
90 Day Security Strategy: Ready, Set,

Go Mr. & Mrs. CISO!

Post-Conference Summary

Todd Fitzgerald, Global Director Information Security


Grant Thornton International, Ltd.
Wednesday, March 2, 2016, 3:20-5:20pm, West Room 2024
Thursday, March 3, 2016, 3:20-5:20pm, West Room 2024
Table of Contents
EXECUTIVE SUMMARY (3)
INTRODUCTION (4)
  Attendee Experience Level (4)
  Session Pre-Work (4)
  Congratulations, you are The New CISO! (4)
  Oh yeah, and Did We Mention 90 days? (5)
THE SECURITY STRATEGY PROCESS (WORKSHOP AGENDA) (5)
  1. Introductions (5)
  2. Why were YOU hired? (6)
  3. Security Vision Statement (7)
  4. Where are My Crown Jewels? (8)
  5. Mind mapping our way to Protection (9)
  6. Planning the Next 5 Years (10)
  7. Presenting to the Board (11)
APPENDIX A - MIND MAP SAMPLES (12)
ABOUT THE FACILITATOR (24)

Executive Summary
The 90 Day Security Strategy Learning Lab consisted of 64 senior CISOs and other senior-level
security leaders interested in developing their company's information security strategy. The sold-out
2-hour workshop was held twice at the 2016 RSA Conference and was very interactive, leveraging the
knowledge and sharing of the participants.
The following sections include a facsimile of the materials used in the workshop, as well as workshop
insights from the work created in each section. The contributions of the workshop participants are noted
in the "Workshop Insight" call-outs in each section. This document may be used as a reference for
developing an information security strategy. Think of this workbook as a set of Lego pieces, each of which
may be assembled in different ways to create the security program. In the end, there is always a pile of
pieces not used today... but they may be relevant for the next Lego project!
I hope you enjoy the materials and they are as valuable to you as the session was to the workshop
participants and myself. If you like what you see and would like to participate in the future, be sure to
arrive early for this workshop at the 2017 RSA conference!!!
Thanks to everyone that shared their experience and helped others through participation in the
workshop!

Sincerely,
Todd Fitzgerald
Global Director Information Security, Grant Thornton International, Ltd.

Introduction
One of the key job responsibilities of a new CISO in an organization is to develop an information security
strategy. Where should the CISO begin? What could go wrong? How do you get support so the strategy
becomes more than shelfware or a pretty picture? This session discusses what makes an effective
strategy and reviews experiences that have worked well and not so well.

Attendee Experience Level


This session is focused on those security leaders who are new to their organization, or new in the role of
the CISO. While you may be very experienced in leading security efforts, implementing technical security
solutions, auditing controls, or managing security compliance, your role is now to develop an
information security strategy and lead the organization. You may also be an experienced security leader
who wants to take the opportunity to learn and share experiences with others, as well as enhance your
own security strategy.

Session Pre-Work
As a busy professional, there is none, except this: come prepared to share the information that you would
like to protect and your knowledge of where some of the opportunities for improvement within your security
program may be. We can all learn from each other, so please come prepared to discuss your viewpoint!

Congratulations, you are The New CISO!


Congratulations, after an extensive job search you have been hired as the new information security
leader for your company. You may have the title of Chief Information Security Officer (CISO), VP,
Information Security, VP, Information Risk Management, VP, Data Protection, Director of Information
Security, Security Manager, Security and Privacy Manager, or who knows what; the job requirements are
all the same....

YOU WILL KEEP THE COMPANY OUT OF THE HEADLINES.

PERIOD.

It does not matter if this is your first rodeo or your twentieth rodeo, this rodeo will be
different from the last horse that you rode... the challenges to stay on your horse will be the same... and
different.

YOU MAY BE WONDERING... WHY DID I GET ON THIS HORSE?

Today, we will explore some of the steps that are necessary to ensure that you get to ride the horse for
more than 15 seconds, and if you do fall off, you know how to get back on the horse.

Oh yeah, and Did We Mention 90 days?


We can't take our whole lives to figure out how to mount our darling bucking horse of an organization;
saddle up and let's go! We only have 90 days, and that nice person that hired you will be looking for a
12-18 month and a 3-5 year strategy (or it may be advisable to prepare 3 envelopes...)

The Security Strategy Process (Workshop Agenda)

No  Agenda Item                              Time
1   Introduction - Let's get to know each other   5 min
2   Why were you hired?                      15-20 min
3   Preparing a security vision statement    15 min
4   Where are my crown jewels?               20 min
5   Mind mapping our way to protection       20 min
6   Planning the next 5 years                20-25 min
7   Presenting to the Board                  15 min
8   Wrap-up                                  5 min

1. Introductions
(GROUP ACTIVITY)
Name
Company
Title
What I do for fun (non-security related)

WORKSHOP INSIGHT: We used a high-energy
technique in the workshop to have everyone meet as
many people as possible in under 3 minutes. Some
people met and introduced themselves to as many as
20 people!! How often do we go out of our comfort
zone in our organizations to introduce ourselves to
new stakeholders? If we can meet 20 new people in 3
minutes, surely we can find time to have security
conversations with many people in our organization
to build our strategy.

2. Why were YOU hired?


We know you are good. We know you are the best, or you would not be at the RSA Conference,
right? There must have been a reason why YOU were hired above all the other candidates. (TABLE
DISCUSSION)

1) Why did they want you?

2) Why did you decide to take this job/role above any others?

WORKSHOP INSIGHT: The reasons were as varied as the people. If we do
not understand why we were hired, why the predecessor is no longer there,
or why we are the first CISO, we are at a disadvantage. We can make the
mistake of assuming that we know the answers without having the context of
why the decisions were made. We need to first understand the culture of the
organization, by listening and observing for the first 30-45 days. Resist the
urge to communicate 'your plans', as there is probably something that was
missed, such as a technology you want to eliminate being the brainchild of the
person you need most to support your security efforts!

3. Security Vision Statement

WORKSHOP INSIGHT: Developing a vision statement
on the surface seems like an easy exercise. However,
get 8 people together and it is clear it is anything but
easy! Security professionals tend to be very detailed
and analytical; some of the vision statements were
very lengthy and included everything. To create a
valuable vision statement, it should 1) reflect the core
values of the organization, 2) be aligned with the
mission, and 3) be brief so that others, not just the
security professional, can get excited about why we
need to do what we need to do.

4. Where are My Crown Jewels?

WORKSHOP INSIGHT: Without knowing what to
protect, we end up trying to protect everything to the
same level. None of us have the resources to achieve
this. Therefore, we need to identify what exactly we
are protecting. Different industries will have different
assets that need protection. It is worthwhile to write
these on post-it notes and then group the post-it
notes into themes. This can be done with the business
users across the organization. Across the group of 64
security leaders in each workshop, several hundred
different 'crown jewels' were identified!!!

5. Mind mapping our way to Protection

WORKSHOP INSIGHT: Mind maps are a very effective
way to create free-form thinking. The goal of mind
mapping is to just get the ideas down on paper, and
branch off the ideas without evaluating them. This is
a very quick way to determine the functions needed in
the organization. The appendix shows several of the
mind maps generated in the workshop. The mind
maps help us determine what we 'should' be doing.

6. Planning the Next 5 Years

No  Mat  12 Months  24 Months  Mat  3-5 years  Mat
1
2
3
4
5

(Mat = current or target maturity level, using the scale below.)

Maturity Levels:
0 = Nonexistent  No evidence of practice or standard
1 = Initial      Ad-hoc and inconsistent
2 = Repeatable   Consistent overall approach, but mostly undocumented
3 = Defined      Documented approach, lacks enforcement or measurement
4 = Managed      Regularly measures compliance and makes regular process improvements
5 = Optimized    Refined the compliance to best practice

WORKSHOP INSIGHT: The planning is where the 'rubber meets the road.' While it is
all well and good to determine a) crown jewels, and b) what functions need to be in
place to protect them (mind mapping), without a plan of action the strategy
is, well, just a strategy. 3-5 years is long-term planning for most organizations, and
real progress needs to be delivered on 12-18 month and 3 year horizons. So pick
those areas where the most critical crown jewels can be protected, together with the
functions that are lacking and need further investment. Assessing the before and
after risk is important to move these strategies ahead and retain management
commitment.

7. Presenting to the Board

WORKSHOP INSIGHT: Now that the strategy is together, the board or senior
leadership team needs to review and agree on the direction. 3 slides containing
the vision, the assets to protect, how these will be protected, and the plan and
costs should be provided. Why 3? The board is very busy and we need to be
able to communicate in easy-to-understand terms that can focus the
discussion. More slides can be placed in an appendix if necessary. Risk to the
organization and what progress we are making to mitigate the risk will be of
primary concern. This support at the top level is critical for the organization to
become aligned with the security program.

Appendix A - Mind Map Samples

About The Facilitator
Todd Fitzgerald, Global Director of Information Security, Grant Thornton
International, Ltd.
CISSP, CISA, CISM, CGEIT, CRISC, CIPM, CIPP/US, CIPP/EU, PMP, ISO27000,
ITILv3f, MBA
Todd Fitzgerald is the Global Director of Information Security for Grant
Thornton International, Ltd., providing strategic information security
leadership for Grant Thornton member firms supporting over 40,000
employees in 133 countries. Leading large company information security
programs for 18 years, Todd is a 2013 Top 50 Information Security
Executive, 2013-15 Ponemon Institute Distinguished Fellow, and 2015 runner-up for the CISO of the Year Award
Chicago by AITP, ISSA, and Infragard. He is the author of 3 information security leadership books
(Information Security Governance Simplified: From the Boardroom to the Keyboard, CISO Leadership:
Essential Principles for Success (ISC2 Press), and 2014 Certified Chief Information Security Officer (C-CISO)
Body of Knowledge) and a contributor to a dozen others. Todd is a frequent security presenter.
