Microsoft CISO Workshop Security Strategy and Program

CISO Workshop
Security Program and Strategy
Your Name Here M EN U

CISO Workshop &
Architecture Design Session (ADS)
You are Here

Who should be in the CISO Workshop?
Primary Participants
• CISO + Security Directors - Helps modernize security strategy and program components, integrate
security into larger organization
• CIO + IT Directors – Helps integrate security into technology program, cloud, and other initiatives
• Enterprise + Security Architects – and other roles with broad strategy/technology responsibilities
Optional Attendees
• Business IT leads, Business initiative owners that sparked discussion – helps integrate security
into business initiatives and better understand security dependencies
• Cloud Lead / Cloud Team (if formed) – help integrate security into cloud initiatives and reduce
unhealthy friction between teams
• Any supporting partners and integrators chosen by those roles
Note: This workshop is essential for people performing the functions that align with the roles
above and is also useful to many other roles within an organization
Agenda
A. Key Context and Fundamentals
Threat trends, Role & Responsibility Evolution, Strategy and Recommended
Strategic Initiatives to structure security transformation
B. Business Alignment
Engage business leaders on security, align to business priorities and risk
management, integrate security in IT/Business and build business resilience
C. Security Disciplines
Provide a clear structure for durable security program elements
Exercises
1. Assess against maturity model based on real world journey
2. Discuss prescriptive recommendations to improve programs
3. Assign next steps
This presentation is interactive!
Using PowerPoint Zoom Navigation
Introductions
Expectations
Name Role
for today
❑ Modern Access Control
❑ Modern Security Operations
❑ Infrastructure and Development
❑ OT and IoT Security
❑ Data Security & GRC
What’s on your current priority list?
Ransomware Recovery Readiness Start Date / In Progress

# Secure Identities
Module 2 – Secure and
Identities and Access
Access Start Date / In Progress
# Modern Security
Module 3 – Modern Operations
Security Operations (SecOps/SOC) Start Date / In Progress
# Infrastructure
Module 4 – Infrastructureand Development
& Development Security Start Date / In Progress
# Data Security & GRC

Module 5 – Data Security & Governance, Risk, Compliance (GRC) Start Date / In Progress
# OT and
Module 6 – IoTIoT Security
and OT Security Start Date / In Progress
# Other
________________________________ Start Date / In Progress
Common Security Initiatives
Mapping business outcomes to technical initiatives
CEO
Align security to business priorities
Security Program and Strategy / Cloud Adoption Framework (CAF) - Secure Methodology
Business Leadership
Secure hybrid Modernize Secure cloud Find and protect Protect Industrial
work incident response migration critical data Control Systems
CIO CISO
Technical Leadership
Secure Identities Modern Security Infrastructure and Data Security & IoT and OT
and Access Operations (SOC) Development Governance, Risk, Security
Security Compliance (GRC)
Architects & Technical Managers
Implementation
CISO Workshop &
Architecture Design Session (ADS)
CEO
Securing Digital
Transformation
Engaging Business
Business and Leaders on Security
Business Leadership
Security
Integration CISO Workshop
CIO CISO Security Program and Strategy
Security Strategy,
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Technical Leadership Programs, and

Epics Security Architecture Design Session
Module 1 – Zero Trust Architecture
Architecture and Module 2 – Module 3 – Module 4 – Module 5 – Module 6 –
Policy Data Security &
Secure Modern Infrastructure & IoT and OT
Architects & Technical Managers Identities and Security Development Governance, Security
Technical Planning Access Operations Security Risk, Compliance
(SecOps/SOC) (GRC)
Implementation
and Operation
Implementation
What’s in these workshops?
Strategy
CISO Workshop Business Alignment and Cloud Transformation Success Metrics
Security Program and Strategy Role and Responsibility Evolution
Security Disciplines and Program Structure

Threat Trends Zero Trust Strategy
End to End Scenarios

Rosetta Stone for all
Module 1 – Zero Trust security models
Architecture and Ransomware
Overall Architecture Architecture
Zero Trust RaMP Ransomware
Summary of initiatives Guidance
Detailed Architecture Information on Initiatives

Modules 2-6 SASE
Technical Plan for initiative (roles, outcomes, etc)
Implementation
Product Documentation
Learning Operation
Planning for each role
Reference plans for 3 entry points
➢ Complete end to end security modernization
➢ Quick wins across all initiatives (Zero Trust RaMP)
➢ Microsoft 365 Zero Trust capabilities
CEO
Securing Digital
Transformation
Business Leadership Business and Enables a Zero Trust transformation
Security
Integration
CIO CISO
Security Strategy,
Technical Leadership Programs, and
Epics
Architecture and
Policy
Architects & Technical Managers
Technical Planning
Implementation
and Operation
Implementation
Documentation
Step by Step Instructions on
Microsoft Docs site
A security program bridges two worlds
Aligning security to business outcomes + apply Zero Trust security principles and best practices
Cloud Adoption Framework (CAF) - Secure Methodology
Adopt
Define strategy Plan Ready
Security ADS Workshop

Program Guidance
Secure
CISO Workshop
Govern Manage
Module 1 – Zero Trust Architecture and Ransomware
Module 2 – Secure Identities and Access
Module 3 – Modern Security Operations (SOC)
Module 4 – Infrastructure & Development Security
Module 5 – Data Security & Governance, Risk, Compliance (GRC)
Module 6 – IoT and OT Security

CISO Workshop
End-to-end Security Program and Strategy Guidance + Integration with Digital & Cloud Transformation Teams
Start Here – with key context and fundamentals

Decision Zero Trust Principles
Makers Assume breach | Explicitly Verify | Least privileged
Cloud Adoption Framework (CAF)

Secure Methodology
Priorities Threat Environment Roles & Strategy and

Discussion and Trends Responsibilities Recommended Initiatives
Business Alignment – Continuously Prioritize and integrate security
Engaging Business Business Alignment Exercise

Leaders on Security Risk Insights Security Integration Business Resilience
Security Disciplines – Establish and Evolve Foundational Capabilities
Access Security Asset Security Innovation Security Governance Exercise

Control Operations Protection Governance Security Next Steps
Complexity is driving urgent security changes
Dynamic Business Environment

Modernize & Simplify with Zero Trust
Complex Technical Estate Stay focused, move fast, & adapt quickly
Hybrid of Everything
IT, IoT, OT, Hybrid and multi-cloud Align to Business + IT
Legacy won’t go away Build a partnership
30+ years of technology layers
Always Changing Transform teams Simplify architecture,
DevOps, Infrastructure as Code, etc. configuration, & tech
to embrace
innovations portfolio
Increased Security Threats
Growing Business Impact Continuous improvement
with extortion & ransomware across people, processes, and technology
Increasing Sophistication
with new techniques
Commoditization
with “as a service” models
Imperative: Coverage for common attack chains
Email & IoT (& OT) Cloud Identities SaaS Apps
Collaboration
IoT Device Disrupt OT
Phishing Open Exploitation Environment Exfiltration
Brute force account Attacker
mail attachment accesses of data
or use stolen account
credentials sensitive data
Endpoints & Cloud
Infrastructure Attacker collects Domain
Click a URL
On-Premises reconnaissance & compromised
User account is
Identities compromised configuration data
Browse
a website
Exploitation Command
Attacker attempts
and Installation and Control
lateral movement
Privileged account
compromised
Leading Insider Risks

History of violations indicators
Data
Distracted and careless
leakage
Disgruntled or disenchanted
Potential
Subject to stressors Insider has access Anomalous
sabotage
to sensitive data activity detected
For sale in “bad neighborhoods” on the internet
Attacker for hire (per job) How this complicates fact validation
$250 per job (and up)
Other Services Ransomware Kits
Continuous attack $66 upfront
supply chain innovation (or 30% of the profit / affiliate model)
Compromised PCs / Devices

PC: $0.13 to $0.89
Mobile: $0.82 to $2.78
Spearphishing for hire

$100 to $1,000
(per successful account takeover)
Attackers Stolen Passwords

$0.97 per 1,000 (average)
(Bulk: $150 for 400M)
Denial of Service
$766.67 per month
How this shaped Microsoft investments
Don’t believe
Note: Sophisticated everything
attackers sometimes
use commodity toolkits to hide their origin
you see
Facts are naturally obscured Attack economy adds complexity Deliberate Deception Hides More
Demand for facts far exceeds Profit driven actors re-use tools, sell Sophisticated attackers often
ability to provide (expensive to ready made kits, and monetize attacks in deliberately pretend to be something
positively identify attackers, multiple ways (extortion / ransomware, else (use commercial tools, hide data
most useful defenses, etc.) selling passwords/access, data, etc.) theft in DDoS attacks, etc.)
Azure Security Capabilities and Guidance
Attacker for hire (per job)
Native Security Controls Azure Security

and integration with existing security capabilities Guidance
Ransomware Kits
Native Threat Detection (& SIEM)
Secure Azure, Azure AD, Windows, Linux, iOS, Android, SaaS apps Top 10 Best practices
Compromised PCs / Devices + correlate with cloud native SIEM+SOAR+UEBA (Azure Sentinel)
Spearphishing for hire Passwordless and Multi-factor Authentication

(MFA) Azure Security
$100 to $1,000
Benchmarks
(per successful account Mitigate common and effective identity and password attacks with
Stolen Passwords
takeover) biometrics, hardware security, and threat intelligence
Cloud Adoption
Denial of Service
Native Firewall and Network Security
Framework (CAF)
Protect business-critical assets with Azure Firewall, DDoS →
protection, & integrated web application firewall (WAF) Well Architected
Framework (WAF)
Attackers
Industry Collaboration
→ +
with customers, NIST, CIS, The Open Group, and others
(hundreds of millions of dollars paid)
2021 Microsoft Digital Defense Report contents
CHAPTER 1 CHAPTER 4 CHAPTER 6
Introduction Supply chain, IoT, Disinformation

Introduction and OT security Disinformation as an emerging threat
Our 2021 focus areas Challenges in managing risk associated with Mitigation through media literacy
the supplier ecosystem Disinformation as an enterprise disruptor
How Microsoft thinks about supply chain Campaign security and election integrity
CHAPTER 2 IoT and OT threat landscape
The 7 properties of highly secured devices
The state of cybercrime
Applying a Zero Trust approach to IoT solutions CHAPTER 7
The cybercrime economy and services
Ransomware and extortion
IoT at the intersection of cybersecurity and Actionable insights
sustainability
Phishing and other malicious email IoT security policy considerations Five cybersecurity paradigm shifts
Malware Summary of report learnings
Malicious domains Conclusion
Adversarial machine learning CHAPTER 5
Hybrid workforce security

Contributing teams at Microsoft
CHAPTER 3 A Zero Trust approach for securing hybrid work
Identities
Nations state threats
Devices/Endpoints
Tracking nation state threats
Applications
What we’re seeing
Network
Analysis of nation state activity this year
Infrastructure
Download the full report at
Private sector offensive actors
Comprehensive protections required
Data https://aka.ms/MDDR
People
CISO Workshop
•
•
Next Up:
1A – Strategy and Recommended Initiatives
Managing Information/Cyber Risk December 2021 -
Security responsibilities or “jobs to be done” https://aka.ms/SecurityRoles
Information Risk Management Program Management Office (PMO)

Supply Chain Risk (People, Process, Technology)
Incident
Posture Management Preparation
Incident
Response
Incident
Management
(IT, IoT, OT)
Threat
Hunting
Working Together on Information/Cyber Risk
Increase collaboration across teams
Prevention
Information Risk Management Program Management Office (PMO)
Supply Chain Risk (People, Process, Technology)
Incident
Posture Management Preparation
Incident
Response
Response
Incident
Management
Threat
Hunting
Mapping Roles to Disciplines
Requires collaboration between IT and Security teams
Business Leadership
CEO, Board, Other CxOs, and Business Unit/Line Leaders
Security Technical Leadership

CIO, CISO, CTO, and Chief Risk/Compliance Officer
Governance
Security Governance / Project Management
Risk and Posture Management
Security Architect IT Architect
Infrastructure security
Data Security IT Admin / IT Leadership Application Owners
(Servers, Endpoints, Containers, Storage, etc.)
MDM Admin Asset OT Operations

Access Identity Security Protection
Identity Architect
Control
Network Security
Identity Admin
Security SecOps Leadership

Operations Innovation
Application Security DevOps/DevSecOps Leadership
SecOps Analysts & Threat Hunters Security
Incident Response and Hunting
Typically in Security Organization Typically in IT Organization
End User Users Developer

Security Roles and Responsibilities
Business and Plan Build Run
technology outcomes Identify opportunities Execute and capture value Sustain and adapt
Security Governance Prevention Response

outcomes Architecture and Compliance Access control Asset protection Security operations
Security Leadership Roles
Security Architect Roles

Role Types
Platform Security Engineer IT & OT Operations, DevOps
Security Posture & Compliance
App Security Engineer Security Operations
Identity and key management

Security leadership
People security
Security architecture Incident monitoring & response
Data security
Responsibilities Threat Hunting
“Jobs to be done” / Security compliance management
Application security & DevSecOps
Organizational functions
Policy and standards
Infrastructure and endpoint security Threat intelligence
aka.ms/securityroles • Network security • Server/VM security
Posture management • Client endpoints/devices Incident preparation
Feedback loop
Identify Protect Detect, Respond, Recover


Role Types
Security isn’t that different

Security leadership
Security maps well to standard business plan – build - run stages
People security
Data security
Responsibilities Threat Hunting
“Jobs to be done” / Security compliance management
Feedback loop


Role Types
Build strong relationshipIdentity

and processes
and key management
Security leadership
Security Operations needs to have a close working relationship IT
People security
Operations and with DevOps teams to enable rapid response and
Data security
Responsibilities recovery
Security compliance management
Threat Hunting
“Jobs to be done” /
Feedback loop


Role Types
Security Operations
App Security Engineer

Security leadership
Skill Demand is shifting People security
ResponsibilitiesTo application-specific security skills (from enterprise-wideData platform

security skills) as trends progress:
Threat Hunting
“Jobs to be done” / • DevOps
Security(and Low-Code
compliance managementApplications) increase volume and speed of new applications
• Infrastructure as Code and automation reduce manual efforts in IT infrastructure
Feedback loop
CISO Workshop
1. Designate 2. Publish 3. Socialize

Decision Makers and Update list and follow-up
ESTABLISH CLEAR LINES OF RESPONSIBILITY

Who makes security decisions for the cloud?
Identify who owns following
1. Designate 2. Publish 3. Socialize up with stakeholders
# Stakeholders Point of Contact
1 Security Team
2 IT Operations
3 Cloud Teams
4 DevOps/DevSecOps Teams
5 <Other Stakeholders>
CISO Workshop
1. Designate
Decision Makers
2. Publish
and Update list
3. Socialize
and follow-up
Next Up:
Roles and Responsibilities Summary
CISO Workshop
Review – Roles and
Responsibilities
• Different security specialties reduce
organizational risk differently
• Prevent, respond, govern, architect, compliance,
and more
• Security works through IT, OT, IoT, and

DevOps teams
• Must build strong relationships and processes
• Security skill demand is shifting

• Designate and publish list of security
decision makers
Next Up:
1A – Strategy and Recommended Initiatives
The world is transforming rapidly
Market
Business
Attackers
Technology
Security
Working together
Business Digital Transformation
Market
Attackers
Technology Security
Zero Trust Transformation
Cloud Transformation
Security Shifts to Continuous Improvement Security Imperatives
Governance
Driving Continuous Improvement
Innovate with
Access Assets Assets
Asset
Protection
Security Imperatives Context to inform
decisions, tools, & automation
Known, Trusted, Allowed
Governance On every access request
Apply Security Standards

Driving Continuous Improvement
to all new assets as they are
Enablement and Monitoring created and updated
To ensure security maintenance is
performed well and properly Innovate with
Access Assets Assets
Asset
Protection
Clear North Star
Prioritize and scale Describing end state
Protect business critical assets most & first and integration across
Apply security consistently at scale & speed teams & systems
Accuracy, Impact, and Speed

For every response to disrupt Continuous Improvement
attackers (OODA loops) Clear guidance that stays current
Build Modern Security Ransomware Recovery Readiness
Ensure backups are validated, secure, and
Common Modernization Initiatives immutable to enable rapid recovery
Secure Identities and Access
Modern Security Operations
Infrastructure and Development
OT and IoT Security
Data Security & Governance, Risk, Compliance (GRC)

Security initiatives improve one or more disciplines
Access Security Asset Security Innovation
Control Operations Protection Governance Security
Module 5
Module 2 Module 3 Module 6 Module 4
Each initiative maps to an Architecture Design Session (ADS) Module

Microsoft Cloud Adoption Framework (CAF) https://aka.ms/adopt/overview
Define strategy Plan Ready Adopt

Understand motivations Digital estate Operating model Migrate
Business outcomes Initial organization alignment Landing zone concepts Modernize
Business justification Skills readiness plan Design area guidance Innovate
Prioritize project Cloud adoption plan Implementation options
Security
Asset
Access
Security
Innovation
Secure Manage Govern
Governance
Protection
Control
Operations
Security
Risk insights Business commitments Business risks
Business resilience Operations baseline Policy & compliance
Asset protection Operations maturity Governance maturity
https://aka.ms/CAFSecure
Microsoft Cloud Adoption Framework (CAF)
Achieve balance
Align business, people and technology strategy to achieve business goals with actionable,
efficient, and comprehensive guidance to deliver fast results with control and stability.
Cloud Adoption Framework | Secure Methodology
Security Program and Strategy Guidance
Zero trust principles

• Assume
Assume breach
breach |
• Explicitly
ExplicitlyVerify
Verify |
• Least privileged
Least privileged
What is Zero Trust? Zero Trust History
Assume breach | Explicitly Verify | Least privileged and Standards
Zero Trust Security Strategy – Secure digital business assets everywhere

Includes Multiple Technical Modernization Initiatives:
Secure Identities Modern Infrastructure Data Security & IoT and OT
and Access Security & Development Governance, Security
Modern identity & Operations Security Risk,
network access (SOC) Compliance
Secure Access (GRC)
Service Edge (SASE)
Too little security Too much security can
(or skipping it) block productivity
increases number & which incents people to
impact of security bypass authorized
incidents High Agility Balanced High Security systems & protections
Security
Productivity
Shadow IT
Increased Risk
Increase Business Agility and Mitigate Security Risk
Capture business Strengthen
opportunities Security
Digital Transformation Zero Trust Principles

Agile - adapt rapidly to changing business conditions Assume Breach (Assume Compromise) Minimize blast
Assume breach
and technologies with regular contact between business, radius with asset centric protections, micro-segmentation,
IT, and security. continuous monitoring, and automated threat response
Explicitly Verify
Sustainable – Ensure sponsors, developers, users, IT, and Verify explicitly Always make security decisions using all
security maintain a constant pace (and budget) available data points, including identity, location, device
indefinitely. health, resource, data classification, and anomalies.
Simplify User Experience – ensure each user role and

business process can execute with minimal friction and
interruption
Least privileged
Use least privilege access Limit access with just-in-time
and just-enough-access (JIT/JEA) and risk-based polices
like adaptive access control.
Digital Transformation
CEO
CFO COO
CIO CISO Zero Trust Security Strategy
Zero Trust Implementation

“Zero Trust” has been around for a while
The Open Group
(Home of the Jericho Forum,
TOGAF, and more)
Forrester
ZTX Model
Increasing consensus and convergence (though still some variations)

Identities Applications
Data
Infrastructure
Endpoints
Network
Assume breach | Explicitly Verify | Least privileged Zero Trust Architecture

Zero Trust Architecture
Policy
Optimization
Security Posture Assessment
User Experience Optimization

Data
Classify, label,
encrypt, prevent Emails & documents
Human loss
Structured data
Non-human
Strong
authentication
Zero Trust
Identity risk Policy Network Apps
Request Adaptive
Evaluation SaaS Apps
Enhancement Public Access
Traffic filtering
Enforcement On-premises Apps
& segmentation Private
Device Infrastructure
compliance Continuous
Containers
Serverless
Device risk assessment
Int. Sites
Corporate Runtime
PaaS
Threat
IaaS
control
Personal Protection
Risk Assessment JIT and Version Control
Response Automation
Threat Intelligence
Forensics
Telemetry/analytics/assessment
CISO Workshop
Review - Strategy and
Recommended Initiatives
• Security’s dual mission: reduce

risk + enable the business
• Partner and collaborate across
Business, IT, and Security teams
• Zero Trust Strategy includes
multiple initiatives
• Zero Trust Principles are critical
to modernization
Next Up:
1B Business Alignment
Security is a Team Sport
Example: Identifying what is business critical
Business
What would you restore first if everything was down?
IT / Technology
What are technical components • What security threats could cause this?
of business critical assets? • How to protect assets without disruption?
and more
Clients Servers Databases Apps Clouds
Reduced Business Friction = Increased Business Agility (and ability to capture opportunities)
Security is not a technical problem (to be ‘solved’).
Security is an ongoing risk to be managed
(driven by groups of well funded humans)
“That won’t be us“

Unprepared State Significant risk of reduced
Partially prepared (16 weeks +)
(~8 weeks) financial performance
Prepared state
(~2-weeks)
Never plan to
‘Just pay the ransom’
Reducing Time to Recover = Reducing Lost Revenue

(and distractions from business growth)
What ‘Unprepared’ is like
True Story: Desperate Measures
• Business Down - Most operations are completely down • Programmer wrote a useful application, which
• Zero or limited visibility into operations
• Zero or limited ability to execute processes
worked well and became business critical
• Pervasive Uncertainty – even if paying the ransom(s) …years pass…
• Unknown/uncertain timeline to restore business operations
and return to profitability • Programmer retired (and later passed away)
• Uncertain if keys/tools from criminals will work
…years pass…
• Uncertain legal/brand ramifications of paying criminals
(who may be affiliated with terrorists) • Destructive attack erased all copies of business-
• High likelihood gangs will sell data even after paying ransom critical application (among others)
• In destructive scenarios, there is no key and
• Company finds adult child of deceased
IT must be completely rebuilt from the ground up
programmer on social media…
• Unreliable communication with employees & customers
…asks if they have floppy disk with
(status updates, managing expectations, coordination)
• Chaotic communications + leaks to social media.
<critical application> in their father’s old boxes
• Slow Recovery – manual restoration of each critical system …hours pass (that feel like years)…
• Using backups , sh---y ransomware tools, or old disks
see true story on desperate/extreme measures → • They find one! And send to company
• Teams work endless hours, get exhausted, make mistakes
(recover wrong systems, forget basic steps, etc.), get They got lucky, but you may not
emotional, start burning out and quitting
Risk of no recovery (destructive attacks, etc.)
Legal & Brand Risk (Funding Criminals/Terrorists)
Funding Future Attacks on You
Restore trust in environment
‘Planning to Pay’ has hidden costs …and doesn’t avoid security investments
Secure cloud adoption enables rapid secure innovation
Secure innovation is the beating heart of an organization in today’s digital landscape
Secure
Enables rapid secure innovation
Cloud Adoption DevSecOps, IaC security, distributed security workflow
Provides native Zero Trust security capabilities

Built-in controls, monitoring, threat protection, and threat intelligence
2
Provides a safe foundation

Confidentiality, integrity, availability, posture
management, governance, and regulatory compliance
Secure cloud adoption is the foundation of a Trusted Digital Fabric

Components of a Trusted Digital Fabric
Safely Enable Business Agility from anywhere
Secure hybrid
work
Modern security
incident response
Trusted Digital Fabric Secure Cloud

• Business Agility
• Great User Experience
Migration
Find and protect

critical data
Business Enablement
How much security friction is in user Security Posture
experience and business processes? How good are we at
preventing damage?
Security Improvement
Business
Are we getting better Enablement
every month?
Starting Points
Security Response
How good are we at responding to
and recovering from attacks?
Board Questions Metrics
Example Metrics
Focus on continuous improvement
Security
Scorecard Business Enablement Security Posture Security Response Security Improvement
Metrics
Mean Time for security % of new apps/etc. Mean Time to Recover # of modernization
Supporting review reviewed (MTTR) projects open
Performance
# days for application Mean Time to # modernization project
Measurements Secure score
Acknowledge (MTTA) milestones achieved in
security review
last 60 days
Average boot/logon Time to Restore Critical
% Compliant apps
time for managed Systems
Number of repetitive
devices. # of high severity
# of privileged accounts manual steps removed
Number of security meeting 100% of incidents from workflows
interruptions in user requirements Incident growth rate
workflow # of Lessons learned
# of accounts meeting (overall)
% of IT help desk time from internal/external
spent on low-value 100% of requirements incidents
security activities
Help focus on key business outcomes
• What is our financial exposure to security risk?
• How prepared are we for extortion/ransomware attack?
• Are processes aligned to identifying and protecting business critical
processes? (without breaking them)
• Are we securing all business-critical assets? (including IT, IoT, and OT)
• Can we recover them quickly?
• Are we measuring continuous improvement for security?
• Is security program balanced across people, process, and tech?
• Are the security risk decisions by the right people? Are they prepared and
informed to do so?
• Business Models and Partnerships
• Technology Trends
• Regulatory, Geopolitical, Cultural Employee → supplier → partners
Forces
• Disruptive Events
• Paradigm Shift to Remote Work
Better security and user experience with Passwordless + working anywhere you want
NIST 800-40 on security
maintenance
1. Prioritize secure cloud adoption + modernization investments

a. Accelerate secure cloud & app modernization b. Normalize preventive maintenance for security
increases productivity and reduce risk reduces downtime & disruption risk
2. Help protect business critical assets and processes

a. Identify business critical systems b. Sponsor + participate in Cybersecurity BC/DR exercises
Ensures teams know the top priorities Reduces impact of real incidents & extortion/ransomware
3. Shift security accountability and oversight to business owners

a. Prepare business owners for security risk b. Empower business owners to accept security risk
Owners need security context + expertise to make • Ensures consideration of all opportunities and risks
good decisions • Enables agility and collaborative relationship with security
Encourage continuous collaboration between business, IT, and security teams

Just as preventive maintenance on corporate fleet vehicles can help
avoid costly breakdowns, patching should be viewed as a normal and
necessary part of reliably achieving the organization’s missions.
If an organization needs a particular technology to support its

mission, it also needs to maintain that technology throughout its life
cycle – and that includes patching.
https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
CISO Workshop
needed for Security
Next Up:
1B Risk Insights, Security Integration, Business Resilience
• Business/asset owners should be accountable for security risk
• Security should be responsible to inform and help them.
Asset owners need to balance security risks against all other risks and benefits
with security providing subject matter expertise as a trusted advisor.
CRIMINAL ENTERPRISES
GOVERNMENTS
HACKTIVISTS
CISO Workshop
Review – Risk Insights
• Align Security Priorities to Business

• Business critical initiatives, applications, and data
• Integrate Security Risk into Existing Processes

• Risk Management Framework, Risk Register, Prioritization, Impact,
Language, etc.
• Threat Awareness and Planning

• Increase security literacy for organizational leaders
• Prioritize security investments around your likely threats
Next Up:
CEO
CFO COO
Healthy Friction – Critical thinking that reduces
risk but doesn’t break processes.
Unhealthy friction – impedes more value than it
CIO CISO protects.
Security Management – Key Operational Functions
Two operational functions for prevention (potential risk) and response (realized risk)
Posture Management Security Operations / SOC

Manage potential security risk (vulnerabilities) Collaboration Manage realized security risk (attacks)
Identify Prevent Detect Respond
IT Operations
• Accountable for Operational Uptime Recover
• Responsible for change implementation
Technical Estate (Dev → Test → Production)

Security Operating Model
Security Governance
Risk, Architecture, Compliance, Threat Intelligence (Strategic)
Posture Management Security Operations / SOC People

Manage potential security risk (vulnerabilities) Collaboration Manage realized security risk (attacks)
Security
Education,
Identify Prevent Detect Respond Insider Risk
IT Operations & Data Governance People

• Accountable for Productivity and Operational Uptime Recover
• Responsible for change implementation and lifecycle management Employees,
Partners,
Customers
Access Technical Estate (Dev → Test → Production)
Control Asset Protection (Data and Systems)
DevOps Teams Innovation Security Citizen

Application Security Developers
Continuously Learning to Reduce Risk
Collaborative approach to mitigate potential and realized risk
Security Collaboration
Posture Management
No threat
Found threat Quick Fix
Major/New
incidents
Note: Threat Intelligence and Security Engineering

(automation) is a supporting function for all security activities
Evolution of Posture Management
New Tooling Available
On-demand insights into security posture,
threat intelligence helps prioritize
Security Posture Management
• Measure and Report Risk across all sources:
• Software vulnerabilities – Operating System (OS),
app, middleware, etc.
• Configuration – OS, networks, apps, SaaS, PaaS, IaaS,
Containers, Low-code apps, and more
• Operation – processes and practices that create risk
(e.g. overuse of privileged accounts, entitlements, etc.)
• Mitigate Risk by enabling teams - Proactively work with
IT operations and DevOps teams to assist with
remediation (expertise, planning, tooling, education, etc.)
Traditional Vulnerability
Management
Focused on Operating System vulnerabilities
Posture management is large and complex
Posture Management
Manage potential security risk (vulnerabilities)
Collaboratively enabling many teams to secure a continuously changing technical estate Security Teams
DevOps Teams Productivity Team / User Support

Identity Security
Productivity Team Business Leads Application Developers DevOps Teams Database Teams Privacy Team(s)
IT Operations Productivity Team Application Developers DevOps Teams Citizen Developers

Business Leads
Productivity Team / User Support
IT Operations
(Multi-Cloud (Infrastructure and Endpoint)
and Hybrid)
Network Teams
Posture Management
Rapid Modernization Plan (RaMP)
1. Start with Cloud Infrastructure (via CSPM)

• Tooling - Cloud Security Posture Management (CSPM) for VMs, Containers, Databases, etc. (e.g. Defender for Cloud)
• Process - Build shared responsibility model between teams + enablement processes for IT/Dev Ops teams
• Configuration Baseline – start with vendor/industry recommendations (ASB, M365 Secure Score, CIS Benchmark for AWS, etc.)
2. Extend CSPM to all clouds and on-premises datacenters

• Extend Tools & Processes – add on-premises assets to CSPM (e.g. via Azure Arc) & extend processes to new teams
• Integrate TVM Team and Tools – to monitor all assets consistently
3. Proactively engage IT Ops and DevOps

• Adopt a self-service model for patching on clients and servers
• Build security engineering capacity & accountability to accelerate risk reduction
4. Establish Automated Guardrails Enables business agility by reducing process friction and delays
• Automate – security into DevOps & Infrastructure as code (IaC) with Azure Policy, ARM, Terraform, etc.
5. Continuously improve and extend

Prepare and Build Extend to more assets & controls
• Leadership support • Improve baseline configuration beyond default configuration
• Team skillsets • Add more controls across technologies (identities, apps, network, infrastructure, etc.)
• Processes • Integrate with application security engagement team(s) (e.g. SDL/DevSecOps)
CISO Workshop
Review – Security Integration
• Build consistent processes to integrate
across security and IT teams
• Align to shared goals, outcomes, risk understanding
• Always seek healthy level of security friction for IT and
Business
• Build Posture Management operations

• Combines vulnerability management + CSPM/EASM/others
• Critically important, but large & complex problem to solve
• Follow Rapid Modernization Plan (RaMP) for quick wins
and incremental progress
• Provides visibility needed to make business case for
improving security maintenance and measuring progress
Next Up:
T = Patch Ready T + 48 hours T + 7 days
Self-Service Grace Period Forced remediation

Management of this process may be
simplified with AutoPatch (Preview)
End User
Extended Testing
Workload owner Requires Approved Exception
Enterprise IT &
Security Teams
N
N
is the consistent goal of security

program and disciplines
Strong Prevention Weak Prevention
+ Rapid Response + Rapid Response Weak preventive controls
• Fewer successful attacks • More successful attacks + Weak response/recovery
• Limited impact/damage • Increased damage • More successful attacks
(attackers get farther before
containment/recovery) • Highly impactful/damaging
(Bigger breaches take a long time to contain
& recover, often requiring outside expertise)
A balanced strategy reduces risk faster

•
Next Up:
Business Alignment Exercise
CISO Workshop
1. Assess 2. Discuss 3. Assign

Current State Focus Areas Next Steps
Risk Insights Security Integration Business Resilience

Integrate security insights Integrate security insights and Ensure organization can
into risk management practices into business and IT operate during attacks
framework and digital processes, integrate security and rapidly regain full
initiatives disciplines together operational status
Program Maturity Path
Proactive
Integration See ‘Engaging Business Leaders
natural aspect of risk on Security’ for metrics guidance
and enablement decisions
Basic Business Alignment
Risk viewed per project or ad hoc,
limited business enablement focus
Security as Technical Risk
Security program focused on technical
view of risk (limited business alignment)
Unmanaged Security Risk

No security owner in leadership team
• Integrate security into risk management

Proactive framework
Integration • Enable business asset owners to make informed
natural aspect of risk security risk decision (similar to other risks) and
and enablement decisions implement mitigations
• Identify business enablement opportunities for
Basic Business Alignment security (e.g. rapid entry of markets, enable
Risk viewed per project or ad hoc, remote work, etc.)
limited business enablement focus
Security as Technical Risk
• Align security risk to business goals and risks
Security program focused on technical
• Link critical business processes to IT systems
view of risk (limited business alignment)
Unmanaged Security Risk

No security owner in leadership team
Next: Business Resilience
The person who owns and accepts the risk is the
person that explains to the world what went wrong
(often in front of TV cameras).
1. Who is accountable for security vulnerabilities & incidents?

a. Business Asset Owners? IT Teams? Security?
b. At what organizational level?
2. What is the highest level of executive interaction on security topics/risks?
How frequently?
3. Is there a specific board member or committee that oversees security?
a. Does the CISO (or CIO) meet with them regularly?
4. How do conflicts of interest get resolved between security and IT (or business)
functions?
What gets measured gets managed
What gets mismeasured gets mismanaged
- Rory Sutherland
1. How are you measuring security and compliance today?

a. Do you use KPIs, KRIs, OKRs, or other?
b. Do you measure & report security resiliency or organizational resiliency?
2. How are security risks integrated into the organizations’
risk management framework?
3. How are security priorities aligned to organizational priorities?
To cloud/digital transformation?
“Trust is knowing that when a team member does push
you, they're doing it because they care about the team.”
― Patrick Lencioni
1. How are you investing into integrating security into business and IT processes?
a. How prepared are organizational leaders to make security/risk decisions?
b. How prepared are business line leaders to make security/risk decisions?
2. What would business and IT leaders say about the progress on that
integration?
3. How is security budgeted? Proportional to IT? to organization’s FTEs or
revenue? Ad Hoc/Custom?
Learning
Organization
All teams focused on
learning from internal &
external incidents
Balanced Investment
SOC drives increased investment into
meaningful incident prevention
Response Focus (or overpivot)
Building and maturing new separate security
operations/SOC function (often after major incident)
Compliance Focus
Preventive program focused on meeting
compliance obligation and control configurations
Discuss Improvement Steps
Learning • Continuous improvement of inter-team processes

Organization (and automation of them)
All teams focused on • Continuous learning culture across all teams
learning from internal & • Continuously empower business asset owners with
external incidents security knowledge and accountability
Balanced Investment
SOC drives increased investment into • Integrate incident response learnings into
meaningful incident prevention strategy and preventive controls
• Shift security left (earlier) in technical processes
Response Focus (or overpivot)
Building and maturing new separate security
operations/SOC function (often after major incident)
• Build incident response capability
Compliance Focus (Security Operations / SOC)
Preventive program focused on meeting
compliance obligation and control configurations
Next: Assign Next Steps
1. What security framework do you adhere to today?
2. How are lessons learned from incidents integrated into security, IT, and
business processes?
3. How well do you balance investments across prevention vs.
detection/response/recovery?
a. Do you have a dedicated operations function focused on incident
response? (aka Security Operations Center or SOC)
b. Do you have a dedicated operations function focused on prevention?
(e.g. security posture management team)
c. Are these functions represented in technology leadership meetings?
Capture next step and who
1. Assess 2. Discuss 3. Assign owns following up on it
# Next Step Point of Contact

1
5
CISO Workshop
1. Assess
Current State
2. Discuss
Focus Areas
3. Assign
Next Steps
Next Up:
1C – Security Disciplines
Zero Trust principles transform access control
Secure assets wherever they go
Evolution of Authentication and Authorization
“Coarse authorization” during authentication

process that enforces common trust attributes
High Level
Air travel analogy Access Model
KNOWN
TRUSTED
Airport Security
(Identity System)
ALLOWED
Airline
(Application)
https://aka.ms/accessmodel
API
Next Up:
1C – Access Control, Security Operations, Asset
Protection, Security Governance, Innovation Security
More Details in Transformational Forces Reference

Module 2 – Secure Identities and Access & end to end architecture Plans
Secure Access Service Edge (SASE)
End to end architecture journey with Zero Trust Principles

Teams & Tiers Capabilities Threat Intelligence
Mission
Reduce organizational risk by limiting the time successful
attackers can access enterprise assets (dwell time) through rapid
detection and response.
Key Cultural Elements

• Mission Alignment
• Continuous Learning
• Teamwork Business Leadership
Touchpoints
Key Measurements
• Effectiveness - Mean Time to Remediate (MTTR)
• Responsiveness - Mean time to Acknowledge (MTTA)
Partner Teams
IT Operations, DevOps, &
Insider Threat, and more
Align to Mission + Continuously Improve
Responsiveness - Mean time to Acknowledge (MTTA)
Effectiveness- Mean Time to Remediate (MTTR)
Case Management
Analysts
and Hunters
Incident Response/Recovery Assistance
Security Information and Event Management (SIEM)
Managed Detection and Response
Threat Intelligence (TI)

Automation (SOAR)
Extended Detection and Response (XDR)
Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more
CEO
PRACTICE EXERCISES / TABLETOPS
BUSINESS PRIORITIES
MAJOR INCIDENT STATUS

CISO Workshop
Next Up:
More Details in
Module 4 Modern Security Operations
Asset Protection
Effectiveness requires prioritization and consistency/automation for scale Discovering
Business-Critical Assets
1. Focus on Business-Critical Assets Business assets have intrinsic value to the business
Top-Down Discovery Identifying business

critical assets starts with understanding
business priorities, assets, and risks
New Conversations - This often involves

asking and answering questions that
haven’t been asked before
Can start with aka.ms/backup Clients Servers Databases Apps Clouds and more
2. Plan for Scale and Speed Technical assets host and run those assets
Example: Retail Website

• Business = Enablement of online customers purchases
• Technical = Servers, Databases, Containers, Administrative
workstations & identities, Network connections, customer
accounts, and more
Continuous Monitoring
and Improvement
Technical Estate (Dev → Test → Production)
Existing/Legacy Workloads DevOps Workloads
Workload Infrastructure
Shared Infrastructure
Hybrid and Multi-cloud
CISO Workshop
Review – Asset Protection
• Identify Business Critical Assets with top-down approach

• Ask and answer the hard questions on what matters most
• Plan for Scale and Speed
• Partner security teams with IT/OT Operations and DevOps teams
• Greenfield – integrate to prevent creation of more risk
• Brownfield – burn down technical debt to reduce risk
Next Up:
1C – Access Control, Security Operations, Asset Protection, Security Governance, Innovation Security
More Details in
Module 4 – Infrastructure & Development
Module 5 – Data Security & Governance,
Risk, Compliance (GRC)
Module 6 – IoT and OT Security
Asset Protection – Get Secure and Stay Secure
Get Secure – Apply security standards Stay Secure – Ongoing Asset Maintenance
• Protect data at rest and in transit • Keep software/firmware/etc. patched & up to date
• Asset specific configurations & protections • Keep software and protocols current
Standards - Architecture, Policy, and Guidance for each asset type
Continuously Improve
• Standards
• Discovery Mechanisms
• Application and
automation of standards
Automation – Integrate security into new and existing automation

Security
Governance
Business
goals + risk
Architecture & Policies

Align technology to business
Architecture, Policy,
Hybrid estate of multi-cloud and Standards
& on-prem IT + OT + IoT

Continuous Discovery Continuous Improvement
of Assets and Asset Types of asset security posture
Policy Driven Governance

Consistent execution
Compliance and Reporting

Ongoing Accurate Accountability
Posture Management is critical to continuous improvement
Origin & Evolution Ideal End State Rapid Modernization Integration into Process
Plan (RaMP)
Protecting and Monitoring Assets
Identify & Prevent – continuous improvement
Security Governance
Risk, Architecture, Compliance, Threat Intelligence (Strategic) Asset Protection
IT Operations
Posture Management
Manage potential security risk (vulnerabilities)
Innovation Security
Plan - Set measurable standards/baselines DevOps Teams
Start simple and work as a team
Do – Integrate standards/baselines
Check – Monitor standards (CSPM and other tools) Citizen
Developers
Act – Remediate Deviations (with posture management help)
Continuously improve - Standards/baselines
Collaborative Team Effort
5
Security Governance
Key Functions and Relationships
Align with Set Goals, Principles, and Policies

Organizational
Business Context Decision Rights, Processes, Org Chart definition
Priorities & Risks
& Intelligence
Risk and Security Security Posture

Compliance Intelligence Maintenance Management Security
Enablement, Coordination, Support for IT Ops + DevOps teams Architecture
Patching + Remediation Monitoring + Enablement Define and continuously
Strategic Threat
Intelligence (TI) improve end state
emerging from & integration
tactical TI
Access Security Asset Innovation Security

Control Operations Protection Security Governance
Establish Zero Trust access Detect, Respond, and Recover Protect sensitive data and Integrate Security into Continuously Identify, measure,
model to modern and from attacks; Hunt for hidden systems. Continuously DevSecOps processes. Align and manage security posture to
legacy assets using identity threats; share threat discover, classify & security, development, and reduce risk & maintain
& network controls intelligence broadly secure assets operations practices. compliance
CISO Workshop
Review – Security Governance
• Role of Security Governance

• Bridges business with technical implementation
• Provides unifying services across security and technology
• Architecture – Define ideal end state and integration, drive continuous improvement
• Posture Management – Enable and support risk mitigation efforts across the organization
• Risk and Compliance – Align security with organizational priorities & risks, manage policies
• Threat Intelligence – Provide context to stakeholders in business, IT, and security
• Proactive security posture management is essential to reducing risk
• Provides enablement for Ops teams to support meeting policy and standard
requirements
Next Up:
Secure innovation is the beating heart of an organization in today’s digital landscape
Responsive to Needs Safe and Secure

Meets business and customer Provides confidentiality, integrity, &
requirements for market relevance availability + regulatory compliance
Quality and Performance

meets the quality, speed, scalability,
reliability, and other expectations
Evolution of Innovation Security
DevOps Processes
Agile rapid delivery enables ability to
continuously mitigate security risks and
continuously refine security processes
Innovation Security
• Focused on rapid and secure development / low
friction
• Focused on high quality results
• Integrated into development process – automate
using CI/CD processes, reporting bugs through
normal processes, etc.
• Mitigate Risk by enabling teams - Proactively work with
developers and DevOps teams to educate, evangelize,
and assist with remediation (expertise, planning, tooling,
education, etc.)
Traditional Application Security

Focused on generating reports
with scanning tools
Infra + Dev Risk Security Integration DevSecOps

Feedback Loop
Feedback Loop
Idea Incubation DevOperations
Architecture & Governance

Security, Compliance, Identity, & Other Standards
2. Continuously improve process and program to improve developer productivity,

operational efficiency, security posture, identity standardization, etc.)
CISO Workshop
Review – Innovation Security
• Successful innovation requires integrating Development, Security,
and Ops (Operations)
• Traditional Application Security Evolves
• Focus on high quality findings (actionable, low false positive rate)
• Focus on enablement and seamless
integration into development process Next Up:
Security Governance Exercise
More Details in
• Module 4 Infrastructure & Development
• CAF Secure – Innovation Security
aka.ms/CAFSecure-InnovationSecurity
Current State Focus Areas Next Steps
Security Architecture Posture Management Security Maintenance
Security
Governance Access Security Asset Innovation
Continuously Identify, measure, Control Operations Protection Security
and manage security posture to Protect sensitive data and Integrate Security into
Establish Zero Trust access Detect, Respond, and Recover
reduce risk & maintain systems. Continuously DevSecOps processes. Align
model to modern and from attacks; Hunt for hidden
compliance discover, classify & security, development, and
legacy assets using identity threats; share threat
& network controls intelligence broadly secure assets operations practices.
CISO workshop and
Security ADS Module 1 Security ADS Security ADS Security ADS Security ADS
(same exercise) Module 2 Module 3 Modules 4 & 6 Module 4
Integrated
Security
Architecture
integrated enterprise-wide
and with all new initiatives
Basic Security Architecture
Ad Hoc documentation of non-network
security capabilities and solutions
Network Security Diagram
Describe network security zones and
supporting capabilities
No Security Architecture
No meaningful architectural documentation
• Build enterprise-wide integrated security
architectures (diagrams and documentation)
• Integrate with enterprise architecture (if present)
Integrated and business architectures (as appropriate)
Security • Ensure universal adoption by engineering and
Architecture implementation teams (IT, OT, IoT, DevOps)
integrated enterprise-wide • Continuously update and refine architectures,
and with all new initiatives policies, and standards based on threats, business
Basic Security Architecture intelligence, technical platforms, and more
Ad Hoc documentation of non-network
security capabilities and solutions
• Document enterprise-wide security
Network Security Diagram capabilities (beyond network)
Describe network security zones and • Integrate security in new enterprise solutions
supporting capabilities • Start integrating with standards and policies
No Security Architecture
No meaningful architectural documentation
Next: Posture Management
Continuous
Posture
Improvement
Automated guardrails and
continuous risk reduction
Proactive Posture Management Posture management data helps business case for
Establish self-service model for executive sponsorship of security maintenance and
remediating clients, servers, and more monitor progress against goals.
Basic Posture Management

Integrate CSPM tools and proactively engage with
infrastructure resource owners (IaaS, PaaS, On-Premises)
Vulnerability Scanning
Use TVM to scan operating systems and applications for
missing security patches/updates
Follow Rapid Modernization

Plan (RaMP) Stages
Continuous
Posture
Improvement 4. Continuously improve and extend
Automated guardrails and a. Cover more resources and resource types
continuous risk reduction b. Enable more teams
c. Improved support mechanisms and processes
Proactive Posture Management
Establish self-service model for patching
3. Proactively engage IT Ops and DevOps
clients, servers, and other assets a. Adopt Self-service patching model
b. Enable IT Ops and DevOps teams (with training,
Basic Posture Management security engineering, and advocacy)
Integrate CSPM tools and proactively engage with
infrastructure resource owners (IaaS, PaaS, On-Premises) Start with Cloud Security Posture Management:
1. Adopt CSPM for Cloud Infrastructure
Vulnerability Scanning 2. Extend CSPM to all clouds and
Use TVM to scan operating systems and applications for on-premises datacenters
missing security patches/updates
Next: IT Security Maintenance
Executive sponsorship often required to prioritize
IT security maintenance (so it won’t be
continuously overridden by other requirements)
Integrated NIST 800-40 provides
& Normalized clear guidance to
into all mission/business owners
automation and processes, on supporting these efforts
infrastructure as code, etc.
Core Priority
for IT operations and DevOps teams,
continuously increasing technical scope Assets may be at different levels
Limited Scope / Low Priority
Low priority responsibility of IT Operations and
DevOps Teams (regularly overridden by other priorities)
None / Inconsistent
Security patches & configuration not a priority for IT Ops /
DevOps teams, only applied on a reactive basis (emergencies)
Discuss Maturity Status Self-Service
Patching model
Next:
Assign Next Steps
Clients Servers Containers Apps & Firmware

Windows, Mac, Linux & Windows Middleware Servers, Routers,
Mobile Servers SAN/NAS, etc.
Typical Timeline
Integrated Hours or days
& Normalized
Core 30 days or less

Priority
Limited Scope
1-6 months
/ Low Priority
None /
6+ months
Inconsistent
Capture next step and who
1. Assess 2. Discuss 3. Assign owns following up on it
# Next Step Point of Contact

1
5
CISO Workshop
1. Assess
Current State
2. Discuss
Focus Areas
3. Assign
Next Steps
Next Up:
Module 1 Key Takeaways and Next Steps
Secure Access Modernize Security Manage Compliance, Commit to a Zero
starting with MFA Posture & Operations Risk, and Privacy Trust Strategy
Rapidly reduce risk from Modernize tools and processes Manage compliance and risk Commit to a security
common threats by with cloud technology (XDR, processes for data with modernization roadmap
modernizing access control SIEM, CSPM) to proactively modern cloud technology based on zero trust
with passwordless & multi- manage security posture and (eDiscovery, insider risk, and principles.
factor authentication (MFA) rapidly respond to attacks more)
Module 1 – Zero Trust

Module 2 – Secure Identities Module 3 – Modern Security Module 5 – Data Security & Architecture
and Access Operations (SOC) Governance, Risk, Compliance
(GRC)
Module 4 – Infrastructure &
Development Security
Engage your teams to drive and plan critical security modernization initiatives
CISO Workshop
• Business Alignment guidance, including security goal

of Business Resilience
• Roles and responsibilities references to inform
career/skill/role decisions
• Suggested Metrics to help track and report program
success
• Security Disciplines for durable program elements
• Prescriptive Security Initiatives to guide security
modernization (with deeper dives in subsequent
modules)
Next Up:
Security Architecture Design Session (ADS)
Security Guidance December 2021 - https://aka.ms/MCRA
CEO
Securing Digital
Transformation
Business Leadership Business and Security

Integration
CIO CISO Cloud Adoption Framework
(CAF)
Security Strategy,
Technical Leadership
Programs, and Epics
Architecture and Microsoft Cybersecurity

Policy Reference Architectures (MCRA) Initiative Planning/Execution
Architects & Technical Managers Azure Security Zero Trust
Microsoft Security Privileged Azure
Technical Planning Documentation Benchmark Ransomware Access Top 10
Product Docs Well Architected Framework

Implementation Azure | Microsoft 365 (For Azure Workload Owners)
Implementation
• MCRA - Capabilities
• Zero Trust User Access
• Roles and Responsibilities
aka.ms/CAFSecure aka.ms/MCRA
aka.ms/MCRA-Videos
Zero Trust Resources
aka.ms/zerotrust
aka.ms/ztbizplan
• Zero Trust: Security Through a Clearer Lens session (Recording | Slides)

• Microsoft’s IT Learnings from (ongoing) Zero Trust journey
Posture Management
Identities Applications
Microsoft
Microsoft Defender for
Azure AD Cloud
Data
Microsoft
Defender Microsoft
Information
for Identity
Protection Infrastructure
Endpoints
Microsoft
Defender
Microsoft
Cloud App Network
Microsoft Security
Endpoint
Manager
Azure Sentinel
Business Alignment
Risk Insights Security Integration Business Resilience
Integrate security insights Integrate security insights and Ensure organization can
into risk management practices into business and IT operate during attacks
framework and digital processes, integrate security and rapidly regain full
initiatives disciplines together operational status
Security disciplines
Access Security Asset Security Innovation

Control Operations Protection Governance Security
Establish Zero Trust Detect, Respond, and Protect sensitive data Continuously Identify, Integrate Security into
access model to Recover from attacks; and systems. measure, and DevSecOps processes.
modern and legacy Hunt for hidden Continuously manage security Align security,
assets using identity threats; share threat discover, classify & posture to reduce risk development, and
& network controls intelligence broadly secure assets & maintain compliance operations practices.
What applied threat intelligence looks like
Microsoft Threat Intelligence
Built on diverse signal sources and AI

Microsoft CISO Workshop Security Strategy and Program

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft CISO Workshop Security Strategy and Program

Uploaded by

Copyright:

Available Formats

CISO Workshop

Security Program and Strategy

Your Name Here M EN U

You are Here

Ransomware Recovery Readiness Start Date / In Progress

# Data Security & GRC

Architects & Technical Managers

Technical Leadership Programs, and

Security Disciplines and Program Structure

End to End Scenarios

Detailed Architecture Information on Initiatives

Business Leadership Business and Enables a Zero Trust transformation

Cloud Adoption Framework (CAF) - Secure Methodology

Security ADS Workshop

Module 1 – Zero Trust Architecture and Ransomware

Module 2 – Secure Identities and Access

Module 3 – Modern Security Operations (SOC)

Module 4 – Infrastructure & Development Security

Module 5 – Data Security & Governance, Risk, Compliance (GRC)

Module 6 – IoT and OT Security

Start Here – with key context and fundamentals

Cloud Adoption Framework (CAF)

Priorities Threat Environment Roles & Strategy and

Business Alignment – Continuously Prioritize and integrate security

Engaging Business Business Alignment Exercise

Security Disciplines – Establish and Evolve Foundational Capabilities

Access Security Asset Security Innovation Security Governance Exercise

Dynamic Business Environment

Leading Insider Risks

Compromised PCs / Devices

Spearphishing for hire

Attackers Stolen Passwords

Native Security Controls Azure Security

Spearphishing for hire Passwordless and Multi-factor Authentication

Introduction Supply chain, IoT, Disinformation

Hybrid workforce security

Information Risk Management Program Management Office (PMO)

Security Technical Leadership

Security Architect IT Architect

MDM Admin Asset OT Operations

Security SecOps Leadership

Typically in Security Organization Typically in IT Organization

End User Users Developer

Security Governance Prevention Response

Security Leadership Roles

Security Architect Roles

Identity and key management

Security Governance Prevention Response

Security Leadership Roles

Security Architect Roles

Security isn’t that different

Security Governance Prevention Response

Security Leadership Roles

Security Architect Roles

Build strong relationshipIdentity

Security Governance Prevention Response

Security Leadership Roles

Security Architect Roles

Identity and key management

ResponsibilitiesTo application-specific security skills (from enterprise-wideData platform

1. Designate 2. Publish 3. Socialize

ESTABLISH CLEAR LINES OF RESPONSIBILITY

# Stakeholders Point of Contact