
So you want to be a CISO - #3 "Assessment"

By the time you have reached this step in the process, you have been with your organization
for several months. You have reached out to your stakeholders, team members, and peers and
have proceeded to build the human network you will need to grow your cyber security program
throughout your organization.

By now you should also have collected much of the data specified in Step 2 “Inventory.” This
data is crucial for you to better understand the enterprise network environment, data,
applications, and people you are tasked as CISO to protect. This information will give you the
inside view of how your organization works, how it uses data, and the particular data types that
are critical. Remember, not all data is created equally and hopefully during the “Inventory”
process you learned more about your stakeholders’ workflows and what types of data and
technology are important to them.

All of the information you now have from Step 1 “Meet & Greet” and Step 2 “Inventory” will
come together in this step of the process. In “Assessment,” you will now take this background
and strive to give it some context…to give it meaning that can be used to build your project plans
and future budgets. In “Assessment,” you will make a judgment call based on this collected
information and your experience. You will look at this data and assess your security program’s
level of maturity, where the security program is in its life-cycle, and document any gaps found
for follow-on remediation. With “Assessment,” there are three phases that I have found as CISO
you will typically go through to come up with the end product, namely a security controls gap
assessment. This assessment will contain security controls that will need to be updated or
implemented to reduce risk to the organization. Some of these identified gaps in security controls
will result in long term projects that you will need to include in your future budgets. The three
phases of “Assessment” are as follows:

• Verify the health of the Security Suite
  - CMDB
  - ITAM
• Review recent audits, policies, and projects
• Measure Security
  - Technical requirements
  - Performance requirements
  - Assessment frameworks
  - Responsiveness

Compared with the previous step this one may look pretty easy, but remember you are reviewing a large
amount of information and assessing the state of your cyber security program from a maturity
life-cycle perspective. Decisions made at this step will have long-term impacts on your future
budgets, project plans, department technology road-maps, and the overall quality of your cyber
security program and its services that you provide to your organization.

1. Verify the Health of the Security Suite – In this phase, you will review the data you collected
from “Inventory.” Most of this data is in document repositories or databases such as a
Configuration Management Database (CMDB) or an IT Asset Management (ITAM) database.
What I look for here is to understand what equipment I have as part of the security suite, how old
the equipment is, has it been updated, do maintenance contracts exist, and is there a program in
place to upgrade or replace legacy equipment. If you start to look at your lists of hardware and
notice many of them are “End of Life” (EoL), you will need to annotate this on your security gap
list. This is critically important because EoL equipment often no longer receives security
patches, which results in unintended doorways into your network that you will need to remediate.
Effective cyber security is supposed to make it harder for the bad guys to get into the enterprise
environment, not easier – so if you notice you have a large amount of legacy equipment that is
end of life, you will need to list it by priority of what needs to be replaced first. My experience
suggests that many stakeholders (be they line managers or executive board members) are
unaware of the risks posed by using end-of-life equipment. This issue will lead to not only
security risks from the use of out-of-date legacy equipment but also financial risks caused by the
unscheduled request for funding to replace this equipment. These requests for capital are
unplanned organizationally and can put a strain on your organization’s operational budget. I
typically list them starting with routers, firewalls, sensors, and switches. I am sure there are
many people who would argue differently but just remember if you have a large disparate list
don’t be afraid to ask for help in prioritizing what needs to be replaced first. The insights from
other stakeholders will be especially valuable relative to this prioritization. Good risk-
management skills really come into play with this effort. Remember the organization may set
priorities for you based on budget, business processes, etc. and this is where you want to use
your relationships with your vendors and resellers to see what types of programs they have that
you may want to leverage to get more hardware or software at a lower price. The main
thing to remember is don’t panic if it’s a large list; prioritize your needs and use this
information for the projects and budget in the steps to follow.

2. Review recent audits/policies/projects – In Step 2 “Inventory” you collected previous audit
and assessment reports and annotated the recommendations made for any security control gaps
that were found. You may have also investigated if these recommendations were implemented
and, if not, put them on the growing list of security issues that need to be fixed. In this stage, you
are now going to go through these reports and really look at what was assessed, what was
recommended, and compare it to the inventory lists you have created. One of the issues you will
want to verify is whether or not these recommendations for remediation are still current: has your
network been updated to the point that the recommendations are outdated and no longer apply to
your organization’s environment? You should also evaluate if any new systems, applications, and
hardware were captured. You will also want to review any new workflows and policies that have
been put in place that may mitigate these recommendations. I have seen corporate policies put in
place that remove the risk of multiple outstanding issues. This is where your network of contacts
with stakeholders can be used to review these new policies to verify the previous annotated risks
have been reduced. Another issue that, although tedious, needs to be completed is a review of all
of the collected cyber-security policies and procedures presently used by your organization. Cyber
is a very fast-paced field where the industry standards are in constant debate; what is
considered industry standard today can be out of date within a year and considered a threat
vector to your network within two years. The point here is that as CISO you must know your
environment and the policies you have in place to protect it; it is your responsibility to ensure
these policies properly reflect your vision of how you want to implement cyber security for your
organization. You will want to review these written documents to ensure that they properly
reflect the technology, processes, and work flows your organization has in place at present and
not what was done 6 months ago. I would recommend you keep these documents in a binder
close at hand and set in your calendar a semi-annual review cycle for these documents. This will
ensure you and your team know what they contain and will keep you in the habit of ensuring
your organization’s key documents on how it conducts cyber security strategically for the
business are updated and current. Finally, you need to review all current projects and initiatives
that have a cyber-security component. You want to verify the scope of these projects, the
timelines, and budgets. You also want to verify if there are any present work stoppages or known
issues that must be addressed. You want and need visibility into these projects because if they
intersect with your team, you may have to provide services or budget to ensure they are
completed on time. I have found it’s best to have visibility in the beginning stages of projects as
this helps to ensure security is accounted for in the project’s planning stage and not added near
the end of the project as an almost forgotten add-on.

3. Measure Security – In this final phase you will pull it all together by reviewing your security
suite’s technical requirements, reported metrics, and then select a framework with which to
measure your cyber-security program’s maturity. So to begin this stage, the first action I would
recommend you do is to meet with your team, security architects, and network engineers. You
want to verify that the security suite you have in place, from a technical view point, is meeting
the requirements for the Cyber Security strategy that is presently implemented in your
organization. Remember, this is the current Cyber Security strategy plan that is in place. You
will have the opportunity to make changes to the plan and fine tune it to the vision that you want
as a CISO later. Part of this process will be to pull reports, monitor logs, and verify your security
suite is operating as efficiently as it should. Do not be afraid to ask your team if there are
additions or modifications that can be made to reduce risk to the organization. I have found over
the years that my teams will have innovative ideas about how the security suite can be tuned for
better performance to protect the corporate environment. It is during these discussions that I
would recommend a review of any standing security metrics used to measure your program’s
performance. Some metrics I have used in the past:

• Patch Latency – how long from the time updates are issued to installation.
• Baseline Scan Coverage – percentage of the organization’s assets covered by antivirus, firewall,
and malware/APT solutions (94%-98% is good).
• Ratio of compromised machines to user base – I like to keep mine below 1% (if I have 10,000
users, I want an infection rate of fewer than 100 machines per month).
• Incident response time – time measured from report of incident to remediation.
• Percentage of incidents detected by equipment type, measured against the overall number of
incidents.
• Mean time between security incidents and time to recovery.
• Percentage of systems/assets without vulnerability issues after a scan – this allows you to see if
your systems are configured and patched correctly, and it is very interesting to watch this shift
over time.
• Information Security budget as a percentage of the overall IT budget – hopefully this is increasing
over time.
• Mean time from infection to detection – with many of the new attack vectors, the quicker you are
able to isolate and remediate the asset, the better.

The next action to complete is to review the current contracts and SLA reports you have with
your vendors for a second time. I have found from previous experience that once you have
reviewed all of this information about your organization’s enterprise environment, you are able
to approach the contract/SLA requirements again with a new frame of mind and certainly new
insights that would have never surfaced too early in the process. Take another look at these
contracts and SLAs and ask yourself “Am I measuring all of the contract metrics I need for
security?”, “Are there other data points that my team collects that will help me paint a picture of
the exceptional job my team is doing?” and, finally, “Are there any more metrics we can collect
that provide visibility as to how we are providing value to the organization?” All of these
“security metrics” are very important. I have seen them used as the driving reason why a project
gets budget and I have seen them used to justify hiring new personnel. I cannot stress the
importance of understanding your numbers. You want to be in control of them and the picture
they paint about your security program to upper management.
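As an added example (not code from the article), the script below computes several of the metrics listed above from constructed CMDB, patch and infection records, flags the ones outside the article’s stated targets (94% coverage, 1% compromised ratio) as security-gap entries, and orders end-of-life equipment by the replacement priority suggested in phase 1. The record fields and all sample values are assumptions, not any real CMDB/ITAM schema.

```python
"""Security-program metrics over constructed records (added example, not from the article).
Record fields are assumptions, not a real CMDB/ITAM schema; all values are constructed."""
from datetime import date
from statistics import median

# Constructed asset records (one per device/endpoint).
ASSETS = [
    {"id": "ws-001", "type": "workstation", "av": True, "fw": True, "eol": False},
    {"id": "rt-001", "type": "router", "av": True, "fw": True, "eol": True},
    {"id": "fw-001", "type": "firewall", "av": True, "fw": True, "eol": True},
    {"id": "sw-001", "type": "switch", "av": True, "fw": True, "eol": True},
    {"id": "srv-01", "type": "server", "av": False, "fw": True, "eol": False},
]
# Constructed (vendor release date, install date) pairs for applied patches.
PATCHES = [(date(2024, 1, 2), date(2024, 1, 9)), (date(2024, 2, 1), date(2024, 2, 4)),
           (date(2024, 3, 5), date(2024, 3, 26))]
USERS, INFECTED_THIS_MONTH = 10_000, 120
# Replacement order the article suggests: routers, firewalls, sensors, switches.
EOL_PRIORITY = {"router": 0, "firewall": 1, "sensor": 2, "switch": 3}

def patch_latency_days(patches):
    """Median days from vendor release to installation (the article's patch latency)."""
    return median((installed - released).days for released, installed in patches)

def baseline_coverage(assets):
    """Percent of assets with both AV and host firewall; the article calls 94-98% good."""
    covered = sum(1 for a in assets if a["av"] and a["fw"])
    return round(100 * covered / len(assets), 1)

def compromised_ratio(infected, users):
    """Monthly infected machines as a percent of the user base; target is below 1%."""
    return round(100 * infected / users, 2)

def eol_gap_list(assets):
    """EoL devices ordered by replacement priority (types not listed go last)."""
    eol = [a for a in assets if a["eol"]]
    return [a["id"] for a in sorted(eol, key=lambda a: EOL_PRIORITY.get(a["type"], 99))]

def gap_report(assets=ASSETS, infected=INFECTED_THIS_MONTH, users=USERS):
    """Gap-list entries: metrics outside the article's targets plus EoL equipment."""
    cov, ratio, eol = baseline_coverage(assets), compromised_ratio(infected, users), eol_gap_list(assets)
    gaps = [f"baseline coverage {cov}% below 94%"] if cov < 94 else []
    if ratio >= 1:
        gaps.append(f"compromised ratio {ratio}% not below 1%")
    if eol:
        gaps.append("EoL equipment to replace, in priority order: " + ", ".join(eol))
    return gaps
```

Swap the constructed lists for exports from your own CMDB/ITAM and patch tooling; the thresholds stay the same as the article’s targets.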

Finally, you need to select one or more frameworks to assess the maturity of your cyber-security program.
I have used multiple frameworks in the past and to me they provide a key component that you
need as a CISO to measure the progress, or lack thereof, of your security program. Frameworks
provide you with a reference to measure and baseline the effectiveness of your current cyber-
security program and also a foundation to build upon. What framework you select will be based
on the business environment your organization operates in and the types of data (data categories
are very important) it processes, stores, and transmits to third parties. To start with, I like to take a
good solid framework to use as a quick snapshot of the health of my cyber-security program. I
would suggest you use something like the SANS Top 20 Security Controls as this will allow you
to verify that your program has the basic recommended security controls in place. If you are
missing something from this list, don’t panic, just create a risk matrix and list which control you
believe is missing or not implemented correctly. After you have completed this step, I would
then recommend you move to a more in-depth security risk-assessment framework such as NIST
SP 800-53 or ISO 27001/27002 and proceed through the listed controls and sub-controls as well
as the enhancements and supplemental guidance. Doing this process with a framework such as
NIST or ISO can be very tedious, but I have found it makes you look at your collected
information and picture the technologies, processes, and networks in an “outside the
organization” assessment point of view. You will find when doing this exercise that there will be
security controls that apply and that there will be many that don’t. The main thing to remember
here is to document in a risk matrix all of the controls that apply and annotate which ones you
believe are missing or not implemented fully. Once you have completed this step, I would
recommend next that you look at all of the industry/compliance type frameworks that apply to
your organization based on the types of data you currently process, store, and transmit. You will
find that the compliance frameworks are very similar to what is covered in NIST or ISO.
However, you need to remember the compliance frameworks have teeth – if you do not meet
controls under them your organization can face substantial penalties and fines. Your
organization’s counsel may also have insights into regulatory requirements that may need to be
addressed. Certain data types have different control requirements and data retention periods that
should not be overlooked. If you meet with your organization’s stakeholders and counsel and
they have a “deer in the headlights” look in their eyes, you know you’ve been given an
opportunity to do some cyber training. Add that to the list as well.

By the end of “Assessment,” you now know the health of your security suite based on
information you collected during the “Inventory” phase and the multiple processes you have
gone through during this step. You now possess a list of recommendations from your team and a
list of equipment that will need to be upgraded. You also have reviewed the contracts and SLAs
that fall under your purview as CISO for a second time and have documented what metrics apply
and new ones that need to be implemented. Also, at this stage in the process, you have reviewed
your current policies and projects, noting what policies need to be updated and projects that may
require further scrutiny. Finally, as we finish this step you have taken all of your collected
information and knowledge about the organization’s enterprise environment and measured it
against multiple frameworks. You have created a risk matrix within which you now have
documented the controls that apply to your enterprise environment and you know which ones are
“security gaps” that will need to be remediated.

As you finish this step you will have come a long way as CISO; you are now intimately familiar
with your enterprise environment and the policies and procedures in place to manage it. You now
have multiple lists of hardware, policies, and security controls that will need to be corrected or
remediated. You now have all of the components for what’s next, Step 4 “Planning.” Here you
will pull your lists together and create your strategy for what you want to do as CISO. It is in this
next step that as CISO you must remember “Security doesn’t work in a vacuum, however it
excels in a Community.” I would recommend you include your team in the next step, use
“Planning” to mentor and lead your people, and teach them why Cyber Security provides value
to your organization and is a business enabler.

***All mindmaps for this article are available for download at https://app.box.com/Five-Step-CISO-Mindmaps
