CISO Mindmap – Business Enablement

While doing some research about the CISO function, I noticed a very good mind map created by Rafeeq Rehman.

While what he has come up with is a mind map, I will try to deconstruct it to elaborate on the various functions performed by a CISO.

Let’s begin:

  1. Business Enablement
  2. Security Operations
  3. Selling Infosec (internally)
  4. Compliance and Audit
  5. Security Architecture
  6. Project Delivery lifecycle
  7. Risk Management
  8. Governance
  9. Identity Management
  10. Budget
  11. HR and Legal

So why did I number them, and in this order?

I believe Business Enablement is the most important function of a CISO. If (s)he doesn’t know the business in which (s)he operates, it will be very difficult to carry out the duties of a CISO. Consider a person coming from a technology background with no knowledge of the retail business. If that person is hired as a CISO because (s)he knows the technology, that may not be a good deal. To become a successful CISO, one must know the business one is involved in. To understand the security function, one must understand the business climate.

If this retail business has a requirement to store credit card information in its systems, the CISO’s job is to make sure appropriate PCI-DSS controls are in place so the data doesn’t get into the wrong hands, while at the same time making sure that PCI-DSS is not getting in the way of enabling the business to accept credit card transactions. Yes, security is a requirement, but not at the cost of not doing business.

That’s why I rate business enablement as a very important function of a CISO.

What are some of the ways a CISO can enable the business to adopt technology and still not get in its way?

  • Cloud Computing
  • Mobile technologies
  • Internet of things
  • Artificial Intelligence
  • Data Analytics
  • Crypto currencies / Blockchain
  • Mergers and Acquisitions

We will review each of these items in detail in the following blog posts.

Risk Management Models

There are various risk management models around, some of which are discussed here:

General Risk Management Model:

This five step general risk management model can be used in virtually any risk management process:

Step 1: Asset Identification

Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats.

Step 2: Threat Assessment

After identifying assets, you identify both the threats and the vulnerabilities associated with each asset and the likelihood of their occurrence. All things have vulnerabilities; one of the keys is to focus on exploitable vulnerabilities. Useful lists: CWE (from mitre.org), the SANS Top 25 list, and the OWASP Top 10 list.

Step 3: Impact Determination and Quantification

An impact is the loss created when a threat is realized and exploits a vulnerability. A tangible impact results in financial loss or physical damage. For an intangible impact, such as damage to a company’s reputation, assigning a financial value can be difficult.

Step 4: Control Design and Evaluation

Determine the controls (also called countermeasures or safeguards) to put in place to mitigate risks. A list of controls can be found in NIST SP 800-53.

Step 5: Residual Risk Management

The risk that remains after implementing controls is termed residual risk. Multiple controls can be applied to achieve a better defense posture through defense in depth.
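To make the five steps concrete, here is a small risk register that walks an asset through each of them: classification (Step 1), a threat and vulnerability with a likelihood score (Step 2), an impact score (Step 3), a list of controls (Step 4), and the residual risk left once layered controls are applied (Step 5). This is an added example, not code from the original post or from Rafeeq Rehman’s mind map. The scoring scale (likelihood and impact 1–5, inherent risk as their product), the per-control “effectiveness” fraction, and the assumption that independent layered controls combine as 1 − ∏(1 − eᵢ) are all my own conventions, and the assets, threats and scores in `build_register()` are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from math import prod


@dataclass
class Asset:
    """Step 1: an asset that needs protection, with its classification."""
    name: str
    classification: str  # e.g. "restricted", "internal", "public" (assumed labels)


@dataclass
class Control:
    """Step 4: a countermeasure / safeguard.

    `effectiveness` is an assumed fraction (0.0-1.0) of the inherent risk the
    control removes on its own; it is a modelling convention, not a standard.
    """
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")


@dataclass
class Risk:
    """One line of the risk register: a threat exploiting a vulnerability on an asset."""
    asset: Asset
    threat: str            # Step 2
    vulnerability: str     # Step 2
    likelihood: int        # Step 2: 1 (rare) .. 5 (almost certain), assumed scale
    impact: int            # Step 3: 1 (negligible) .. 5 (severe), assumed scale
    controls: list[Control] = field(default_factory=list)  # Step 4

    def __post_init__(self) -> None:
        for label, score in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.asset.name}: {label} must be 1-5, got {score}")

    def inherent(self) -> int:
        """Risk before any control is applied (likelihood x impact, max 25)."""
        return self.likelihood * self.impact

    def combined_effectiveness(self) -> float:
        """Defense in depth: independent layers combine as 1 - prod(1 - e_i).

        With no controls prod() of an empty sequence is 1, so effectiveness is 0.
        """
        return 1.0 - prod(1.0 - c.effectiveness for c in self.controls)

    def residual(self) -> float:
        """Step 5: the risk that remains after the controls are in place."""
        return round(self.inherent() * (1.0 - self.combined_effectiveness()), 2)


def prioritize(register: list[Risk], appetite: float) -> tuple[list[Risk], list[Risk]]:
    """Order the register by residual risk and flag lines above the risk appetite."""
    ordered = sorted(register, key=lambda r: r.residual(), reverse=True)
    needs_action = [r for r in ordered if r.residual() > appetite]
    return ordered, needs_action


def build_register() -> list[Risk]:
    """Constructed sample data for a retail business handling card data."""
    card_data = Asset("cardholder database", "restricted")
    storefront = Asset("public web storefront", "internal")
    return [
        Risk(card_data, "external attacker", "SQL injection in checkout app", 4, 5,
             [Control("tokenization of PAN", 0.8), Control("network segmentation", 0.5)]),
        Risk(storefront, "hacktivist", "unpatched CMS", 2, 4),  # intangible: reputation
        Risk(card_data, "malicious insider", "shared admin credentials", 3, 5,
             [Control("MFA and per-user accounts", 0.7)]),
    ]


if __name__ == "__main__":
    ordered, action = prioritize(build_register(), appetite=5.0)
    for r in ordered:
        flag = "ACTION" if r in action else "accept"
        print(f"{flag:6} {r.asset.name:24} {r.threat:18} inherent={r.inherent():2} "
              f"residual={r.residual():4}")
```

Running the script prints the register sorted by residual risk. The unpatched storefront ends up on top even though its inherent score is the lowest, because it has no controls at all, which is exactly the point of Step 5: what matters for the CISO’s decision is the risk that remains, not the risk you started with.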

Software Engineering Institute Model:

1. Identify:

Examine the system, enumerating potential risks.

2. Analyze:

Convert the risk data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risk. Classify and prioritize each of the risks.

3. Plan:

Review and evaluate the risks and decide what actions to take to mitigate them. Implement the plan.

4. Track:

Monitor the risks and the mitigation plans. Review periodically to measure progress and identify new risks.

5. Control:

Make corrections for deviations from risk mitigation plans. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.