areas of interest and research include operational resilience, cybersecurity and resilience management, critical infrastructure protection and maintenance, preparedness planning, and associated risk management principles and practices. Nader has over 33 years of experience leading and conducting technical, commercial, research and teaching activities in the aerospace, defense, telecommunications, transportation and consulting industries for national and international entities as well as academic environments. And now I would like to pass the presentation to Julia Allen. Julia, once again, is joining us from California. Julia, it's all yours, go ahead. Oh, great, I hope you can hear me.
Okay, thank you very much for that warm welcome and thank you all for joining us today. We are very excited about this work, something we have been working on for some time, and we hope you will find it useful too. Today's topics are listed here. Nader and I together are going to walk you through the process that we actually used to determine this candidate structure that we're going to discuss with you. Its foundation is four key functions that a CISO performs. We'll also talk about the sources we used to take them to the next level of sub-functions and activities, we'll present a candidate organizational structure, and of course we would be remiss if we didn't give you some ideas on how to take this work and apply it to your own organization.
I hope most of you are familiar with the Software Engineering Institute, and hopefully with CERT, under whose banner we are with you today. We are a federally funded research and development center and have been in business for some time, with our mission to improve the state of practice and state of the art in software engineering. For CERT, cybersecurity is the name of the game: all aspects of the full lifecycle, from policy and governance to detailed technical practices, controls and forensic investigations. The team that Nader and I are on is called the cyber risk and resilience management team, as indicated by Shane's gracious introductions.
We work on applied research through application with our commercial and federal, state and local partners, both US and international, specifically in the areas embodied in our CERT Resilience Management Model: resilience management and operational risk management. I think one of the unique perspectives that we have, as our experience amply demonstrates, is the integration of cybersecurity and other disciplines that can affect the mission of an organization. So I will start with a process diagram and then a text slide to give you an idea of this structure and how we developed it. We have worked for many years, since 1988 we have been in business, interacting with chief information security officers and security professionals around the world. You may know that we were heavily involved in the analysis of high-impact cybersecurity incidents and the forensic investigation, particularly on behalf of some of our government clients, so we have very pragmatic, tactical experience in dealing with large ongoing and subsequent incidents. And I think we all recognize the expanding risk environment; we will discuss this to a certain extent.
Oh, you need to worry. It is no longer enough to think about the traditional aspects of information security protection, but you really need to broaden your thinking not to if it will happen, but to when it will happen and how. you respond to recover and return to normal operations, so all these factors and the years of experience that the certificate has influenced our imports and observations to identify ISO 40c functions that will not break down for you and that serve as the basis for this structure organizational. we'll be discussing, so it's not up to you at this point, thank you Julia for helping us get started, as Julia mentioned, the first thing we're going to discuss today are these four key features that we believe are critical for leading information security organizations of nowadays.
I'm sure you all know that information security teams have traditionally been tasked with protecting organizations' information assets from cyber risks and attacks. We also know that such strategies are no longer sufficient. We read about cyber intrusions every day, and I would be surprised if there are some of you in the audience who have actually experienced it in your organization. There are some small ones, there are big ones, there are some that we know of and those that may not be obvious to our organizations. The core message here is that all those traditional schemes, strategies, tools and technology to protect an organization from cyber attacks are absolutely necessary and are no longer sufficient, because they fail from time to time, and when they fail, sometimes we do not know. Sometimes it takes us weeks or months to identify them; sometimes someone outside our organization tells us that such things are happening in our company, and there is good industry data on such statistics. Therefore, a second function very critical for organizations to consider as part of the information security team is to develop and improve their ability to monitor and detect these types of abnormal activities in their organizations. We want them to become hunters of adversaries that might have penetrated a system or environment and search for them very explicitly. So this is a necessary second function that needs to be implemented. We also don't think it is enough, because adversaries are very smart, they are very good at hiding, and sometimes it takes some time to identify them while they are doing their job.
We now frequently hear about the setbacks of cyber attacks. They are often the disclosure of private identifying information. They reveal some corporate messages. Maybe they cause some loss of credit card information. All of them are mainly the interception of information or its fabrication or modification. These are things we all hear about. Recently, however, adversaries are becoming interested in other things: they are becoming interested in disrupting or destroying data, shutting down daily operations, causing physical damage to infrastructure, and deleting or destroying data. Once we realize that, there are examples of such incidents that we hear and read about from time to time. The recent cyber incident at Sony Pictures is a good example of it: in addition to all the consequences of that cyber incident, Sony's business operations were affected because the cyber intrusion caused damage to the IT infrastructure. Therefore, a third critical function for information security teams to be fully involved in is to respond, recover, and sustain operations once bad things happen: incident response type activities, being involved in business continuity, being involved with disaster recovery, having coordinated efforts to respond to and recover from cyber intrusion events.
These seem critical, but they won't be as effective if they are not supported by a comprehensive set of integrated management, governance, perhaps some compliance, education and risk management activities. We can throw all the tools and technology at the problem, but if we don't worry about the items listed at the bottom of this structure, if you don't care about people and processes, the other functions won't work as well. These are the four key functions that we now believe are the key components of any information security team under the direction of a chief information security officer. So at this point I'm going to hand over for the polling question.
Well, as we mentioned at the beginning, we'll throw in some poll questions throughout the presentation to help us direct the flow of the talk, to make sure you're getting everything you need from this presentation. That question is on your screen now, asking whether these four functions cover your current or planned CISO responsibilities. We'll give you about 15 seconds to vote on that, and while you're doing that, Nader will answer a question from the queue. Joseph is asking: it seems like the top three functions are more of a technical, technology and engineering nature, and the bottom one is more of a set of critical non-technical activities. Is there a place I can go to learn more about how to do the activities in the box below? Let me know if you need a repeat. They are looking for a place to learn how to do the activities in the box below. Well, I think that's actually a relatively accurate characterization of those four boxes. When Julia began our discussion, she referred to a particular body of knowledge, the CERT Resilience Management Model, that our team was fortunate to have the opportunity to develop, maintain, and help organizations implement. In fact, it's a very good place for organizations and individuals to go if they want to learn about a comprehensive, integrated way of dealing with those people and process issues that are the focus of that fourth box.
Well, that's our answer. Another quick one coming from Duncan, asking if those three functions have to be in a CISO organization or could be spread throughout. It's a great question. In fact, the audience will hear a little more about this as we talk about additional details of the CISO structure. The idea is that no, not all of those functions or capabilities or activities have to report directly to a chief information security officer. There are existing organizational structures in our environments, in our organizations, that are difficult to change, and therefore our study has taken this into consideration, allowing certain functions to be outsourced to other entities within the organization or even outsourced to external entities. Okay, let me cover the survey result very quickly. The question was: do these four functions cover your current or planned CISO responsibilities? Our results were 61% yes, 37% partially, 2% no. So if you're in that partial or none category, feel free to chime in in the question box with some other responsibilities you have.
We'll pick Nader's and Julia's brains on some of those topics too, so feel free to write them down. So, Nader, it's back to you. I'll pass it on to Julia to continue our conversation. Thanks, Nader and Shane, I'm very grateful. So, as promised, we will continue to develop this process to determine the organizational structure. Nader talked about our conclusions in creating the four key functions that he described, and now what I am going to talk to you about is what we did to dig below them and really break them down and put some meat on the bone, by considering the series of sources that I'll describe on the next slide and then breaking them down by doing affinity groupings and mapping them to the next level of detail that would ultimately result in the organizational structure. So I'll tell you a little bit about that. Here are the sources that we considered; hopefully many of these are near and dear to some of your daily endeavors.
We have looked at a variety of typical information security policies for large, diverse organizations, diverse geographically, in mission and in products. In the US there is a whole series of publications from the National Institute of Standards and Technology, specifically 800-53, which is the catalog of security and privacy controls. Some of you may be familiar with the NIST Cybersecurity Framework that they have developed and that I have been promoting for your use. The next bullet, NICE, you may not be so interested in; this one is about the workforce, the education, the training, the knowledge, skills and abilities of the workforce, and how you put them into a framework, because, as we know, all of this is done by people. We took into account the current version of the SANS Top 20. We have talked about the CERT Resilience Management Model, and several organizations, including the US Department of Energy, have derived CERT-RMM-based capability maturity model process models; most notably, the Department of Energy's model is the basis for this effort and is noted in many industry-wide research reports on current practice.
Missing, maybe, is the entire ISO 27000 series, and although we didn't specifically map it, we confirmed that all of its requirements were covered by the combination of these sources, so they were all taken into account. Then what we did was we took all of these, we grouped them by affinity, we broke them down into their next level of functions, sub-functions and departments, and Nader will walk you through some of those gory details, just to give you an idea of the level of detail we went through. Some of these little details are actually available to you if you download our white paper.
We started with those four functions that I talked about, those affinity groupings that Julia talked about. We categorized all those key functions from all those sources into four groups and we started peeling away layers of the onion. We asked a question: okay, what needs to be done in certain departments, what needs to be done in certain sub-functions within each department, and, as I mentioned a few minutes ago in response to the question we had, we actually did consider that each of these function or department tasks could potentially be performed by another entity within your organization, outside of this organization. There is information available, and then we verified our work, making sure that all those good practice elements that we had extracted from those sources that Julia talked about are mapped and nothing has been left out. So this is the level of detail available that ultimately led us to draw a hypothetical org structure that one can see in your company as the structure of your chief information security officer. I have a sample of such a structure and I'll let Julia walk you through it. Well, at this point, Shane, we wanted to see if we had any questions from our listeners.
Let me put it up here for a second. Well, yes, one of Amanda's questions: are there other sources that should be considered when adapting the methodology discussed in this webinar? I guess you listed some resources on a previous slide. Do you have any other sources that can be adapted, or that we can discuss at this point? So some of those sources that Julia spoke to are our thematic sources that could be applied to almost any organization operating in any industry anywhere in the world. Clearly, when organizations want to apply some of this work that we have done to their own specific environment, there are other sources to consider. Clearly some organizations, depending on the industry they are in, have to worry about the rules and regulations imposed on them by that industry. If they operate in 50 different countries, they may have to deal with additional rules and regulations. So when you're trying to tailor that list of sources that we've given you to your needs, you might need to consider what other sources I should consider based on who I am, who I work with, what industry I'm in, what part of the world I operate in, etc. Okay, before we go back, Julia, let me just remind everyone, or anyone who joined us late, there is a file download tab on your console from which you can exit with a PDF copy of the slides.
The PDF copy of the slides from today's presentation is there along with the technical report on the CISO organization and other SEI work in this space. Julia, back to you. Okay, Shane, thank you, and many more thanks. So I was remiss in not mentioning the white paper at the beginning of my comments, but many of the details of everything we are discussing today, the mappings that Nader referenced, and a detailed description of this candidate organizational structure that I'm about to tour for you are all described in the technical report. For those of you who have downloaded the PDF of that report, I encourage you to pull up the candidate organizational structure if you want to keep it in front of you while I am describing each of these units; it could help serve as a navigation aid. Given the analysis that Nader described, we did it from the top, from the four key functions down to sub-functions, activities, departments, affinity groupings, analyzing what could be included and outsourced, etc. This is the structure that we developed, and we'll talk a little bit about this at the end, but maybe the way to hear this is to think about how these various activities are currently performed in your organization and use this as a sort of frame. You'll say, "Okay, we do that, we don't do that, this is something that's working particularly well, this is something that I need to shore up, or maybe I'm missing a function or a department entirely." So use this as something that you can compare your current organizational activities to, and I'm going to briefly walk you through each of these.
I'm going to go from right to left, starting with program management. Okay, so this is a pretty typical function in almost any organization, whether it's security or another related activity: you have planning, you have scheduling, the roles and responsibilities of the plan, making sure you have the right resources, dealing with funding, doing all the follow-up that happens when, in this case, we are making a significant investment in an organization for information security. I would like to point out to you in particular the last point, which identifies the business functions enabled for review and evaluation, because cybersecurity, and the whole of the CISO organization, is a support function that is there to make sure that the business continues to function as intended. So it's a key part of the CISO function, in the program management office and then the manager responsible for that, excuse me, to make sure that all the business functions are enabled as needed by security activity. Again following the org map, the next department is governance, risk and compliance, sometimes called GRC, not to be confused with GRC tools. We recommend the use of tools, but first you should know what you are doing before embarking on any type of acquisition and implementation of tools. This is where the program plan is done at the policy level, setting the strategic guidance for the organization and making sure that guidance is followed, making sure you have a reasonable risk management framework and process in place to identify, monitor and mitigate risk, and then all the oversight.
I'll talk specifically about the significant oversight role of the Information Security Executive Council in a moment, but this is just making sure that change management and the other oversight board meetings are done from a compliance perspective, making sure that controls are appropriate, and interacting with the organization's audit function. Last but not least, personnel and external relations: managing your suppliers, vendors and contractors, interacting with your business partners, staying in touch with key government agencies (an important example is the US Federal Bureau of Investigation), ensuring that your relations with the press are well established, and then dealing with all the people aspects that come with an effective cybersecurity program: knowledge, skills, training and awareness, acceptable use. So all those things live within the program management department and its units in this candidate organizational structure. I'm going to move on to more operational aspects of the organization, and I suspect that many of you have these. Security operations is responsible for all the daily security operations activities, and this is a case where much of this is done by the IT organization with oversight from the CISO. As some of you know, I'm sure, the relationship between the CISO and the CIO can sometimes be contentious and trying because they are trying to achieve different objectives, but they really have to work together effectively to establish situational awareness and intelligence gathering.
This is where the monitor, detect and hunt function that Nader referred to is largely realized. Security operations manages all the malicious code that crosses your desk, and this is also the first line of defense for cybersecurity incidents, sometimes called the computer incident response team or computer security incident response team. These people interact with the other important department, emergency operations and management, which is very active, and these are the people who mobilize when something big happens, so they exist as an entity. I'll talk to you in a moment about the things that you do during normal operations, but when something big happens, emergency operations, as a team or management department, interacts intensively with the security operations center to ensure that all feet are on the ground, people are in the roles they need to play, they think about what is happening, communication channels are established, and that they are carried out for the assets, applications and systems that are compromised. In times when they can take a breather and aren't busy putting out fires, they plan for incident management, business continuity and disaster recovery, and conduct test exercises and drills to make sure the organization is prepared when something happens. I would say probably one of the biggest gap areas we see in many of the organizations we work with is in the area of problem management, with root cause analysis and after-action reporting. Usually, when the dust settles after something big, the organization often doesn't have the collective will to dig deep and figure out how we got to this point, and that's really in this particular sub-function where you're really digging, trying to find out what processes worked and didn't work, developing after-action reports, communicating with all the key players, and of course investigation is a key part of this capability. Let me pause here for a moment, Shane, if you have any questions at this point before we describe the last major department. We have a couple of questions here, one from Duncan asking where the security architecture function would sit: with other architecture practices or in the CISO organization? A perfect question, that's my next slide, if I can keep that question until one more slide progresses. Yes, we have another one from Carl asking: managing third parties, for example cloud providers, and provisioning connectivity to ensure that risks to business data are appropriately managed is a significant challenge.
Can you give us more information on how to approach this organizationally? So bear with me while I back up a little bit, two slides ago, to personnel and external relations. We have a home for that function, and it's called external relationship management. In the CERT Resilience Management Model we call it external dependencies, external dependency management, so this is where that function is performed. In terms of the actual action, I would refer you to that part of the CERT Resilience Management Model, which will provide you with detailed objectives and practices for managing those relationships with critical third parties.
Brilliant, we have a couple more. We'll let you move on, Julia, unless you want to go back to the one with the architecture practices and then we can move on. Okay, so let's talk about architecture. If you have your org chart in front of you, on the far left you'll see this department called security engineering and asset security, and I'm going to talk about its six units, but that department includes security architecture. Typically we don't always see these functions combined, so again this is security engineering and asset security. What this covers is the entire life cycle of your critical assets, from the moment you develop the security requirements for acquiring or building something up to the point of putting a key system, a host, a network, or, excuse me, the requisite information in a database, into your actual operating environment.
I really wanted to point out, and this is one of the areas that I think is quite unique in this framework, if any of you are following the DevOps movement, which is about creating a more integrated and fluid relationship between development and IT operations: we included this role in our proposed organizational structure because if you don't have operations people working during development, then the development people have no need to keep track of how their product works in operation. I think we're all very familiar with the kind of problems this causes. So with respect to the question you asked earlier, Shane, we put security architecture here. It specifies your security requirements for whatever they're building, acquiring, or a combination, whatever it is; it does the security architecture, making sure that all aspects of those requirements are reflected at the conceptual level and in the detailed design and component architecture and the interfaces of that particular system or operating environment, making sure that those requirements and that architecture are propagated throughout the entire development and acquisition lifecycle, and, last but not least, making sure that all the boxes have been checked and all the work has been done before releasing the system to production. So this is where we address architecture, and yes, we consider it a CISO function, but going back to something I said before, it could be outsourced to another development department within the organization; the CISO, though, has, in our proposed structure, very well-defined oversight responsibilities. So this is one of the six units within the security engineering and asset security department, and now I will talk about the others. Identity and access management is pretty familiar, I'm sure, to most of you who are involved in this aspect: managing identities, the access controls that implement those identities, and all the various technologies that allow them to assert and confirm that your people, your systems, anything that requests access to other objects, is legitimate and authorized. That's where this one lives. The third of the six, application security, deals only with application assets, software, anything that you acquire: inventories, access controls, managing those configurations, applying patches, keeping everything up to date, making sure your critical applications are protected as best as possible by managing changes to the ones you have.
You will see some replication or duplication of these functions applied to a different type of asset: what is on your network. Make sure you have the critical ones in an inventory, know who is logged in, control access, and again configuration management and change management in terms of your standard configurations and any changes, and network controls, everything to do with your perimeter, both your intranet and your Internet. This is where you actually implement a lot of the security architecture that was specified as the initial lifecycle requirements. Information asset security: you could also think of this as data management, where you classify the sensitivity of your vital information and assets and ensure that your critical assets are inventoried and have an assigned owner.
I should have said that before: for any asset that is inventoried, there is a designation of ownership and custody, who owns it and who is responsible for taking care of it, and information assets are controlled in accordance with the requirements. We have a placeholder for physical access control. Usually all physical facility security is managed outside of the CISO organization, sometimes run by a security director or facilities manager, but there is a very critical interface here between those two roles in terms of electronic access to facilities, credentials, other types of biometrics, other types of ways to control facilities, hosts and networks, and making sure those access controls are in place. If it's a relatively small operation for a CISO, this could be combined
with the identity and access management function if you want to reduce them to a slightly smaller subset. Before we continue, I wanted to repeat here the reason we put these early lifecycle activities, requirements and architecture, together with operational activities: to encourage, across the organizational structure, a much tighter coupling between development and operations. Then one of my final boxes in this section is the dotted-line box that reports to or connects with the chief information security officer, which is the Information Security Executive Council. These people are the advisors to the CISO, so they incorporate, as you can see in the membership sample, the other key leadership roles in organizations that need to worry about policy requirements for cybersecurity. This council is one of the ways to enact governance managed by the chief information security officer, and, as you can see, it includes legal concerns, financial concerns, obviously human resources because this is a big people problem, but you also want to have the business unit leadership, VPs, the VP of engineering, and certainly whoever is responsible for managing information technology. Now, Shane,
I think we could have another survey question and you can also answer some questions. And we have a question on that third and final one. Today's survey question is: does this candidate organizational structure cover your current or planned CISO responsibilities? So if it's something you're dealing with that hasn't been covered, feel free to write it in the Q&A box and we can add it to the list of topics. But let's ask some questions while people are voting. There are a lot of questions in the queue, so we're going to go with one from Murray here asking: would you say that the four blocks that are described correspond to the four functions of the CISO?
Would you say all four blocks described correspond to the four functions of the CISO? I have to say yes, because the four functions that I described at the beginning are the underlying structure of the org chart, the candidate org chart that Julia just explained to us. Okay, Julie, anything to add? Yes, I would say it may not be an exact one-to-one match, but clearly program management is the fundamental manage and govern function; incident response, those with respond and recover; the Security Operations Center certainly goes with monitor and detect; and there are clearly a number of aspects of the protect side of the equation that are found in the set of security engineering and asset security units and activities. So I think I would agree with Nader that you can draw a line, but I think it would be too simplistic to say that, because as you dig into the details, you will find activities in each of these departments that could span two, three or four of the functions.
Okay, we'll address one more question here. Leslie asks: do you recommend that the CISO function exist as an independent organization rather than being part of another department, such as the IT organization? In which position should the CISO report? So we get that question very often. The question we get asked most frequently is where an organization should locate its information security organization or function, or who the chief information security officer should report to. From our examination of many organizations, and after analyzing incidents and how organizations respond, we have to say that there is no silver bullet; the right answer is tailored to the needs and business of each organization. Clearly, many organizations have chief information security officers who report to their IT organization, or to whichever organization they work with.
We've seen chief information security officers report to the organization's chief risk officer because information security is an important operational risk management activity. So our recommendation for organizations deciding where to place their information security function is this: look at the overall business goals of your company, how things are done today, where the functions that Julia just talked about are performed today, and then ask the question: does it make sense to move people or move these parts, or put the CISO under a different structure? Alright, before we jump back, we'll give you the survey results real quick. The question was: does this candidate organizational structure cover your current or planned CISO responsibilities?
We had 54% yes, 38% partial, and 8% no. So again, if you're in that partial or no area, feel free to write some information in the Q&A box and we will get back to you. Let me add one more piece of information to answer the question above. Regardless of where you end up placing the information security organization, or regardless of whom the chief information security officer reports to, perhaps the most important thing to make sure of is that information security activities have very high executive sponsorship, and that executive sponsorship elevates the information security function to the enterprise level so that it gets the focus it needs, regardless of where the activities are actually performed. That is probably even more important than where you put the functions. Good, very good. Let us end our conversation today by simply recommending some possible next steps that you, who have been sitting through our conversation today, could take.
One thing you could do is look at your current chief information security officer organization, how it is structured, and see if it matches the candidate structure that we have talked about. Ask the question: is the role assigned? If it is not assigned, is it something that is missing or something that should be improved? So those are some of the next steps that, if you want to take them right away before too much time goes by, probably make sense. Then if you identify areas that need to be changed or moved, use some of those sources that Julia talked about that will give you guidance on how to implement some of these activities, and don't forget to take baby steps; you don't want to take too big a bite of the apple to start with. We've provided you with some additional resources. As I mentioned, a copy of the technical note that has the details of our study is available, and the copy of the slides is available. On the next slide we have listed several references that might be of some interest. We will probably publish, in late December or early January, a podcast based on this topic, so if you want to hear more about the topic, you can take advantage of that podcast. Then as you progress and want to get additional, broader training on the activities of the chief information security officer, you can consider programs like the Carnegie Mellon University Chief Information Security Officer Executive Training Program that is available. So that's the list of references that I was referring to, at the end of the slides, and Shane, I think we'll stop here and see
if there are any more questions or any other conversations you would like to have. We have a lot of interesting questions in the queue, and just a reminder to everyone: before we leave today's webinar, please fill out that survey, as we greatly appreciate your feedback. Okay, let's move on to another question, from Marie: can you talk a little bit about having a security architecture with support and control, and the need for the security architecture to also relate to a chief architect in an enterprise architecture role? Let me know if you need a repeat. In fact, Julia can answer that question since she just finished talking about that concept a few minutes ago.
It's actually a great question that I appreciate. So much of this will depend on the people involved and the type of leadership model that exists in the organization, whether it is strictly hierarchical or whether there is more peer collaboration between units. But I would recommend that, yes, security architecture is an important activity within the organization; the chief architect, along with the chief security architect, sit on the Information Security Executive Council, and there would be a very active collaboration, because clearly the enterprise architects have many concerns beyond security, but security should be at the forefront of their thinking. Through some mechanism such as the Information Security Executive Council, or some unit of that council, I think they'll be able to achieve the kind of collaboration and integration of those two perspectives. But I would still maintain the security architecture, if not as a direct reporting activity to the CISO, certainly as one area where the CISO has some legitimate and recognized oversight responsibilities. This goes back to my previous comments about working hard to integrate earlier life-cycle activities in a system or software development project with the operational responsibility to keep that system or product secured once it enters its operating environment. Great, we'll move on to Tanisha's next question, which asks how the CISO would be structured with configuration management and change management already in place.
How would you structure the CISO with configuration management and change management already in place? I guess the structure is like this. As Julia walked you through the candidate structure, there was a department there where configuration management and change management were explicitly listed as part of that role. Most organizations already have change management and configuration management activities. If you are satisfied with the performance of those existing change management and configuration management activities, and they are meeting the needs of your business, then you can leave them as they are while you consider how to change the rest of your organization. If you think you are not happy with how change management and configuration management are done today,
if you're not happy with the way they perform or support the rest of the activities, then you want to do that exercise I mentioned: compare what you have today with the sample structure we've given you, see where in the sample structure configuration and change management fall, and then ask the question: if I move them there, would it solve my problem? And I can jump in here too, of course. Going back to our proposed organizational structure, you will remember that we took what we call an asset-focused view in establishing these units, so that you have units for application security, one for host and network security, and one for information asset security. If you look back at those slides or at the technical report, you will see that each of them has a change and configuration management aspect. To go back to the original question, when you say there is an approach, does it cover all of those assets? Does it cover configuration and change management for your software and other applications, for your hosts and networks, and, what typically tends to be lacking, for information asset security? In other words, do you have a very thoughtful change and configuration management process around your large information assets, your large repositories, your inventories, your various databases? And are they actually handled by the same team? Probably not. But regardless of how it is done today, if they are doing it right, then CISO oversight or interaction with those existing functions may be enough, or you may need to do some architecture and engineering.
Well, next we get one from Borja asking who would be in charge of security over the life cycle of applications that are created in the cloud, who would need to participate in this life cycle in the security organization. Can you explain the roles that participate in this life cycle and their tasks? Julia, do you want to take that one? Yeah, that's a great question. Okay, in the structure we have proposed, it would be a combination of the security engineering function, so it's still under that, although someone is responsible for meeting security requirements throughout the architecture and design before release to production. But when it's about a cloud service provider, that is an external relationship, and you may remember that external relationship management, at least in our candidate structure, is assigned to the program management function, but again still under the CISO. So you would have to choose who is responsible for the relationship with that cloud service provider and bring them together on some type of team with your security engineering staff, and make sure there are mechanisms in place, whether through a service level agreement
or whatever. I mean, sometimes with these big cloud service providers, you know, you basically get what you get; you don't have a lot of ammunition unless you're a big customer of theirs. But through service level agreements or whatever their terms and conditions are, whatever resources you have to monitor what happens when a major incident occurs, on the CISO side the responsibilities would be those responsible for managing the relationship with the cloud service provider, along with those in security engineering who ensure that the security requirements that you as a customer of that service provider have are actually met, through whatever mechanism you have with them to monitor, supervise and ultimately pay them for providing the service you have contracted for. So you would need to leverage several of the capabilities within the CISO structure.
I hope I answered your question at least partially. It sounded good. Well, next we have: is there any update planned for the CERT Resilience Management Model? The book is excellent, but it was published in 2010, and I imagine Julia Allen and others have new ideas and developments to share. And that was submitted not by Julia Allen herself but by Mark, so Julia, if you want to chime in. Well, actually, I think it's funny; even though I'm on the list as one of the authors, I understand he (Nader) is more intimately involved with the team that is actually looking at version 1.2 and version 2.0, so if you want to summarize. Sure. The model was formally published in 2011 in book format. In addition to our team helping organizations put it into practice, we have actually developed what we call derivatives of the model.
For certain communities we have developed derivatives for certain domains of interest, and each time we develop one of those derivatives we have actually updated certain aspects of the model. For example, Julia referred to work sponsored by the Department of Energy that resulted in the creation of what is known as the Cybersecurity Capability Maturity Model. When we developed that derivative of our RMM, we introduced new domains and process areas that are not explicitly present in the book, so the body of knowledge has continually evolved, and some of those evolutions are documented in these derivatives that we have developed. We have developed an expanded version of the model for the US Postal Service, where we have actually made a larger model. So the model has been changing, and there is documentation available to show how the model has been adapted for other purposes or made larger for certain other environments, although we cannot point you to a version 1.2 of the book, because today a typical textbook may not be the best way to keep up to date with all the changes that are happening.
Fantastic. Go ahead, Julia. Yes, I must say that we have plans in the very near future to start releasing updated process areas which we will call version 1.2, so there is an incremental update of the 26 process areas in CERT-RMM, and we have plans in 2016 to start looking at significant changes, maybe even architectural, in the model that would eventually be reflected in version 2.0. But I'm not prepared to confirm any dates on what we're looking at, so we're considering both an incremental update and a major version. Excellent update, thank you. Okay, Marie would like to know if you can talk a little about the relationship between the CISO and the information management function and the broader business intelligence initiative, in organizations where information management represents only one component of the overall business intelligence enterprise.
So, as Julie mentioned at the beginning, we've spent quite a bit of time helping other organizations put into practice some of the things that we work on, including some of the things that we talked about today. We have worked with organizations that use data and information as part of daily operations, the daily business function of those organizations. The organization's chief information security officer becomes a facilitator for those parts of the organization whose job it is to collect, manipulate and deliver that information to the rest of the organization to enable day-to-day business operations, so making this CISO a key partner with that part of the organization becomes critical. Okay, Shane. Yeah, about a minute left, so we will go through the rest very fast. Carl asks: can you give us a rough estimate of the relative size of the four organizational structures compared to each other?
Julia, do you want to answer that last question? Sure. We haven't really done any kind of detailed analysis on the size of the four main departments, but in the white paper we have some rules of thumb that I think are great for sizing the overall CISO organization. It is possible to derive some type of units of measure for each of the four main departments, but I would refer you to the white paper for additional guidance on the size and resourcing of this organizational structure. Well, I know we're almost out of time. We're trying to fit one more question in here very quickly, from Patrick, who asks: with the advent of cloud computing, much of which is already used commercially today, as opposed to traditional secure servers, what new or special security developments are needed before the general public can be sure that cloud computing is safe from hackers? So I'll go back to something Julia mentioned
a few minutes ago, in response to the previous question we had about cloud services. In the same way that organizations depend on external services for many things, you know, anywhere from energy to Internet service providers, cloud services could be considered as another very critical external service that is required to keep daily business activities running. In the same way that information security teams worry about how to address issues related to their Internet service provider, they should also care about their cloud service provider with the same level of diligence. That includes not only availability but also issues of: how does the cloud service provider satisfy my requirements for confidentiality, integrity and availability, what confidence can they give me that they are correctly meeting those requirements for my stakeholders, and what actions will they take
in the event of a major data breach? How can I be protected? How will I be notified? How will I be involved? Excellent. Nader and Julia, thank you very much for your excellent presentation. Folks, that is all the time we have for today. Thank you again for your participation, and we hope to see you at the next webinar. Have a great day.