How to Create an Effective Long-Term Cybersecurity Strategy

1 How to Create an Effective Long-Term Cybersecurity Strategy
Webcast Description: Cybersecurity has become a growing concern, especially in the legal industry. With more clients asking about your security practices and procedures, implementing a cybersecurity plan for your firm is now a necessity. Cybersecurity is not a passing fad; it grows more prevalent and more critical over time. The number of threats will continue to rise as the threats themselves grow more sophisticated. It is paramount that your firm has a long-term cybersecurity strategy in place for the threats it faces today and those that will arise. This webinar explores the essential components of a practical, comprehensive cybersecurity strategy, one that keeps your firm in a strong and mature security position both now and in the future.

2 Agenda
- Meet Paul & TruShield
- Missing the big picture
- Think Strategically, Act Tactically
- How?
Notes: Suggested problem statements: Navigating the dynamic landscape of cybersecurity can be strenuous; creating a strategy doesn't have to be. Navigating the dynamic landscape of cybersecurity can be challenging. Not having a strategy mapped out can be a hazard for your business.

3 Meet Paul Caiazzo
Co-Founder, CEO, Chief Security Architect
CISSP, CISA, CEH
M.S. in Information Security and Assurance
15+ years of experience in Information Security
Connect with me: @Paul_Caiazzo

4 About TruShield
A global cyber security company based in the Washington D.C. metro area. Provider of the following high-quality, concierge services:
- Continuous Security Monitoring, Alerting and Incident Response
- Compromise Assessments
- Threat Protection
- Security Consulting
- Managed Security Services
- Security Architecture
- Risk Assessment Services
- Security Awareness Training
- Penetration Testing
- Vulnerability Assessments
…and much more

5 Missing the Big Picture
- Boards increasingly responsible for cybersecurity
- Outdated understanding of cyber risk
- The 'Technical problem' misconception
- The 'We aren't a target' misconception
- Unpredictability, and potentially high impact, of cyber risks
- Hidden pay-offs to getting it right; therefore, lower priority

6 Missing the Big Picture
- High volatility in the cyberthreat landscape
- Heavy focus on tactical issues, at the cost of the big picture
- Maturity in this space requires leadership focus on strategies which protect the firm over the long term
- Over-investment in preventive controls; lack of focus on detection and response

7 Can't see the forest for the trees…
Notes: roadmap slide.

8 Think Strategically
- What are my firm's business goals and objectives?
- What is my firm's technology strategy?
- What regulatory requirements do we have?
- Can we envision any key threats to any of these?

9 To Reach a Destination, Know Where You're Starting From
- Every great journey begins with a single step
- A thorough current state assessment gives you an understanding of your starting point
- Prioritize and intelligently allocate resources

10 Current State Assessment
- Many frameworks to assess yourself against
- Select one which aligns with your business objectives
- We like the SANS 20 CSC for those just starting out
Notes: Talk about security frameworks. The SANS 20 CSC is within reach for smaller organizations.

11 Strategic Analysis
Compare your current state against your target state. Consider:
- Your firm's business and IT strategies
- Regulatory requirements and impacts of non-compliance
- Areas of strength and weakness
- Key risks (regulatory, reputation, opportunity, data loss, etc.)
- Key threats you envisioned earlier
- Resources available to your firm
Notes: Depends on how far off the organization you are assessing is. Even if you are trying to achieve ISO or FISMA, you can start with the SANS 20. Doesn't account for a massive title shift, mid-stream, game-changing incident (new branch, merger, etc.).

12 Security Program Roadmap
Helps leadership:
- Organize
- Prioritize
- Strategize
A long-term plan to achieve cyber maturity and sustainability.

13 Tightly Aligned with Business Strategy/Objectives
- Executive governance and buy-in
- Corporate culture of security
- Relationships between key stakeholders within the firm
- Communications between IT/Security and other business units
- Identification of skills gaps and training to close them
- Technology planning with security in mind

14 Security program model (diagram; layer labels recovered in the order they appear, layout not recoverable)
Strategy layer: Business Drivers; Policy and Standards Framework; Compliance; Architecture; Operations; Awareness; Governance and Organization
Services layer: Network Security; Software Security; Host Security; Data Protection; Identity & Access Mgmt.; Asset Mgmt.; Third-Party Mgmt.; Threat & Vulnerability Mgmt.; Security Monitoring; Privacy; Business Continuity Mgmt.; Incident Mgmt.
Technology Protection layer: Functional; Operations; Resiliency; Intelligence
Data layer: Infrastructure; Events; Alerts; Logs
Metrics and Reporting

15 Identify Protect Optimize Sustain Enable

16 Identify Protect Optimize Sustain Enable
Identify the real risks
- Define the org's overall risk appetite & how information risk fits.
- Identify most important info & applications, where they reside & who has/needs access.
- Assess threat landscape & develop predictive models highlighting your real exposures.
Protect what matters most
- Develop a security strategy focused on business drivers & protecting high-value data.
- Assume breaches will occur; improve processes that plan, protect, detect & respond.
- Balance fundamentals with emerging threat management.
- Establish & rationalize access control models for applications & info.
Optimize for business performance
- Align all aspects of security (info, privacy, physical & business continuity) with the business.
- Spend wisely in controls & technology; invest more in people & processes.
- Consider selectively outsourcing operational security program areas.
Sustain an enterprise program
- Get governance right; make security a board-level priority.
- Allow good security to drive compliance, not vice versa.
- Measure leading indicators to catch problems while they are still small.
- Accept manageable risks that improve performance.
Enable business performance
- Make security everyone's responsibility.
- Don't restrict newer technologies; use the forces of change to enable them.
- Broaden the program to adopt enterprise-wide info risk management concepts.
- Set security program goals & metrics that influence business performance.

17-19 Security program roadmap (chart, built up over three slides)
Axes: timeline at 0, 12, 18 and 24 months; Primary Impact (Enterprise IT / Business operations); Level of effort (Low / Medium / High). The chart position of each initiative is not recoverable from the transcript.
Build order: slide 17 shows initiatives 1, 3, 6, 10, 12 and 14; slide 18 adds 2, 5, 8, 9, 13 and 15; slide 19 adds 4, 7 and 11.
Initiatives:
1. Network monitoring and log management
2. Security awareness
3. Incident response enhancement
4. High-value asset inventory
5. Security function reorganization
6. Security architecture development
7. Network segmentation
8. Policy standards and guidelines
9. Privileged account management
10. Security tool optimization
11. Acquisition/Integration playbook
12. Security analytics
13. Governance, risk and control (GRC)
14. Threat and vulnerability management (TVM)
15. Unmanaged devices

20 How can an MSSP help?

21 Questions
TruShieldInc.com
info@trushieldinc.com
877-583-2841
Connect with me: @Paul_Caiazzo

