Post-Conference Summary
Executive Summary
The 90 Day Security Strategy Learning Lab comprised 64 senior CISOs and other senior-level security leaders interested in developing their company's information security strategy. The sold-out 2-hour workshop was held twice at the 2016 RSA Conference and was very interactive, leveraging the knowledge and sharing of the participants.
The following sections include a facsimile of the materials used in the workshop, as well as workshop insights drawn from the work created in each section. The contributions of the workshop participants are noted by the "Workshop Insight" call-outs in each section. This document may be used as a reference for developing an information security strategy. Think of this workbook as a set of Lego pieces, each of which may be assembled in different ways to create the security program. In the end, there is always a pile of pieces not used today… but they may be relevant for the next Lego project!
I hope you enjoy the materials and that they are as valuable to you as the session was to the workshop participants and to me. If you like what you see and would like to participate in the future, be sure to arrive early for this workshop at the 2017 RSA Conference!!!
Thanks to everyone who shared their experience and helped others through participation in the workshop!
Sincerely,
Todd Fitzgerald
Global Director Information Security, Grant Thornton International, Ltd.
Introduction
One of the key job responsibilities of a new CISO in an organization is to develop an information security strategy. Where should the CISO begin? What could go wrong? How do you get support so the strategy becomes more than shelfware or a pretty picture? This session will discuss what makes an effective strategy and review experiences that have worked well and not so well.
Session Pre-Work
As a busy professional, there is none, except this: come prepared to share the information that you would like to protect and knowledge of where some of the opportunities for improvement within your security program may be. We can all learn from each other, so please come prepared to discuss your viewpoint!
PERIOD.
It does not matter if this is your first rodeo or your twentieth rodeo; this rodeo will be different from the last horse that you rode… the challenges to stay on your horse will be the same… and different.
YOU MAY BE WONDERING… WHY DID I GET ON THIS HORSE?
Today, we will explore some of the steps that are necessary to ensure that you get to ride the horse for
more than 15 seconds, and if you do fall off, you know how to get back on the horse.
1. Introductions
(GROUP ACTIVITY)
Name
Company
Title
What I do for fun (non-security related)
WORKSHOP INSIGHT: We used a high-energy technique in the workshop to have everyone meet as many people as possible in under 3 minutes. Some people met and introduced themselves to as many as 20 people!! How often do we go out of our comfort zone in our organizations to introduce ourselves to new stakeholders? If we can meet 20 new people in 3 minutes, surely we can find time to have security conversations with many people in our organization to build our strategy.
3. Security Vision Statement
4. Where are My Crown Jewels?
5. Mind mapping our way to Protection
6. Planning the Next 5 Years
Maturity Levels:
0 = Nonexistent: no evidence of practice or standard
1 = Initial: ad hoc and inconsistent
2 = Repeatable: consistent overall approach, but mostly undocumented
3 = Defined: documented approach, but lacks enforcement or measurement
4 = Managed: regularly measures compliance and makes regular process improvements
5 = Optimized: compliance refined to best practice
WORKSHOP INSIGHT: The planning is where the 'rubber meets the road.' While it is all well and good to determine a) the crown jewels and b) what functions need to be in place to protect them (mind mapping), without a plan of action the strategy is, well, just a strategy. 3-5 years is long-term planning for most organizations, and real progress needs to be delivered on 12-18 month and 3-year horizons. So pick those areas where the most critical crown jewels can be protected, together with the functions that are lacking and need further investment. Assessing the before-and-after risk is important to move these strategies ahead and retain management commitment.
7. Presenting to the Board
WORKSHOP INSIGHT: Now that the strategy is together, the board or senior leadership team needs to review and agree on the direction. 3 slides, containing the vision, the assets to protect, how these will be protected, and the plan and costs, should be provided. Why 3? The board is very busy, and we need to be able to communicate in easy-to-understand terms that focus the discussion. More slides can be placed in an appendix if necessary. Risk to the organization and what progress we are making to mitigate the risk will be of primary concern. This support at the top level is critical for the organization to become aligned with the security program.
Appendix A - Mind Map Samples
About The Facilitator
Todd Fitzgerald, Global Director of Information Security, Grant Thornton International, Ltd.
CISSP, CISA, CISM, CGEIT, CRISC, CIPM, CIPP/US, CIPP/EU, PMP, ISO27000, ITILv3f, MBA
Todd Fitzgerald is the Global Director of Information Security for Grant Thornton International, Ltd., providing strategic information security leadership for Grant Thornton member firms supporting over 40,000 employees in 133 countries. Having led large-company information security programs for 18 years, Todd is a 2013 Top 50 Information Security Executive, a 2013–15 Ponemon Institute Distinguished Fellow, and the 2015 runner-up for the CISO of the Year Award Chicago by AITP, ISSA, and Infragard. He is the author of 3 information security leadership books (Information Security Governance Simplified: From the Boardroom to the Keyboard; CISO Leadership: Essential Principles for Success (ISC2 Press); and the 2014 Certified Chief Information Security Officer (C-CISO) Body of Knowledge) and a contributor to a dozen others. Todd is a frequent security presenter.