CISO MindMap 2024: What do InfoSec Professionals Really Do?

Many individuals outside the realm of cybersecurity often underestimate the intricacies involved in a security professional’s role. Since its inception in 2012, the CISO MindMap has served as a valuable educational resource, offering insights into CISO responsibilities and aiding security professionals in crafting and enhancing their security programs. Continuously adapting to reflect the evolving landscape of cybersecurity, the CISO MindMap has been updated to accommodate the latest developments in the field. Here is the most recent iteration of the CISO MindMap for 2024, featuring numerous enhancements and fresh recommendations for the year 2024-25.

Don’t forget to review recommendations for 2024-25 described below and to subscribe to my blog.

Summary of Changes to 2024 CISO MindMap

With time, the responsibilities of security professionals are only increasing. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and extremely fast evolving GenAI technology with many applications. Not only are InfoSec professionals “expected” to deeply understand these technologies, they are also tasked with providing policies/guidance on how to secure them. For this reason, every year you find new things on the CISO MindMap. At the same time, some items are changed or removed from the CISO MindMap depending upon their relevance. In the latest CISO MindMap, modified and new items are marked in red for your convenience.

Other noticeable changes include:

  • Artificial Intelligence and GenAI – MindMap now has a dedicated section on Artificial Intelligence and GenAI, reflecting insights from security leaders. GenAI’s rapid development is exciting, but measured caution is advised until the field matures further. 
  • Removing Redundancy and Overlaps – Removed some redundancies and overlaps in different sections. I also moved some elements of the MindMap to more relevant categories.
  • Security Team Branding – An integral aspect of the CISO’s role involves effectively advocating for information security across diverse stakeholders. Drawing from valuable insights provided by experienced CISOs, we have expanded the section on ‘Security Branding’ in response to their feedback. This includes essential skills such as negotiation, executive engagement, strategic prioritization, and tactful decision-making. These are identified as key areas where new CISOs often encounter challenges, and thus, warrant special attention.
  • Expiration Date – A common issue is that many professionals still have older CISO MindMap copies. Like last year, I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2024 CISO MindMap is the end of June 2025. The next version will be published before the current version expires.

CISO MindMap Updates Methodology

Every update to the CISO MindMap undergoes thorough consideration, research, and attention to detail. In addition to my ongoing engagements with industry leaders, various methods are employed to ensure we capture the pulse of the cybersecurity landscape:

  • Conducting interviews with experts
  • Distributing surveys to gather insights
  • Leveraging LinkedIn for targeted questions and discussions
  • Analyzing feedback and comments from previous versions of the CISO MindMap
  • Staying abreast of industry news and conducting in-depth analysis

Furthermore, I’d like to express my gratitude to the contributors whose valuable insights have enriched this endeavor. The ‘Acknowledgments’ section of this blog post includes their names and LinkedIn profiles as a token of appreciation.

Are you Accountable for Everything in the CISO MindMap?

Security is inherently a collaborative effort, and the role of the CISO entails providing consultative guidance in various areas outlined within the CISO MindMap. It’s crucial to discern between areas where direct ownership and accountability are necessary and those where consultation is the primary function. Within any organization, numerous stakeholders are involved, and a common pitfall is the lack of clearly defined boundaries for each role.

My recommendation is to establish a RACI (Responsible, Accountable, Consulted, Informed) matrix, which serves as a standardized methodology for delineating roles and responsibilities among stakeholders [6]. By mapping out tasks and corresponding roles within this framework, clarity is achieved, ensuring that each stakeholder understands their level of involvement and contribution to the overall security landscape.

Focus Areas and Recommendations for 2024-2025

Each year, I offer my recommendations as a practitioner, drawing insights from discussions with information security leaders. My approach strives for objectivity, steering clear of hype and focusing solely on data-driven research. Though unintended biases may exist, the goal remains to propose actionable steps viable within a short to mid-range timeframe. These recommendations do not constitute future predictions; rather, they address the immediate needs for enhancing security programs.

Selecting a concise set of recommendations is always a challenge for me. While the list provided below may be longer than I’d prefer, I aim to offer a comprehensive array of considerations for your reflection. Followers of the MindMap will notice both recurring suggestions from previous years and novel additions, providing a blend of continuity and fresh insights.

I’m genuinely interested in hearing your perspective on these recommendations and understanding whether they resonate with your experiences and insights. Your feedback, whether in agreement or disagreement, provides valuable insights that can help refine and improve our approach to addressing security challenges. So, please feel free to share your thoughts and insights on these recommendations—whether you support them or have reservations—so we can engage in a constructive dialogue to further enhance our security strategies.

Recommendation 1: Adopt a Cautious Approach Towards GenAI

GenAI has become a focal point of discussion, rapidly evolving within the technological landscape. The Wall Street Journal reported Amazon’s unprecedented investment in an AI startup, reflecting the significant momentum in this domain. In 2023, investments in Generative AI companies exceeded $29 billion [1]. Furthermore, numerous open-source solutions are emerging within the GenAI market [2]. Amidst the buzz, it’s important to maintain a discerning approach.

Security professionals approach GenAI from three primary perspectives:

  1. Utilization within security practices: Emphasizing enhanced productivity and the exploration of automation opportunities for routine tasks.
  2. Safeguarding GenAI in corporate environments: Establishing GenAI centers of excellence to ensure governance, policy adherence, and protection against potential attacks. Aligning business and cybersecurity strategies to accommodate GenAI.
  3. Monitoring malicious use of GenAI: While not yet a cause for alarm, it’s essential to remain vigilant regarding the evolving applications of GenAI for malicious purposes.

Although every security vendor touts AI integration within their products and services, it’s prudent to avoid succumbing to hype and refrain from significant investments in GenAI technology for security purposes at this stage. It’s anticipated that over the next 12-18 months, clear market leaders will emerge from the current phase of hype and use cases for Cybersecurity will be better defined. At this stage, it is better to educate oneself and explore use cases such as automation and productivity enhancement.

Recommendation 2: Consolidate and Rationalize Security Tools

No matter the size of your InfoSec budget, it is prudent to take a more critical look at security programs and find ways to improve program management. An average organization is using a large number of technologies, by some estimates as high as 47, according to a Ponemon survey. Yet many security leaders don’t know whether their Cybersecurity tools are working. Accumulating more security tools doesn’t necessarily lower risk; rather, it amplifies the necessity for maintaining expertise within security teams. There is a need for consolidation and rationalization of security tools by deeply exploring the Return on Investment (ROI) of these tools. When rationalizing the need for tools, consider factors such as functionality overlap, available expertise within the team to effectively utilize the tool, and the innovation on the side of vendors. You may be surprised to find shelfware. In some cases open source tools may work just fine as well.

Recommendation 3: Cyber Resilience – Go Beyond Incident Response

Building upon last year’s recommendation, it’s evident that in numerous organizations, security incident response remains separate from business continuity and disaster recovery functions. It’s imperative to assess ransomware defenses, detection, and response capabilities comprehensively. Conducting a business impact analysis is essential to identify critical processes, applications, and data.

Moreover, testing the ability to restore systems and data within an acceptable timeframe is crucial. Merely possessing backups is insufficient; the capability to rebuild impacted systems and restore backups promptly is vital for restoring normal business operations following security incidents.

Recommendation 4: Build a Brand for Security Team

The role of a CISO is inherently public-facing, demanding continuous engagement with technology and business leaders. While the message being conveyed holds significance, the credibility of the messenger is equally vital. To better serve the interests of the business, it’s imperative to equip security team members with skills beyond technical expertise, especially those who aspire to leadership roles in the future.

This includes training in business acumen, value creation, influencing without authority, and enhancing human experience. Emphasizing these aspects is not new; however, it’s crucial to maintain focus on the fact that information security teams operate within a broader context and must facilitate business objectives while collaborating effectively with others.

Skills such as negotiation, compromise, and strategic decision-making play pivotal roles in establishing both personal and team credibility, ultimately contributing to the enhancement of the overall brand.

Recommendation 5: Maximize Business Value of Security Controls

The proliferation of security and compliance controls often creates friction between security and other technology teams. However, not all controls carry equal weight, and some may offer minimal value in terms of risk reduction and business enhancement. It is advisable to conduct a thorough assessment of each control, evaluating its effectiveness and business impact.

CISOs should devise a strategy to phase out low-value controls within the next 12-18 months, thereby eliminating unnecessary maintenance costs. This proactive approach ensures resources are allocated efficiently, focusing efforts on controls that truly contribute to mitigating risks and driving business value.

How to Use CISO MindMap?

Have you ever been asked to explain what you do as a security professional? The CISO MindMap offers a comprehensive solution for addressing this question and clarifying the intricacies of the role. Many professionals have attested to its efficacy in elucidating the complexities of the CISO position, particularly when communicating with a business audience.

Here are some ways in which the CISO MindMap proves to be immensely valuable:

  • Facilitating conversations with fellow technology professionals.
  • Instrumental in the design and refinement of security programs.
  • Adopted by certain security vendors for raising awareness.
  • Employed in CISO group discussions and community meetings.
  • Aiding aspiring security professionals in understanding the industry landscape and charting their career paths.
  • Serving as an educational and awareness-raising tool.

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

What are They Saying?

Following are some comments on the CISO MindMap LinkedIn post from 2023.

  • Michael Restivo – “One of the most valuable documents around. Love this Rafeeq.”
  • Chris Novak – “Always a great asset! Thanks for all that you do for the cybersecurity community!”
  • Muath AlHomoud – “Great insight Rafeeq Rehman always inspiring”
  • Christophe Foulon – “Insightful as always, Rafeeq Rehman”
  • Matthew P. – “Thanks for updating this. I think this makes a really useful tool when talking to the next generation about careers in security. Being able to demonstrate the breadth of what we can get involved in is quite eye opening”
  • David Elfering – “Thank you! I review security programs as part of my work; your outline is fantastic. As a CISO, I regularly reviewed it, and as a consultant/advisor, I can see even more clearly how others would benefit.”
  • Alan Ng – “Thanks for all the heart and sweat poured into this awesome mindmap and recommendations! It is a great resource!”
  • Stefan Jäschke – “Terrific work Rafeeq Rehman – thanks for giving back to the community consistently over the years in so many ways.”
  • Arvind Javali – “I listened to your podcast interview on CISO mindmap, very insightful, thanks for sharing”
  • Ashoka Reddy – “Thank you, Rafeeq Rehman, for the knowledge, insight, time, and effort you have put into creating and sharing the #CISOMindMap. For #InformationSecurityManagers this is a gold standard that is priceless. It’s a little overwhelming to the point of being funny, but you’ve mapped my professional brain pretty nicely. For #BusinessLeaders this gives oversight to how we protect organizations, revealing our value and responsibilities.”
  • Jas Puar – “Great timing. I’ve been looking at the 2022 version recently for some inspiration. Glad the 2023 version is available. The role is becoming bigger (cutting deeper across the entire business) and therefore more critical every year. More needs to be done to educate and raise awareness to change the direction of travel, otherwise an already thankless role will very soon become an impossible one. Keep up the great work!”
  • Steve Lodin – “Thanks again for your continued work here. I look at and keep a copy of every version you release!”
  • Fernando Montenegro – “Really nice work, forwarded it to others. I really enjoy the “expiration date” aspect.”
  • Georgeo X. Pulikkathara – “Rafeeq Rehman, good work on the CISO MindMap. My assessment is that this is a good framework for CISOs to approach all the areas we need to consider.”
  • Rob Mukherjee – “This is brilliant, thanks Rafeeq. And couldn’t agree more with your comment in the first focus area. “Understand that merely having a backup is not enough. Ability to rebuild impacted systems and restore backups in a timely manner is crucial.” Spot on!! Think “restore”, not just backup!”

Acknowledgments

In addition to numerous infosec leaders who provide their input, we have a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is a list of people and organizations who provided “specific suggestions” for improvements (in no particular order). If I missed anyone, please send me a message to make corrections.

  1. Jack Jones 
  2. Gary Hayslip
  3. Michael Restivo
  4. Wes Sobbott
  5. Muath AlHomoud  
  6. Ross Young
  7. Ross McNaughton 
  8. Gerard Onorato 
  9. Tony DeAngelo  
  10. James J Azar  
  11. Chris Hughes 
  12. Izhar Mujaddidi
  13. Nadeem Iftikhar 
  14. Ismail Cattaneo  
  15. Andres Ricardo Almanza Junco  
  16. Jack Jones 
  17. Chad Sturgill  
  18. Omar Khawaja  
  19. Rodolphe Simonetti 
  20. Scott Hawk  
  21. Hisham Zahid 
  22. Jerich Beason  
  23. M Kashif Bukhari  
  24. Chris Castaldo
  25. Atif Yusuf
  26. Jon Rogers  
  27. Andi Baritchi 
  28. Ricky Mehra
  29. Ahmed Kamel
  30. Tobias Ander
  31. Indy Dhami
  32. Matthew Thompson
  33. Marc Vael
  34. Christophe Foulon

Your input is highly appreciated!

References

[1] Wall Street Journal, Amazon Invests $2.7 Billion More in AI Startup, [link]

[2] Wall Street Journal, Open-Source Companies Are Sharing Their AI Free. Can They Crack OpenAI’s Dominance?, [link]

[3] NIST, AI Risk Management Framework, [link]

[4] Deloitte, Proactive Risk Management in Generative AI, [link]

[5] Deloitte, The implications of Generative AI for businesses, [link]

[6] CIO, The RACI matrix, [link]

Copyright © 2012-2024 – Permission to use

This MindMap is copyrighted material. However it is absolutely free for all personal, business and professional purposes (like water and air). There are no strings attached, as long as it is not altered and not used to make money. When using this MindMap, please cite the source properly so that recipients can receive future updates.

Building Generative AI (GenAI) Applications

Four key considerations for business executives

Harnessing the potential of Generative AI (GenAI) to create user applications that drive business value may appear daunting, yet it doesn’t need to be. With the GenAI field advancing swiftly and offering a plethora of options, understanding the following four fundamental areas can provide clarity for business leaders:

  1. User Interface (UI) Design for Prompt Interaction – GenAI applications typically rely on user prompts to generate responses. A well-designed UI, effective prompt engineering, rigorous testing, and user training are crucial aspects. Tailoring the UI to enable users to establish “context” for GenAI responses is paramount.
  2. Implementing Prompt and Response Filtering – Establishing controls to govern how GenAI models respond to prompts and filtering out undesirable content is essential. This ensures that the generated responses align with organizational standards and objectives. The focus should be on providing guardrails in case the GenAI models deviate from safety standards.
  3. Selecting a Baseline GenAI Model – Choosing the right baseline GenAI model is pivotal. These pre-trained deep learning models serve as the foundation and offer a starting point for application development. Careful consideration of factors such as application type, cost, and computational requirements is imperative when selecting from a range of commercial and open-source options.
  4. Fine-Tuning for Optimal Performance – Enhancing the performance of baseline models through fine-tuning is indispensable. Fine-tuning involves leveraging additional data to adapt the baseline model to specific use cases, such as generating journalistic essays, customer support, legal documents, etc. Organizations should deliberate on how they intend to fine-tune GenAI models to align with their unique requirements.

While building GenAI applications entails inherent complexity, focusing on these considerations provides a valuable blueprint for developing high-quality user applications driven by Generative AI technology.

Security Hygiene

While responsibilities of leaders in information security are very extensive as shown in the CISO MindMap, following are seven foundational and “must-have” capabilities that every information security program should have. If any of these capabilities is missing, the first priority should be to build it before considering more advanced level program development.

  1. Governance – Create or update foundational security policies, standards and procedures. This may vary significantly based upon organizational maturity, compliance needs, size of the organization, and risk tolerance. Create success metrics. Perform regular audits to measure effectiveness of security. Align security program with business objectives.
  2. Risk Management Process – At minimum, every organization must have a process for identifying, assessing, documenting, reporting, prioritizing, and mitigating risk. This may be as simple as using a spreadsheet or as complex as using a sophisticated GRC tool.
  3. Asset Management – A process for identifying assets including hardware, software, network, applications, Cloud and others. An asset is anything that your organization relies on to conduct its business.
  4. Network Security – Employ fundamental network security countermeasures such as network and web application firewalls, network segmentation, remote access VPN, and network threat detection capabilities.
  5. Endpoint Detection and Response – Use tools for endpoint protection, data protection, and anti-malware that can provide protection against data theft and ransomware.
  6. Vulnerability Management Program – A program must include network and application scanning, vulnerability identification, penetration testing, patch management, tracking and closing vulnerabilities and linking with the risk management process. Many open source tools are available to overcome budget issues.
  7. Threat Detection and Response – Ability to detect threats using automated tools, logs, and other mechanisms, backed by an incident response process. Build an internal coalition for recovering from security incidents in a timely manner. Build relationships with local law enforcement. Tabletop exercises are a good mechanism to test capability for incident response, identify gaps and make improvements.

Building these capabilities requires people, effective processes, and relevant tools. A CISO should identify gaps, make a plan, request budget and set targets/goals to build these capabilities.

Third Party Risk Management – Considerations for creating a program standard

What is a Third Party

Third parties generally refer to external entities with whom you enter into contractual agreements to deliver products or services. These external partners may offer essential services to support your business operations or extend services to your clientele on your behalf. Examples of third parties encompass a diverse range of entities, such as internet service providers, financial institutions, software vendors, building maintenance companies, and others.

Reasons for Managing Third Party Risk

  • Breach Liability – A security incident with third parties may impact your business operations. If third parties have access to your data or your customers’ data, you may be liable for handling data breaches that occurred on a third party network.
  • Compliance – Many data privacy regulations require compliance wherever the data is stored, processed and utilized. A third party having access to privacy related data may be part of the scope of work you have to do to meet regulatory compliance.
  • Resilience of Supply Chain – Disruptions in supply chain may be detrimental to your business. Managing third party risk is essential for a reliable supply chain.

Have a Risk Management Program

If you have a corporate information security risk management program, it can provide you a basis for managing third party risk. Managing the lifecycle for third parties is very similar in many ways to managing other information security risks. Make third party risk part of the overall risk management program and follow a risk management lifecycle starting from risk identification, categorization, assessment, mitigation and closure.

Define Third Party Risk Management Standard and Processes

Building a third party risk management standard should be one of the first steps for CISOs. A standard provides clarity and consistency for all stakeholders and goes a long way towards achieving maturity. Following are some of the components that should be part of the standard.

  1. Clearly define purpose of the standard
  2. Define categories for third parties
  3. Contractual arrangement with third parties
  4. Onboarding and offboarding of third parties
  5. Perform assessments for a third party
  6. Frequency at which assessments will be performed
  7. Monitoring and oversight of third party risk
  8. Third party compliance management
  9. Define a list of artifacts needed from third parties and the frequency at which these are required.
  10. Define third party “trust levels” and minimum technical requirements for each level. This will help determine which of the third parties can be given access to network, data, and other assets based upon the trust level.
  11. A RACI matrix for all stakeholders

Categorize Third Parties

Some third parties carry significantly more risk than others, and need more attention for risk management. Categorization of third parties may be based upon factors such as:

  • Criticality for business operations – Who is critical to your business processes such that without this third party business will cease to function.
  • Access to data – Who has access to your corporate, employee or your customer data.
  • Direct connectivity to network or Cloud – Who has direct connectivity into your network or your Cloud environments, such that a breach on the third party environment can directly spill over into your environment.
  • Type of relationships with the third party – Do you consume services, use source code or software libraries, use a third party for data processing, and so on.

Based upon these and other factors, you can define a list of categories to prioritize assessments.

Automation and Tools

Historically simple tools such as questionnaires and spreadsheets have been used for third party risk assessment. To reduce management overhead, some information for third parties can be collected and assessed with automated tools and publicly available information.

No-Hype Use of LLMs in Cybersecurity

Three use cases of Large Language Models (LLMs) to save time and immediately enhance productivity

While there is tremendous hype around LLMs, many people in Cybersecurity are still struggling to put new tools like ChatGPT and Google Bard into practice. This is a brief article to discuss use cases that will save time and quickly enhance your productivity in carrying out common tasks.

  1. Create Bash Scripts to automate Cyber Security tasks
  2. Super fast SIEM use cases development
  3. Assistance in Security Awareness Program

Use Case 1: Automate Cybersecurity Tasks with bash Scripts

Many Cybersecurity professionals need to automate simple tasks using scripts that would otherwise take a large amount of time and work. ChatGPT can quickly create bash shell scripts that you can adapt to your needs. Let us assume your policy requires disabling username/password authentication to SSH and allows only key based authentication. The following example shows how ChatGPT creates a script to accomplish it on a large number of servers. Carefully take a look at the prompt and response.

User Prompt

“create a bash shell script that to check if SSH login using username and password is enabled on a large number of Linux servers. Assume key based login is enabled on these servers for a user with username “super_secret_admin”. The list of server IP addresses is stored in a file servers.txt, one IP address per line.”

ChatGPT Response

“To check if SSH login using a username and password is enabled on a list of Linux servers where key-based login is enabled for the user “super_secret_admin,” you can use a Bash script that reads the list of server IP addresses from a file and remotely checks the SSH server configuration for the “super_secret_admin” user. Here’s a sample script for this task:

```bash
#!/bin/bash

# Specify the path to the file containing server IP addresses
server_list_file="servers.txt"

# Specify the SSH username (super_secret_admin user)
ssh_user="super_secret_admin"

# Function to check if SSH password authentication is enabled for the super_secret_admin user
check_ssh_password_auth() {
    server_ip="$1"
    ssh_config_file="/etc/ssh/sshd_config"

    # Use SSH to remotely fetch the SSH server configuration.
    # -n stops ssh from reading stdin; without it ssh consumes the remaining
    # lines of the server list inside the calling while-read loop.
    if ! ssh_config=$(ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$ssh_user@$server_ip" "cat $ssh_config_file" 2>/dev/null); then
        echo "Could not fetch $ssh_config_file from $server_ip (ssh failed)."
        return 2
    fi

    # Check for an active (uncommented) "PasswordAuthentication yes" directive.
    # A plain substring test would also match commented-out lines such as
    # "#PasswordAuthentication yes" and report a false positive.
    if printf '%s\n' "$ssh_config" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes'; then
        echo "SSH password authentication is enabled for $ssh_user on $server_ip."
    else
        echo "SSH password authentication is not enabled for $ssh_user on $server_ip."
    fi
}

# Main script
if [ -f "$server_list_file" ]; then
    while read -r server_ip; do
        # Skip blank lines in the server list
        [ -z "$server_ip" ] && continue
        echo "Checking SSH configuration on $server_ip..."
        check_ssh_password_auth "$server_ip"
    done < "$server_list_file"
else
    echo "Server list file not found."
fi
```

Replace “super_secret_admin” with the appropriate SSH username you want to check for password authentication.

Ensure that the SSH key of the machine running this script has access to the servers you are checking. The script reads server IP addresses from the servers.txt file, one per line, and then connects to each server to check the sshd_config file for the presence of “PasswordAuthentication yes” for the “super_secret_admin” user to determine if password authentication is enabled.

You can run this script with the command bash script.sh. It will check each server listed in the servers.txt file.

Make sure you have the necessary permissions and approvals to perform remote checks on these servers.

Here is a partial screenshot of this prompt and response.

Note that you can fine tune the prompt if the result does not meet your needs. Also note that you still need knowledge of Bash scripting to make sure the generated script meets your needs and that you are able to make manual fine tuning to the script, if needed. ChatGPT is your assistant, not your replacement!
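This is exactly the kind of manual fine tuning the generated script needs: a substring test for “PasswordAuthentication yes” gives the wrong answer on commented-out lines, on directives inside a Match block, and when the directive is absent (sshd then defaults to yes). The following added example, which is not code from the post or from ChatGPT’s response, applies sshd_config’s own rules to the fetched text; the function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): decide whether sshd's global
# PasswordAuthentication setting is effectively enabled, given the text of an
# sshd_config file, following the semantics documented in sshd_config(5):
#   - lines starting with "#" and empty lines are comments
#   - keywords are case-insensitive; "Key value" and "Key=value" are both valid
#   - the FIRST value obtained for a keyword is the one used
#   - directives after a "Match" line are conditional, not the global setting
#   - when the keyword is absent the default is "yes"
# Prints "enabled" or "disabled"; returns 0 when enabled, 1 otherwise.
ssh_password_auth_enabled() {
    # $1: the contents of sshd_config as a single string
    value=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # comment or blank line
        { sub(/=/, " ") }                           # normalise Key=value form
        tolower($1) == "match"  { in_match = 1; next }
        in_match                { next }            # conditional block: skip
        tolower($1) == "passwordauthentication" && found == 0 {
            found = 1; value = tolower($2)          # first value wins
        }
        END { print (found ? value : "yes") }       # absent -> sshd default
    ')
    case "$value" in
        yes) echo "enabled";  return 0 ;;
        *)   echo "disabled"; return 1 ;;
    esac
}

# Remote wrapper mirroring the post's use case. "ssh -n" keeps ssh from
# reading stdin so the function is safe inside a "while read" loop over
# servers.txt. Not exercised below: it needs real hosts and key-based access.
check_server() {
    # $1: SSH user, $2: server address
    cfg=$(ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$1@$2" 'cat /etc/ssh/sshd_config' 2>/dev/null) || {
        echo "$2: unreachable"; return 2; }
    echo "$2: password authentication $(ssh_password_auth_enabled "$cfg")"
}

# Constructed sample configurations (no real hosts involved).
# A substring test for "PasswordAuthentication yes" reports this one as
# enabled because of the comment and the Match block; it is actually disabled.
CFG_COMMENTED='#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

# No directive at all: sshd defaults to yes, which a substring test misses.
CFG_DEFAULT='Port 22
PubkeyAuthentication yes'

# Two directives: the first one is the effective value.
CFG_FIRST_WINS='PasswordAuthentication yes
PasswordAuthentication no'

# Alternative "Key=value" spelling in a different case.
CFG_EQUALS='passwordauthentication=no'

for name in CFG_COMMENTED CFG_DEFAULT CFG_FIRST_WINS CFG_EQUALS; do
    eval "cfg=\$$name"
    printf '%-15s %s\n' "$name:" "$(ssh_password_auth_enabled "$cfg")"
done
```

Running `sshd -T` on the host (as root) is the authoritative way to read the effective value, but that is not always available over a restricted account, which is why parsing the file is shown here.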

Use Case 2: Super Fast SIEM Use Case Development

LLM tools are also very useful to quickly fine tune SIEM rules and enhance detection capabilities in Security Operations Centers (SOC). The following simple example shows how quickly ChatGPT created Splunk code for detecting directory traversal attacks. 

The next screenshot shows Google Bard response to the same prompt with a different answer.

Use of these tools can greatly enhance speed of SIEM tuning and detection capability. The work that usually needs days can be accomplished in hours.
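The Splunk rule itself appears only in the screenshot, so as an added example (not the post’s or ChatGPT’s code) here is the same detection idea written as shell over constructed sample access-log lines, covering the URL-encoded traversal spellings that a rule matching only “../” would miss. The regex, the function names and the log lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Hypothetical detection logic (not the post's Splunk rule): flag web
# access-log requests that contain directory traversal sequences, including
# URL-encoded and double-encoded spellings, and rank the source addresses.
# Covered: ../  ..\  ..%2f  ..%5c  %2e%2e/  %2e%2e%2f  %2e%2e%5c  %252e%252e%252f
# Not covered (would need decoding first): overlong UTF-8 forms such as %c0%ae.
TRAVERSAL_RE='(\.\.|%2e%2e|%252e%252e)(/|\\|%2f|%5c|%252f|%255c)'

# Print the log lines that contain a traversal sequence (stdin -> stdout).
traversal_hits() {
    grep -Ei "$TRAVERSAL_RE"
}

# Number of matching lines in the log text passed as $1.
traversal_hit_count() {
    printf '%s\n' "$1" | grep -Eic "$TRAVERSAL_RE"
}

# "count source" pairs, highest first, for the log text passed as $1.
# Field 1 of the Apache/Nginx combined log format is the client address.
traversal_by_source() {
    printf '%s\n' "$1" | traversal_hits |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample log (combined log format, RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:02:11 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:02:30 +0000] "GET /app?file=%2E%2E%2F%2E%2E%2Fwin.ini HTTP/1.1" 500 88 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "GET /docs/readme..txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:03:15 +0000] "GET /static/%252e%252e%252fconfig HTTP/1.1" 404 44 "-" "Mozilla/5.0"'

# "readme..txt" has no path separator after the dots and is not flagged.
echo "traversal hits: $(traversal_hit_count "$SAMPLE_LOG")"
traversal_by_source "$SAMPLE_LOG"
```

The same pattern is what a SIEM rule would carry; testing it against known-benign lines such as the “readme..txt” request is how you keep the rule from paging the SOC on false positives.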

Use Case 3: Assistance in Security Awareness Program

Writing good communication is an art and many of us in the Cybersecurity field are not very skillful in written communication. Fortunately, we now have ChatGPT to come to our assistance. Please see the following prompt and response in crafting a communication to your specific audience.

User Prompt

“Craft a brief email for executive management team members highlighting importance of security awareness month and actions that the board should take during this month.”

ChatGPT Response

“Subject: Security Awareness Month: Enhancing Our Organization’s Resilience

Dear Members of the Executive Management Team,

I trust this message finds you well. As we usher in Security Awareness Month, I want to underscore the critical importance of this initiative and outline the actions that our Board of Directors should consider to reinforce our commitment to cybersecurity.

Security Awareness Month serves as a yearly reminder of the dynamic and ever-evolving nature of security risks within our industry. It is a timely opportunity to focus our efforts on strengthening our organization’s security posture. To this end, I recommend the following actions for our Board’s consideration during this month:

1. **Increased Employee Vigilance**: Encourage all staff to maintain a heightened level of awareness when it comes to security threats. The mantra “See something, say something” should be reinforced throughout our organization.

2. **Education and Training**: Support and participate in security awareness training sessions for our employees. Highlight the importance of robust password management, data protection, and secure online practices.

3. **Policy and Procedure Review**: Conduct a thorough examination of our existing security policies and procedures. Identify areas where revisions or improvements are needed to address emerging threats.

4. **Incident Response Simulation**: Consider organizing a tabletop exercise to test our incident response plan. Ensure that all Board members and key staff are well-prepared in the event of a security incident.

5. **Expert Insights**: Explore the possibility of inviting external security experts to provide insights on emerging threats and best practices in security. Their perspective can be invaluable in fortifying our defenses.

6. **Stakeholder Communication**: Maintain transparent communication with our stakeholders, including customers and partners, regarding our dedication to security and the measures we are implementing to safeguard their data.

7. **Resource Allocation**: Evaluate and approve the allocation of necessary resources for our security initiatives. Invest in technologies and training programs that enhance our ability to mitigate threats effectively.

8. **Regular Updates**: Ensure that our Board members are well-informed about the progress of our security initiatives and receive regular reports on security-related incidents and trends.

By collectively embracing these actions during Security Awareness Month, we will not only strengthen our resilience against potential security threats but also reinforce our unwavering commitment to the security of our organization and the trust of our stakeholders.

Your support and involvement in these efforts are invaluable. Thank you for your commitment to the security and success of our organization.

Best regards,

[Your Name]

[Your Title]

[Your Contact Information]”

Let us say this text is too long for your purpose. A follow-up prompt, as shown below, makes it much shorter. 

LLM tools can be a great help in a security awareness program.

Check Your Corporate Policy for LLM Use

Before using LLM tools, check your corporate policy. The tool may store your prompts and use them to improve the model, so any sensitive information you put in a prompt (server lists, configuration files, log excerpts, internal email drafts) may leak unintentionally. Use these tools with caution and in accordance with your corporate policies.

Posted in InfoSec, Leadership, SOC | No-Hype Use of LLMs in Cybersecurity

A New CISO’s TODO List

When a CISO joins a new organization, it is important to start with basics. Following is a TODO list for every new CISO.

  1. Understand the business – where revenue comes from and who the major customers are; meet internal stakeholders.
  2. Review the CISO budget – how large the budget is and where it is spent (people, technology, services).
  3. Know team members – Get to know team members. In case of a large team, get to know key leaders but also meet individual contributors to understand their challenges.
  4. Identify compliance and regulatory needs – Before creating a strategy, list all compliance needs, their current status, and the timeline of the next audit cycle.
  5. Understand technology foundation
    1. Policy, standards and governance structure.
    2. Critical assets and asset management (what to protect).
    3. Identify key technologies used for protection (end point, network, applications, Cloud, Identity and access management).
    4. Security operations, threat detection, incident response
  6. Key vendors – Contact key vendors and identify how to get their help.
  7. Develop Strategy and Metrics – What needs to be done to build a security program, risk management strategy, and how to measure progress.
  8. Security team branding – Create a plan for marketing and branding of the security team.

Posted in InfoSec, Leadership

A Conference Dedicated to Security Operations Center (SOC)


As shown in CISO MindMap 2023, the job of security professionals is complex, and the Security Operations Center (SOC) is a significant part of this job. SOC analysts are stressed out by an overwhelming number of incidents and by the pressure to deal with them in a timely manner. While there are many security conferences every year, working on my latest book “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” convinced me that a dedicated event is needed to focus only on topics related to a SOC.

Purpose

Benefit from the experience of SOC practitioners and crowdsource SOC best practices.

Main Focus Areas

Following are the major areas of focus that should be part of a SOC conference.

  1. SOC in the Cloud, SOC as a Service
  2. SOC – Meaningful Performance Metrics
  3. SOC Staff: Well being and stress management
  4. Use of Artificial Intelligence in SOC
  5. SOC for IoT, OT, Autonomous Vehicles and other emerging industry needs
  6. Implication of Cloud, Containers, Serverless Computing on SOC
  7. Threat visualization, Threat Intelligence
  8. Cooperative SOC for vertical markets
  9. Automation
  10. Open source SOC
  11. Incident Response, Digital Forensics
  12. Business case development, planning and implementation and cost management
  13. Emerging SOC technologies
  14. Global SOC challenges, privacy laws, data sharing across physical boundaries
  15. Integrations, APIs, Ticketing Systems
  16. Knowledge Management

With expanding sources of data and ever-evolving new threats, we, as an industry, need to continuously work on finding the best path forward. The objective of this conference is to do exactly that by challenging the status quo and bringing fresh and original thoughts to meet new challenges.

Who Should Speak?

Speakers at this event should be only those who are SOC practitioners in some form so that they can bring real world experience to the audience.

Delivery Mode

To enable a global community, the conference should be virtual so that participants can join and present from anywhere without the need for travel.

Call to Action

Interested? Connect at LinkedIn and explore this idea further – https://www.linkedin.com/in/rafeeq/

Posted in SOC

Life Principles


This post is an updated version of six fundamental principles that always fill my professional and personal life with joy, pleasure and satisfaction. So here they are!

  1. This is my first model of a joyful life, explained to me by a senior school friend. If you do this, you will never regret anything from the past, career choices, business decisions or personal relationships. It takes a lot of courage, but you will have a contented heart all the time.
  2. “Your value” is directly proportional to the value you create for others. Measure your actions by how much they benefit others, whether it is a business meeting, a family dinner, or a social media post. Always serve the people around you.
  3. There is no perfect time to launch a product, start a business, pursue a degree, or change career. You will never have perfect information to make important decisions. Embrace imperfection; “good enough” is much better than “perfect”.
  4. Be generous in your praise of people, in sharing credit, in kindness, in forgiving, in giving favors. Be a giver. Be generous with people who disagree with you. Giving favors is the best investment for your career and your personal life.
  5. Complexity is the biggest enemy at work, at home, in relationships, and with friends. Be simple, do simple things, have simple ideas, simplify things for people. Be single-threaded to improve productivity. Use images, diagrams, and analogies to explain complex things.
  6. Fear of failure keeps people from achieving great things and causes them to miss career opportunities. Fail; if you have not failed in a long time, you have very likely missed many opportunities. Overcome the fear of failure; you don’t have to prove anything to anyone. Abandon your comfort zone. Success and failure are two sides of the same coin; one does not exist without the other.

Posted in Leadership

CISO MindMap 2023: What do InfoSec Professionals Really do?

Most people outside the Cybersecurity profession don’t fully realize and appreciate the complexity of a security professional’s job. Since 2012, CISO MindMap has been an effective educational tool to communicate CISO responsibilities and has enabled security professionals to design and refine their security programs. Here is the latest and updated CISO MindMap for 2023 with a number of updates and new recommendations for 2023-24.

Download PDF Version for better printing quality

What has changed?

With time, the responsibilities of security professionals are only increasing. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and many emerging technologies like the ChatGPT phenomenon, with many vendors working on similar solutions. Not only are Infosec professionals “expected” to deeply understand these technologies, they must also provide policies and guidance on how to secure them. For this reason, every year you find new things on the CISO MindMap. Like every year, a few things are added, changed or removed from the CISO MindMap depending upon their relevance. Modified and new items are marked in red color for your convenience.

Other changes include but not limited to:

  • Automation – A section on “Automation” is added after re-organizing some existing content and adding new material. Given the budget optimization efforts of many CISOs and the shortage of qualified staff, automation is key to removing routine tasks and finding efficiencies in security operations. I believe every security team must create a specific role for automation.
  • Redundancy and Overlaps – Removed some redundancies and overlaps.
  • Expiration Date – A common issue is that many professionals still have older CISO MindMap copies. I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2023 CISO MindMap is the end of June 2024. The next version will be published before the current version expires.

Recommendations for 2023-2024

Every year I make my recommendations as a practitioner and based upon conversations with infosec leaders. I try to be objective, avoid hype, focus on what needs adoption in the next 12-18 months, and rely on what data and research show. While there may be some unintended biases, the objective is to provide actions that can be taken in a short to mid-range time period. These are not “predictions” of the future but rather “what is needed now” to strengthen security programs.

For me, the most difficult part of making these recommendations is picking as few as I can. The following list is longer than I would like it to be, but hopefully it gives you a few things to think about. Followers of the MindMap will quickly notice that some of these carry over from previous years and some are new.

  1. Increase Attention on Resilience – Evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data. Test ability to restore systems and data within an acceptable time frame. Understand that merely having a backup is not enough. Ability to rebuild impacted systems and restore backups in a timely manner is crucial to bring business back to normal operating conditions after security incidents.
  2. Reduce and Consolidate Security Tools – More security tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams. While deciding which tools to keep or retire, think about functionality overlap, future direction, and innovation on the part of vendors.
  3. Build a Brand for Security Team – While the message is important, the credibility of the messenger is also crucial. To serve business better, train security team staff on business acumen, value creation, influencing people without authority, and human experience. I included this recommendation last year as well and we need to keep focus on the fact that information security teams don’t live in a vacuum and have to enable business and interact with others. 
  4. Untangle Application Web of Components – Modern applications have become a web of interconnected components, APIs, multiple cloud and data centers, open source libraries, third party services like DNS, email, content delivery vendors, and so on. Even when you purchase a commercial off the shelf application/software, it may rely on third party APIs and services. Understand how business applications work, take an inventory of all components that they rely on, and make it part of your vulnerability management program.
  5. Build Expertise in Emerging Technologies – By now everyone has heard about ChatGPT and competing technologies from other vendors. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
  6. Create a Security Automation Role – Managing security program cost and working at “machine speed” requires automation. This is a new section added to the CISO MindMap this year. Automate maintaining a risk register, asset (hardware, software, APIs, etc.) inventory, scanning and testing. Many tools used in CI/CD pipelines as part of DevOps are useful for automation. However, simple scripting goes a long way in reducing the overhead of routine tasks. I would highly recommend automating security metrics such that you can see the current state of your security program anytime you need to, almost in real time. It is not an easy task, but it is doable. I have observed some organizations do it at scale.

I am eager to hear your viewpoint on these recommendations, why or why not!

How to use CISO MindMap?

It is unbelievable how many posts and messages I see about the many different ways people are using the CISO MindMap. Over the years, it has become a great tool for many of you, and I appreciate your feedback and suggestions for improvement. Following are some of the ways this MindMap is quite helpful:

  • Have you been asked what you really do as a security professional? The CISO MindMap is one way of answering the question and explaining it to people. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO job, especially to a business audience.
  • A means for guiding conversation with other technology professionals.
  • SANS Institute uses it as part of the Security Leadership Poster.
  • Designing and refining security programs.
  • Some security vendors use the MindMap for awareness.
  • CISO group discussions and/or community meetings.
  • Helping aspiring security professionals understand the landscape and decide on a career path.
  • An educational and awareness tool.

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

What do they say?

Many security leaders and professionals have made comments on LinkedIn about CISO MindMap and how they use it. Following is a sample of some of these comments with links to original posts on LinkedIn.

Jesper Bork Olsen said:

“Interested in understanding the role of a CISO? Today, reflecting on the past weeks of intensity, curiosity and just overall well invested energy, I enjoy looking through the newly updated CISO mindmap that Rafeeq Rehman continues to maintain both from a relevance, recommendations and a reminding perspective.

If you’re in the #cybersecurity field you will have seen the #CISO mindmap for sure, and if you are a senior leader, that haven’t had the pleasure yet or are curious as to what a CISO actually considers in the everyday life, I strongly recommend spending time on this – I guarantee there are topics on there that can inspire a vivid conversation with the board in almost any organization! If nothing else, share the 6 recommendations with your cybersecurity team and see if it’s a match for you too 😉

For me personally, the Mindmap has served as a great source of inspiration from the very first version several years ago – thank you Rafeeq Rehman for your continued contributions to the community!!”

Rodolphe Simonetti said:

“My friend Rafeeq Rehman recently released the 2022 version of the CISO Mindmap – always a great reference.”

Dan Maslin Wrote:

“Another year, another update to the CISO MindMap by Rafeeq Rehman.  Looks like in 2022 we’ve added another dozen or so areas of responsibility for the CISO (unsurprising and yes it is unrelenting), these are shown in red.

Published now for over a decade, I find these CISO MindMaps incredibly useful to explain (maybe to ourselves at the very least) the breadth and complexities of the roles that CISOs and cyber security teams undertake.”

Martin tePoele says:

“I ran across the CISO MindMap recently and was quite impressed.”

David Howell says:

Landed on a great resource for anyone interested in better understanding the incredibly complex scope of responsibilities under a CISO. The CISO Mind Map (courtesy of Rafeeq Rehman) puts it all into perspective. It’s one thing to say “CISOs have a lot on their plates” – but another thing to see it in black and white. The CISO Mind Map is also useful in terms of thinking about how the many discrete activities and programs may be organized.

Acknowledgments

In addition to numerous infosec leaders who provide their input, we have a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is an alphabetically organized list of people and organizations who provided “specific suggestions” for improvements. If I missed anyone, please send me a message to make corrections.

Your input is highly appreciated!

Copyright © Note

This MindMap is copyrighted material. However it is absolutely free to all (like water and air) with no strings attached (as long as it is not altered and not used to make money). When using this MindMap, please cite the source properly so that recipients can receive future updates.

Posted in cisomindmap, Leadership

Risk Assessment – On Estimating Control Strength

In a previous blog post, I discussed qualitative, quantitative, and scoring methods of risk assessment. Irrespective of which method we use, estimating “control strength” is an important part of calculating overall risk (especially in qualitative and quantitative methods). To improve consistency and to decrease subjectivity in estimating control strength, I am providing some examples of how to estimate control strength in this article.

What is a Control and Control Strength?

A “control” is something that reduces the potential of a loss. Controls can be implemented in many forms. It could be a technical control (e.g. a firewall), a process control (e.g. change management process), an administrative control (e.g. a visitor log), or in some cases a person (like a security guard). 

Simply put, control strength is the ability of a control to stop/resist cyber attacks from threat actors, resist compromise and protect an asset’s confidentiality, availability and integrity.

Categorizing Control Strength

Control strength can be categorized in different levels. Using five levels for control strength is very common. Following is one way to describe these levels but there could be other ways to do so.

  1. Very High (VH) – The control protects against even the most capable threats
  2. High (H) – The control protects against the majority of threats
  3. Moderate (M) – The control protects against average threats
  4. Low (L) – The control protects only against very low-level attacks
  5. Very Low (VL) – The control is not effective at all and would rarely protect against any threat

Having these categories at hand, a risk analyst can determine control strength during the process of risk analysis in a more consistent manner.

Estimating Control Strength

Risk analysts need to make an estimate about control strength during the risk assessment process. This estimate could be based upon data (which is difficult to acquire in the information security field) or it could be based upon experience and knowledge of the analyst. Following are some examples of how to estimate control strength in different scenarios. These could be used for education purposes.

Scenario 1 – Protecting data in a web application with help of user authentication and making it available to only authorized users.

Following can be one way of estimating control strength levels:

  1. Very High (VH) – A user has to use a combination of username and password along with two-factor authentication. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. A user is notified via email when a password change occurs.
  2. High (H) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. A user is notified via email when a password change occurs.
  3. Moderate (M) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters.
  4. Low (L) – A user has to use a combination of username and password but is able to use a password of any length, with no requirement for special characters.
  5. Very Low (VL) – No username and password is required. A user can get to the data as long as the user has the specific URL.

Scenario 2 – Protect physical security of a data center

  1. Very High (VH) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room combined with a biometric retina scan, and cameras inside the data center with face recognition technology that can identify unknown people.
  2. High (H) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room.
  3. Moderate (M) – Boundary wall with locked gates, security guard on duty, visitor log.
  4. Low (L) – Boundary wall with locked gates. Visitors with a key can enter the building.
  5. Very Low (VL) – Room inside a building with no locks.

Other Considerations 

Here are few other considerations while dealing with control strength estimation.

  • We don’t need all five levels of controls for each scenario. In some cases, we may have three or four levels of controls, e.g. Very High, Moderate, and Low.
  • The exact definition of each level of control can vary from one organization to another, but within an organization it should be consistent with a single standard.
  • Risk management leadership should train risk analysts on a continuous basis. The training should cover how to measure control strength by walking them through new scenarios each time. An example could be a monthly open meeting to pick one scenario and explain the rationale for its control levels.

Posted in Risk Management