CISO workshop slides

Portal Nachrichten

TSEC NEWS (572 Quellen): 11.08.22 Perofrmance fix. Download Android App Android App von Team IT Security

Cybersecurity Themen Chronologie für jeden Suchbegriff

CISO workshop slides

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):

Aside from my gripes with the example metrics (see below), the remainder of the presentation has a lot of useful information, lots of details, plenty of busy, thought-provoking diagrams and, as I said, an uncommon polish for free slide decks.

Here's a nice, fairly simple example slide that I could happily present and discuss in some depth as part of a workshop or training course:


Naturally, the slide deck emphasises Microsoft's own 'security posture', such as:

  • IT, cyber and data-centric, virtually ignoring the wider field of information risk and security management (e.g. protecting and exploiting workers' knowledge and other intangible forms of intellectual property) with limited, almost incidental reference to information risk and security management being truly driven by business objectives;
  • Hacking and malware i.e. deliberate, malicious and often targeted attacks, downplaying accidental threats (e.g. floods and fires) and other incidents such as human error, theft, sabotage and fraud, plus enterprise risk management as a whole (e.g. financial risk, market risk, compliance risk, strategic risk ....);
  • Zero-trust - whatever that means to the presenter and audience;
  • Cloud - meaning Azure, specifically;
  • DevOps and DevSecOps - whatever those terms mean ;
  • MS threat intelligence including artificial intelligence/machine learning rapid responses to novel malware (a cool idea, provided it works reliably).

I'm intrigued by their choice of example Security Scorecard Metrics (slide 63):

These examples supposedly focus on 'continuous improvement' (of what I'm not exactly sure), so let's take a closer look:

  1. Business Enablement appears to refer to IT and IT security services 'enabling' the business, although 'Number of security interruptions in user workflow' implies the need to prevent security getting in the way of business, a curious take on 'enable'.

  2. Security Posture suggests a confusing mix of application and account security metrics. I'm really not sure what 'security posture' even means in this context, and curious as to why those two aspects in particular have been selected as example metrics. Other slides in the deck appear to equate 'security posture' to vulnerability management and software/systems patching - a rather narrow/specific technical concern for metrics suggested to senior management, although arguably it is a major factor in cybersecurity - or to security strategy. Personally, I favour a much broader perspective on the organisation's overall posture (meaning its brands, corporate personality, customer perceptions ...) including security-relevant aspects (e.g. being a trusted partner).  Generally, though, the risk management and security arrangements quietly support and enable the business from the inside, as it were, rather than being exposed externally - unless they fail anyway!

  3. Security Response: the example metrics suggest the classical (outdated!) incident-response-and-recovery line i.e. dealing with business discontinuity, although thankfully later slides (#82-85) discuss resilience:

  4. Security Improvement as a category within this set of example metrics all supposedly focused on continuous improvement, confuses me. If these metrics are about improving security, what are the others improving? The example metrics don't help clarify the intent of this category either, referring to 'modernization' and automation (possibly in the realm of security, but not stated), although '# of Lessons learned from internal/external incidents' could indicate security improvements provided they are counted rationally (e.g. is an incident relating to weak passwords counted as just one incident or one per account compromised?).

For me, continuous improvement implies three things that don't exactly sing out from the example metrics:

  1. Clarity on the meaning of 'improve' in the present context, implying the need for management to understand what are the key parameters, as well as being able to measure and control/drive them in a positive direction.

  2. Some version of the classic Deming-style Plan-Do-Check-Act cycle.

  3. Process maturity, leading naturally towards maturity metrics.

So, I have concerns about the overall thrust, the categories and the individual metrics offered as examples ... which is ironic given that the very next slide hints at an altogether better approach: