Resources to create Cyber security strategy, for CISOs

UnixGuyUnixGuy Are we having fun yet?Mod Posts: 4,503 Mod
Say you're a CISO or a consultant helping a CISO to create a cyber security strategy.

Do you have any good resources? frameworks? industry standards/benchmarks?

Keen to hear your thoughts and I'll share mine as well!
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Check out my YouTube Channel!

Comments

  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    There are certainly a lot of podcasts with 'CISO' in the name. ;)
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    @JDMurray Any favourites? I listened to a couple and couldn't get past the cringe in some of them

    This is a good resource for those interested:


  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    edited April 2021
    I have a bunch queued in Stitcher for listening to this weekend (CISO Dojo, CISO Insider, CISO Hotline, CISO Stories, CISO Talk, CISO Tradecraft, et al.). I'll post what I think about them after listening to only one or two episodes each.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    @JDMurray Thanks! I did sub to some of those already and will check them out.


    Coursera is an underrated resource. I learned so much from free courses on Coursera (mostly non-IT-related stuff), but now I'm doing some Enterprise Risk management & governance stuff that is relevant to CISO duties.



  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    @JDMurray: I did enroll earlier this week, but it's project based so I'm gonna keep it on the back burner. I'm enrolled now in a risk management course (not cyber related).

    I always enroll in 'audit mode' so I never pay and I don't get a verifiable credential. Honestly, it's been a great learning experience. I think I should make a thread about it, I feel it's an underrated FREE resource!

  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    edited April 2021
    @JDMurray : update, I listened to Exabeam's the New CISO podcast, not bad at all! I quite like it :)

  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    I've noticed that my podcast app of choice (Stitcher) does not find many podcasts that I know exist. Therefore, I recommend that people search for podcasts at Podcastindex.org rather than using a podcast app's in-app search feature.

  • scascscasc Senior Member Member Posts: 459 ■■■■■■■□□□
    Does the client follow a specific framework/standard? If so, best to use this as it will be more easily accepted (culture, ways of working, current policy alignment etc). If starting from a clean slate - probably best to pick something holistic in nature - NIST CSF, ISO 27001, COBIT. Start off by obtaining current strategy, audit reports, key gaps, pen test findings, policies, architecture workflows. Interview key high-level staff and if you find governance is the issue - use say COBIT or CSF or even ISO to define key gaps and put a roadmap in place. If you find from high-level interviews that governance is not the problem and it's more tech, you can venture down the CIS/20 route.

    So all in all it depends on the problem domain, what the root cause issues are. From this apply the framework when you speak to the "lower level staff."
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    scasc said:
    So all in all it depends on the problem domain, what the root cause issues are.


    I would throw in, "and the business goals and objectives of the organization."
  • scascscasc Senior Member Member Posts: 459 ■■■■■■■□□□
    Yep absolutely. All ties back to business mission and objectives. 
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod

  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    edited April 2021
    I've been listening to several of these CISO podcasts enough to give some mini-reviews of them individually and as a whole. There are two specific information formats: 1) talking to CISOs about being CISOs, and 2) discussing things that CISOs are (supposedly) interested in. Many of the hosts have been CISOs, have worked directly for a CISO, or are professional consultants to the CISO-level. Most interview podcasts are entirely a single interview, and some are multi-block episodes that discuss non-CISO-specific topics including tech products and current (cyber) events.
    The quality of these podcasts is what you would expect to find by randomly sampling any 20 podcasts that have either published 20+ episodes or have been in production for at least a year. That is, the sound quality, post-production work, and host(s) experience with the information presented and producing an audio-only media product vary considerably. Having a Website with the show notes (references, transcripts, etc.) is also very useful but not always provided. All that being said, if you are very interested in the CISO-centric topics presented, I think any of these podcasts will provide you valuable information worthy of note-taking regardless of the fidelity of its presentation.

    Each of the podcasts reviewed here has published recent episodes (1-4 weeks) unless otherwise noted.

    CISO Dojo is a very casually-presented podcast where the hosts interview CISOs and security leaders. I say this podcast is "casual" because the sound quality is poor and the presentation skills of the interviewer are only fair, but the two co-hosts (a former CISO and employee) do have an interesting repartee. The guests and their CISO perspectives can also be quite interesting.

    CISO Hotline is a CISO interview podcast hosted by Todd Neilson that published four episodes in 2019 and none since. (I contacted Todd via LinkedIn and he said that he got too busy to continue.) While you won't be seeing any new episodes soon, I think those available now are worth listening to for anyone with CISO information collection interests.

    CISO to CISO Cybersecurity Talk is a single-interview podcast hosted by Michael Coates (former CISO of Twitter) who does a good job of guiding the interviewers in talking about their security leadership roles throughout their careers. 

    Global CISO Forum Podcast is the official EC-Council CISO Forum podcast. This podcast contains only interviews with CISOs and only publishes about five or six 30-minute episodes per year, making it easy to stay current. The host, Amber Pedroncelli, is a generic interviewer personality and does not seem to have any specific insights into the CISO role or needs. Interview questions are fairly checklist (e.g., "How did you get into cybersecurity?") and follow-up questions are generic (e.g., "I read on your blog that..."), so the real value here is whatever the CISO interviewee decides to say. I am a little surprised that the episodes do not contain a trailing marketing blurb for the EC-Council's CCISO certification.
    Global CISO Forum Podcast Website

    The Virtual CISO Podcast is conducted by one or more interviewers and interviewees, with no guests being a rare exception. In the few episodes I sampled, the talk was very detailed and technical and really didn't seem to be what a CISO needed to know to make decisions. The interviews are detailed discussions of standards and frameworks and how the products of the interviewees addressed the needs of an enterprise. In fact, I can't remember the terms 'CISO' or 'CxO' being said very much or at all. If you are looking for talk from CISOs then this podcast won't provide for you, but if any of the episode topics are of interest to you, and you can tolerate poor sound quality, then do give it a listen.


  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    Reviving this thread, with a fresh new question


    I currently (may or may not be) working on a vision statement and a cyber security strategy from scratch. I found it interesting that there are no frameworks for this. Yes there is NIST and ISO and others but those are control frameworks. There are no frameworks or templates to create a strategy. There are also no templates to create various policies, principles, etc.

    I think the closest I found was the SABSA framework, which has its own set of complicated steps, and that's an enterprise security architecture framework, not a policy and definitely not a strategy template.


    Just thinking out loud here, anyone come across this type of challenge? What industry best-practice did you base your strategy on? What industry best-practice did you build your policies from?

  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    A vision statement for an entire org or just for the CISO's part of it?

    Off the top of my head: "It's all about risk: mitigate what is reasonable, transfer what you can afford, and accept what you must."
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,503 Mod
    JDMurray said:
    A vision statement for an entire org or just for the CISO's part of it?

    Off the top of my head: "It's all about risk: mitigate what is reasonable, transfer what you can afford, and accept what you must."

    Vision statement for a cyber security strategy, so for the cyber security part of the org

  • scascscasc Senior Member Member Posts: 459 ■■■■■■■□□□
    Hey,

    Are there any business strategy/objective reports for you to see? This will help truly understand business requirements and purpose. Even by looking at mission statement, values statement, code of conduct you can extract the business purpose of an organisation. Look at IA reports, board of director statements etc.

    Now once you have understood this, perhaps done a SWOT, PEST analysis you can comprehend the organisation’s threats, enablement objectives and opportunities to pursue.

    Once done, create a vision statement which will bring out the business purpose/opportunities and threats and how the security objectives of confidentiality, integrity, availability, accountability, privacy will map to those threats and opportunities.

    Business strategy must be already accepted and documented, so by focussing on achieving this you have won half the battle, as business requirements are being focused on and achieved, but from a security standpoint. This is where you can bring out control objectives to mitigate threats and opportunities the strengths of the business can take advantage of (i.e. SWOT/PEST) etc.

    Hopefully this helps in some way.



  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 12,845 Admin
    A vision statement for a cyber security strategy must appeal to the business folks controlling the org, so you are pretty much stuck with crafting something based on the precept, "The primary purpose of (cyber)security is to enable business."