GenAI Risk Categories

Let us make it simple: All GenAI risks can be grouped into three high level risk categories (as explained win this document). These three buckets will help better understand GenAI risks and to apply strategy recommendations below.

Traditional Tech Risks

These risks are associated with network infrastructure on which GenAI models and applications run. These risks always existed and are not specific to AI. These include, but not limited to:

  • Network architecture
  • Operating systems vulnerabilities
  • Applications design
  • Identity and access management
  • Denial of service
  • Web applications (OWASP top 10 for web apps)
  • Ransomware

Recommendation: Continue using traditional controls to manage these risks.

GenAI Amplified Risks

These risks always existed but use of GenAI has either amplified these or created a new dimension to these risk. These include, but not limited to:

  • Data leakage and information disclosure
  • Amplified privacy concerns
  • Global compliance to regulations
  • Incident detection & response
  • Supply chain attacks
  • Resource exhaustion and denial of service

Recommendation: To deal with these risks, security teams need to update and enhance their traditional controls

Newly Introduced Risks

These risks are completely new and very specific to use of GenAI. New methods are needed to identify and manage these risks. These include:

  • Prompt injection
  • Jailbreaking
  • Hallucinations
  • Legal liability of pre-trained models
  • Training data and model poisoning
  • Excessive agency over taking actions

Recommendation: New controls, governance, and tools are needed to manage these newly introduced risks.

Recent Posts

Subscribe to Blog

Posted in AI, Risk Management | Tagged | Comments Off on GenAI Risk Categories

Ten Best Practices for Cybersecurity Risk Management

Cybersecurity risk management is a critical process for organizations aiming to safeguard their assets, systems, and data from potential threats. Effective risk management involves the following best practices: 

  1. Asset Identification : Understand your most critical assets, including data, systems, and networks.
  2. Risk Assessment : Evaluate risks related to each asset by determining potential threats and their likelihood of occurring, as well as the impact on the organization if a threat is realized.
  3. Mitigation Strategies : Develop and implement strategies to mitigate or eliminate identified risks. This may involve technical, administrative, and physical controls.
  4. Continuous Monitoring : Regularly monitor and review the organization’s cybersecurity posture to ensure that new threats are quickly identified and addressed.
  5. Incident Response Plans : Establish incident response plans and procedures to minimize the impact of a successful attack or breach.
  6. Regular Testing and Updates : Regularly test and update your cybersecurity measures to maintain an effective defense against evolving threats.
  7. Security Culture : Foster a security-conscious culture within the organization by providing regular training, encouraging secure habits, and promoting open communication about potential vulnerabilities.
  8. Compliance and Collaboration : Adhere to relevant laws, regulations, and industry standards related to data protection and privacy. Collaborate with other organizations and government agencies to share information about threats and best practices for addressing them.
  9. Patch Management : Maintain a strong focus on patch management to ensure that systems and applications are updated with the latest security patches and fixes.
  10. Threat Intelligence and Vulnerability Management : Utilize threat intelligence frameworks and vulnerability management programs to identify, prioritize, and manage threats based on their likelihood and impact.

By adhering to these best practices, organizations can effectively manage cybersecurity risks, protect their assets, systems, and data, and reduce the likelihood of a security breach. 

Posted in cisomindmap, InfoSec | Tagged , | Comments Off on Ten Best Practices for Cybersecurity Risk Management

Run LLM Models on Macbook – Part II

Protect your intellectual property by running GenAI models locally

This is a continuation of my previous blog post on running open source models locally. In this blog we add Open WebUI as a web interface to provide the end user similar experience as ChatGPT.

Following is a short summary of why run local models locally.

Why Run Open-Source GenAI Models Locally?

Running open-source GenAI models locally provides several benefits:

  1. Data Protection: Keep sensitive information within your organization’s control. By processing data locally, you can keep sensitive information from leaving your organization’s premises, reducing the risk of data breaches and intellectual property theft.
  2. Increased Control: With full control over the deployment environment, you can tailor the setup to meet your specific requirements, ensuring that your models are used as intended.
  3. Improved Performance: Running GenAI models locally allows for faster processing times and reduced latency, making them more suitable for real-time applications.
  4. Enhance Security: Reduce the risk of data breaches and intellectual property theft by processing data locally.

Open Source License Requirements

Please check the licensing requirements for the open source model you are going to use as it may be quite different depending upon the model you use. The license may also be different depending on the type of use (personal, educational, commercial, etc.)

Step-by-Step Process

Follow these three simple steps to install and run multiple LLMs locally.

Step 1: Set up Ollama

Ollama is an open source project that enables you to run large language models (LLMs) locally without going through too much hassle. It is available at GItHub (see references below)

Open terminal window on Macbook and use the following commands:

mkdir llm
cd llm
curl -L https://ollama.com/download/ollama-darwin-arm64 -o ./ollama
chmod u+x ollama 
./ollama

Step 2: Download LLM model you want to run

Go to a new terminal windows and pull llama3

./ollama pull llama3

Step 3: Run the Model

Once the model is downloaded, you can run it and use prompts on the command line. Following is a typical session with one prompt and its response:

./ollama run llama3

Step 4: Install Open WebUI

Use the following steps to install Open WebUI.

python3 -m venv venv
 . venv/bin/activate  
pip install open-webui

The first line creates a new Python environment. The second line activates this environment and the third line installs Open WebUI.

Step 5: Run Open WebUI

Use the following command to run Open WebUI.

open-webui serve

You will see a bunch of messages appear on the terminal window as shows in the screenshot below. 

Now point your web browser to http://0.0.0.0:8080 or http://localhost:8080 where you have to create an account the first time you use Open WebUI. You are ready to ask questions using this web interface. On the top-left corner of the following screenshot, select one of the installed models from step 2 and then enter prompt for that model.

If you have multiple models installed locally, you can use the same prompt to check how they respond differently.

References

Subscribe to Blog

Subscribe to blog to get email notification of new posts

Recent blog posts

Posted in AI | Tagged , , , | Comments Off on Run LLM Models on Macbook – Part II

Post-Quantum Cryptography Resources

Open Source Software Libraries and Organizations working to future proof security of data 

This blog post provides essential resources for security professionals and software developers looking to secure data in the post-quantum era. It highlights key organizations such as NIST, the Linux Foundation, and the Post-Quantum Cryptography Alliance, which are leading efforts in quantum-resistant cryptography. Additionally, it introduces open-source libraries that facilitate the implementation of quantum-safe encryption algorithms, offering practical tools for integrating cutting-edge security measures into your systems.

NIST Post-Quantum Cryptography Research

The NIST Post-Quantum Cryptography project focuses on developing and standardizing cryptographic algorithms that are secure against the threats posed by quantum computing. This initiative aims to identify and endorse new cryptographic algorithms that can protect data and communications in a future where quantum computers might break current encryption methods. The project involves a multi-phase process, including a public evaluation and selection process to ensure that the chosen algorithms are both secure and practical for widespread use. NIST’s goal is to establish new standards for cryptography that will ensure data security well into the future.

Main webpage: https://csrc.nist.gov/projects/post-quantum-cryptography

NIST Released Three Post-Quantum Encryption Standards

After 8 years of work, the National Institute of Standards and Technology (NIST) has released its first three finalized post-quantum encryption standards, marking a significant step in securing data against future quantum computing threats. These standards include algorithms designed to protect digital information from being compromised by quantum computers, which have the potential to break traditional encryption methods. The new standards are intended to ensure long-term data security and support the transition to quantum-resistant cryptographic systems. 

Main webpage: The announcement page

Following are links to the finalized standards:

OpenQuantum Safe

The Open Quantum Safe (OQS) project is dedicated to developing and promoting quantum-resistant cryptographic algorithms and tools to safeguard data against the potential threats posed by quantum computing. It provides an open-source platform for the research and implementation of cryptographic algorithms that are resistant to quantum attacks. The OQS project aims to advance the security of information systems by offering resources, software libraries, and a community-driven approach to integrating quantum-safe algorithms into existing security frameworks.

Post Quantum Cryptography Alliance

The Post-Quantum Cryptography Consortium (PQCA) is focused on advancing the adoption and development of cryptographic systems that are secure against the potential threats posed by quantum computing. The consortium collaborates with industry leaders, researchers, and institutions to facilitate the transition to quantum-resistant cryptographic algorithms. It provides resources, guidelines, and support to help organizations implement and evaluate post-quantum cryptographic solutions, ensuring robust security in a future where quantum computers could compromise current encryption methods.

Open Quantum Safe provider for OpenSSL

The OQS Provider on GitHub is an open-source project that integrates quantum-safe cryptographic algorithms into the Open Quantum Safe (OQS) framework, such as OpenSSL. It provides a modular interface for incorporating post-quantum cryptographic algorithms into existing cryptographic libraries and systems. The OQS Provider enables developers to test and deploy quantum-resistant algorithms by offering an implementation of these algorithms as a provider for cryptographic operations. The project aims to facilitate the evaluation and adoption of quantum-safe cryptography within various software environments.

Summary

The post highlights essential resources for security professionals and software developers to secure data in the post-quantum era. It mentions key organizations such as NIST, the Linux Foundation, and the Post-Quantum Cryptography Alliance (PQCA), which are leading efforts in quantum-resistant cryptography. The blog also introduces open-source libraries that facilitate the implementation of quantum-safe encryption algorithms, including Open Quantum Safe (OQS) and its provider for OpenSSL. Specifically, it notes NIST’s release of three post-quantum encryption standards, FIPS 203-205, and provides links to these standards. Additionally, it summarizes OQS as an open-source project dedicated to developing and promoting quantum-resistant cryptographic algorithms and tools, and PQCA as a consortium focused on advancing the adoption and development of cryptographic systems secure against quantum threats.

Subscribe to Blog

Posted in AI, InfoSec, Quantum | Comments Off on Post-Quantum Cryptography Resources

Run LLM Models on a Macbook

As the use of GenAI models becomes increasingly prevalent, it’s crucial for organizations to ensure the security and ownership of their intellectual property. One way to achieve this is by running open-source GenAI models locally on your own infrastructure.

Why Run Open-Source GenAI Models Locally?

Running open-source GenAI models locally provides several benefits:

  1. Data Protection: Keep sensitive information within your organization’s control. By processing data locally, you can keep sensitive information from leaving your organization’s premises, reducing the risk of data breaches and intellectual property theft.
  2. Increased Control: With full control over the deployment environment, you can tailor the setup to meet your specific requirements, ensuring that your models are used as intended.
  3. Improved Performance: Running GenAI models locally allows for faster processing times and reduced latency, making them more suitable for real-time applications.
  4. Enhance Security: Reduce the risk of data breaches and intellectual property theft by processing data locally.

Open Source License Requirements

Please check the licensing requirements for the open source model you are going to use as it may be quite different for each model. The license may also be different depending on the type of use (personal, educational, commercial, etc.)

Step-by-Step Process

Follow these three simple steps to install and run multiple LLMs locally.

Step 1: Set up Ollama

Ollama is an open source project that enables you to run large language models (LLMs) locally without going through too much hassle. It is available at GItHub (see references below)

Open terminal window on Macbook and use the following commands:

mkdir llm
cd llm
curl -L https://ollama.com/download/ollama-darwin-arm64 -o ./ollama
chmod u+x ollama 
./ollama

Step 2: Download LLM model you want to run

Go to a new terminal windows and pull llama3

./ollama pull llama3

Step 3: Run the Model

Once the model is downloaded, you can run it and use prompts on the command line. Following is a typical session with one prompt and its response:

./ollama run llama3
>>> who wrote harry potter?
>>>

If you have completed the above three steps, you are on your way to start using LLMs locally on your Macbook. No need to have Internet connectivity or send data to a third party chatbot. Ollama supports many LLMs and the list is available on its Github page. You can “pull” any of these models and test them locally.

Running open-source GenAI models locally provides a secure and controlled environment for developing and deploying AI-powered applications. By maintaining ownership and control over your data, you can protect your intellectual property while still leveraging the benefits of GenAI technology.

In a next blog post, I will discuss using a web interface with Ollama.

References

https://github.com/ollama 
https://github.com/ollama/ollama
https://ollama.com/library

Subscribe to My Blog

Latest Blog Posts

Posted in AI | Comments Off on Run LLM Models on a Macbook

Navigating the Landscape of Risk Management Frameworks

In the realm of information security, the quest to effectively manage risk is paramount. However, amidst the myriad of frameworks available, distinguishing between those explicitly designed for risk management and those that serve as broader guidelines can be a daunting task. A recent survey conducted over a 24-hour period on April 20-21, 2024, offers illuminating insights into the landscape of risk management frameworks, shedding light on prevalent practices and perceptions within the industry. Following is an image showing the results of this survey:

Despite the survey question’s slight ambiguity, the responses gleaned from 259 votes and 5591 impressions on LinkedIn provide valuable glimpses into the strategies employed by information security teams. It becomes evident that a multitude of frameworks are being utilized, even ones not originally intended as strict “risk management frameworks”.

Towering above the rest in popularity is the NIST Cybersecurity Framework (NIST CSF), a stalwart in the field renowned for its comprehensive approach to cybersecurity. Originating from an initiative aimed at safeguarding critical infrastructure, NIST CSF has transcended its initial scope to emerge as a go-to resource for managing cybersecurity risk across diverse organizational landscapes.

When probed further about why individuals perceive NIST CSF as a risk management framework, one respondent succinctly encapsulated the sentiment: “The goal of CSF and pretty much any control framework is to manage and reduce risk.” Indeed, the preface of NIST CSF explicitly states its purpose as assisting organizations in managing and mitigating cybersecurity risks, underscoring its relevance in the risk management arena.

However, it’s important to acknowledge dissenting voices within the survey responses. While many recognize NIST CSF as a formidable tool for risk management, others contend that it falls short of being a dedicated risk management framework. Instead, frameworks such as ISO/IEC 27005:2022 and NIST SP800-30 are hailed as the true champions of risk management, offering more specialized approaches tailored to the intricacies of risk assessment and mitigation.

Moreover, respondents highlight the need to delineate between distinct categories of frameworks, including:

  • Security Program Management such as NIST CSF
  • Risk Management such as NIST RMF
  • Control Frameworks (such as NIST 800-53)

This clarification is essential in preventing confusion and ensuring that organizations select the most appropriate framework for their specific needs.

Further complexity arises with the mention of FAIR (Factor Analysis of Information Risk), heralded as a risk assessment methodology rather than a traditional risk management framework. While some dismiss FAIR due to its perceived lack of widespread adoption, others emphasize its value in providing a structured approach to assessing and quantifying information risk.

In conclusion, the survey findings underscore the nuanced landscape of risk management frameworks, characterized by a diversity of approaches and perspectives. While NIST CSF reigns supreme in popularity and utility, it’s essential for organizations to critically evaluate their needs and objectives before selecting a framework (especially when it comes to SEC breach notification/reporting on Form 8K). By fostering a deeper understanding of the distinctions between various frameworks and methodologies, information security teams can navigate the complex terrain of risk management with confidence and clarity.

Subscribe to blog

Recent Posts

Posted in Risk Management | Tagged , , , | Comments Off on Navigating the Landscape of Risk Management Frameworks

CISO MindMap 2024: What do InfoSec Professionals Really Do?

Many individuals outside the realm of cybersecurity often underestimate the intricacies involved in a security professional’s role. Since its inception in 2012, the CISO MindMap has served as a valuable educational resource, offering insights into CISO responsibilities and aiding security professionals in crafting and enhancing their security programs. Continuously adapting to reflect the evolving landscape of cybersecurity, the CISO MindMap has been updated to accommodate the latest developments in the field. Here is the most recent iteration of the CISO MindMap for 2024, featuring numerous enhancements and fresh recommendations for the year 2024-25.

Don’t forget to review recommendations for 2024-25 described below and to subscribe to my blog.

Summary of Changes to 2024 CISO MindMap

With time, the responsibilities of security professionals are only increasing. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and extremely fast evolving GenAI technology with many applications. Not only the Infosec professionals are “expected” to deeply understand these technologies, they are also tasked with providing policies/guidance on how to secure them. For this reason, every year you find new things on the CISO MindMap. At the same time, some items are changed or removed from the CISO MindMap depending upon their relevance. In the latest CISO MindMap, modified and new items are marked in red color for your convenience.

Other noticeable changes include:

  • Artificial Intelligence and GenAI – MindMap now has a dedicated section on Artificial Intelligence and GenAI, reflecting insights from security leaders. GenAI’s rapid development is exciting, but measured caution is advised until the field matures further. 
  • Removing Redundancy and Overlaps – Removed some redundancies and overlaps in different sections. I also moved some elements of the MindMap to more relevant categories.
  • Security Team Branding – An integral aspect of the CISO’s role involves effectively advocating for information security across diverse stakeholders. Drawing from valuable insights provided by experienced CISOs, we have expanded the section on ‘Security Branding’ in response to their feedback. This includes essential skills such as negotiation, executive engagement, strategic prioritization, and tactful decision-making. These are identified as key areas where new CISOs often encounter challenges, and thus, warrant special attention.
  • Expiration Date – A common issue is that many professionals still have older CISO MindMap copies. Like last year, I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2024 CISO MindMap is the end of June 2025. The next version will be published before the current version expires.

CISO MindMap Updates Methodology

Every update to the CISO MindMap undergoes thorough consideration, research, and attention to detail. In addition to my ongoing engagements with industry leaders, various methods are employed to ensure we capture the pulse of the cybersecurity landscape:

  • Conducting interviews with experts
  • Distributing surveys to gather insights
  • Leveraging LinkedIn for targeted questions and discussions
  • Analyzing feedback and comments from previous versions of the CISO MindMap
  • Staying abreast of industry news and conducting in-depth analysis

Furthermore, I’d like to express my gratitude to the contributors whose valuable insights have enriched this endeavor. The ‘Acknowledgments‘ section of this blog post includes their names and LinkedIn profiles as a token of appreciation.

Are you Accountable for Everything in the CISO MindMap?

Security is inherently a collaborative effort, and the role of the CISO entails providing consultative guidance in various areas outlined within the CISO MindMap. It’s crucial to discern between areas where direct ownership and accountability are necessary and those where consultation is the primary function. Within any organization, numerous stakeholders are involved, and a common pitfall is the lack of clearly defined boundaries for each role.

My recommendation is to establish a RACI (Responsible, Accountable, Consulted, Informed) matrix, which serves as a standardized methodology for delineating roles and responsibilities among stakeholders [6]. By mapping out tasks and corresponding roles within this framework, clarity is achieved, ensuring that each stakeholder understands their level of involvement and contribution to the overall security landscape.

Focus Areas and Recommendations for 2024-2025

Each year, I offer my recommendations as a practitioner, drawing insights from discussions with information security leaders. My approach strives for objectivity, steering clear of hype and focusing solely on data-driven research. Though unintended biases may exist, the goal remains to propose actionable steps viable within a short to mid-range timeframe. These recommendations do not constitute future predictions; rather, they address the immediate needs for enhancing security programs.

Selecting a concise set of recommendations is always a challenge for me. While the list provided below may be longer than I’d prefer, I aim to offer a comprehensive array of considerations for your reflection. Followers of the MindMap will notice both recurring suggestions from previous years and novel additions, providing a blend of continuity and fresh insights.

I’m genuinely interested in hearing your perspective on these recommendations and understanding whether they resonate with your experiences and insights. Your feedback, whether in agreement or disagreement, provides valuable insights that can help refine and improve our approach to addressing security challenges. So, please feel free to share your thoughts and insights on these recommendations—whether you support them or have reservations—so we can engage in a constructive dialogue to further enhance our security strategies.

Recommendation 1: Adopt a Cautious Approach Towards GenAI

GenAI has become a focal point of discussion, rapidly evolving within the technological landscape. The Wall Street Journal reported Amazon’s unprecedented investment in an AI startup, reflecting the significant momentum in this domain. In 2023, investments in Generative AI companies exceeded $29 billion [1]. Furthermore, numerous open-source solutions are emerging within the GenAI market [2]. Amidst the buzz, it’s important to maintain a discerning approach.

Security professionals approach GenAI from three primary perspectives:

  1. Utilization within security practices: Emphasizing enhanced productivity and the exploration of automation opportunities for routine tasks.
  2. Safeguarding GenAI in corporate environments: Establishing GenAI centers of excellence to ensure governance, policy adherence, and protection against potential attacks. Aligning business and cybersecurity strategies to accommodate GenAI.
  3. Monitoring malicious use of GenAI: While not yet a cause for alarm, it’s essential to remain vigilant regarding the evolving applications of GenAI for malicious purposes.

Although every security vendor touts AI integration within their products and services, it’s prudent to avoid succumbing to hype and refrain from significant investments in GenAI technology for security purposes at this stage. It’s anticipated that over the next 12-18 months, clear market leaders will emerge from the current phase of hype and use cases for Cybersecurity will be better defined. At this stage, it is better to educate oneself and explore use cases such as automation and productivity enhancement.

Recommendation 2: Consolidate and Rationalize Security Tools

No matter the size of your InfoSec budget, it is prudent to take a more critical look at security programs and find ways of ways for program management. An average organization is using a large number of technologies, by some estimates as high as 47, according to a Ponemon survey. Yet many security leaders don’t know if Cybersecurity tools are working. Accumulating more security tools doesn’t necessarily lower risk; rather, it amplifies the necessity for maintaining expertise within security teams. There is a need for consolidation and rationalization of security tools by deeply exploring Return on Investment (ROI) of these tools. When rationalizing the need for tools, consider factors such as functionality overlap, available expertise within the team to effectively utilize the tool, and the innovation on the side of vendors. You may be surprised to find shelfware. In some cases open source tools may work just fine as well.

Recommendation 3: Cyber Resilience – Go Beyond Incident Response

Building upon last year’s recommendation, it’s evident that in numerous organizations, security incident response remains separate from business continuity and disaster recovery functions. It’s imperative to assess ransomware defenses, detection, and response capabilities comprehensively. Conducting a business impact analysis is essential to identify critical processes, applications, and data.

Moreover, testing the ability to restore systems and data within an acceptable timeframe is crucial. Merely possessing backups is insufficient; the capability to rebuild impacted systems and restore backups promptly is vital for restoring normal business operations following security incidents.

Recommendation 4: Build a Brand for Security Team

The role of a CISO is inherently public-facing, demanding continuous engagement with technology and business leaders. While the message being conveyed holds significance, the credibility of the messenger is equally vital. To better serve the interests of the business, it’s imperative to equip security team members with skills beyond technical expertise, especially those who are aspiring to be leadership roles in future.

This includes training in business acumen, value creation, influencing without authority, and enhancing human experience. Emphasizing these aspects is not new; however, it’s crucial to maintain focus on the fact that information security teams operate within a broader context and must facilitate business objectives while collaborating effectively with others.

Skills such as negotiation, compromise, and strategic decision-making play pivotal roles in establishing both personal and team credibility, ultimately contributing to the enhancement of the overall brand.

Recommendation 5: Maximize Business Value of Security Controls

The proliferation of security and compliance controls often creates friction between security and other technology teams. However, not all controls carry equal weight, and some may offer minimal value in terms of risk reduction and business enhancement. It is advisable to conduct a thorough assessment of each control, evaluating its effectiveness and business impact.

CISOs should devise a strategy to phase out low-value controls within the next 12-18 months, thereby eliminating unnecessary maintenance costs. This proactive approach ensures resources are allocated efficiently, focusing efforts on controls that truly contribute to mitigating risks and driving business value

How to Use CISO MindMap?

Have you ever been asked to explain what you do as a security professional? The CISO MindMap offers a comprehensive solution for addressing this question and clarifying the intricacies of the role. Many professionals have attested to its efficacy in elucidating the complexities of the CISO position, particularly when communicating with a business audience.

Here are some ways in which the CISO MindMap proves to be immensely valuable:

  • Facilitating conversations with fellow technology professionals.
  • Instrumental in the design and refinement of security programs.
  • Adopted by certain security vendors for raising awareness.
  • Employed in CISO group discussions and community meetings.
  • Aiding aspiring security professionals in understanding the industry landscape and charting their career paths.
  • Serving as an educational and awareness-raising tool.

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

What are They Saying?

Following are some comments on CISO MindMap LinkedIn post from 2023.

  • Michael Restivo“One of the most valuable documents around. Love this Rafeeq.”
  • Chris Novak“Always a great asset! Thanks for all that you do for the cybersecurity community!”
  • Muath AlHomoud“Great insight Rafeeq Rehman always inspiring”
  • Christophe Foulon “Insightful as always, Rafeeq Rehman
  • Matthew P.“Thanks for updating this. I think this makes a really useful tool when talking to the next generation about careers in security being able to demonstrate the breadth of what we can get involved in is quite eye opening”
  • David Elfering“Thank you! I review security programs as part of my work; your outline is fantastic. As a CISO, I regularly reviewed it, and as a consultant/advisor, I can see even more clearly how others would benefit.”
  • Alan Ng“Thanks for all the heart and sweat poured into this awesome mindmap and recommendations! It is a great resource!”
  • Stefan Jäschke – “Terrific work Rafeeq Rehman – thanks for giving back to the community consistently over the years in so many ways.
  • Arvind Javali – “I listened to your podcast interview on CISO mindmap, very insightful, thanks for sharing”
  • Ashoka Reddy – “Thank you, Rafeeq Rehman, for the knowledge, insight, time, and effort you have put into creating and sharing the #CISOMindMap. For #InformationSecurityManagers this is a gold standard that is priceless. It’s a little overwhelming to the point of being funny, but you’ve mapped my professional brain pretty nicely. For #BusinessLeaders this gives oversight to how we protect organizations, revealing our value and responsibilities.
  • Jas Puar“Great timing. I’ve been looking at the 2022 version recently for some inspiration. Glad the 2023 version is available. The role is becoming bigger (cutting deeper across the entire business) and therefore more critical every year. More needs to be done to educate and raise awareness to change the direction of travel, otherwise an already thankless role, will very soon become an impossible one. Keep up the great work!”
  • Steve Lodin – “Thanks again for your continued work here. I look at and keep a copy of every version you release!
  • Fernando Montenegro – “Really nice work, forwarded it to others. I really enjoy the “expiration date” aspect.”
  • Georgeo X. Pulikkathara – “Rafeeq Rehman, good work on the CISO MindMap. My assessment is that this is a good framework for CISOs to approach all the areas we need to consider.
  • Rob Mukherjee – “This is brilliant, thanks Rafeeq. And couldn’t agree more with your comment in the first focus area. “Understand that merely having a backup is not enough. Ability to rebuild impacted systems and restore backups in a timely manner is crucial.” Spot on!! Think “restore”, not just backup!

Acknowledgments

In addition to numerous infosec leaders who provide their input, we have a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is a list of people and organizations who provided “specific suggestions” for improvements (in no particular order). If I missed anyone, please send me a message to make corrections.

  1. Jack Jones 
  2. Gary Hayslip
  3. Michael Restivo
  4. Wes Sobbott
  5. Muath AlHomoud  
  6. Ross Young
  7. Ross McNaughton 
  8. Gerard Onorato 
  9. Tony DeAngelo  
  10. James J Azar  
  11. Chris Hughes 
  12. Izhar Mujaddidi
  13. Nadeem Iftikhar 
  14. Ismail Cattaneo  
  15. Andres Ricardo Almanza Junco  
  16. Jack Jones 
  17. Chad Sturgill  
  18. Omar Khawaja  
  19. Rodolphe Simonetti 
  20. Scott Hawk  
  21. Hisham Zahid 
  22. Jerich Beason  
  23. M Kashif Bukhari  
  24. Chris Castaldo
  25. Atif Yusuf
  26. Jon Rogers  
  27. Andi Baritchi 
  28. Ricky Mehra
  29. Ahmed Kamel
  30. Tobias Ander
  31. Indy Dhami
  32. Matthew Thompson
  33. Marc Vael
  34. Christophe Foulon

Your input is highly appreciated!

References

[1] Wall Street Journal, Amazon Invests $2.7 Billions More in AI Startup, [link

[2] Wall Street Journal, Open-Source Companies Are Sharing Their AI Free. Can They Crack OpenAI’s Dominance?, [link]

[3] NIST AI Risk Management Framework [link]

[4] Deloitte, Proactive Risk Management in Generative AI [link]

[5] Deloitte, The implications of Generative AI for businesses [link]

[6] CIO, The RACI matrix [link]

Copyright © 2012-2024 – Permission to use

This MindMap is copyrighted material. However it is absolutely free for all personal, business and professional purposes (like water and air). There are no strings attached, as long as it is not altered and not used to make money. When using this MindMap, please cite the source properly so that recipients can receive future updates.

Subscribe to Blog

To keep updated with new versions of CISO MindMap and other posts, subscribe to my blog here:

Recent Posts

Posted in cisomindmap | Tagged , , , , , | Comments Off on CISO MindMap 2024: What do InfoSec Professionals Really Do?

Building Generative AI (GenAI) Applications

Four key considerations for business executives

Harnessing the potential of Generative AI (GenAI) to create user applications that drive business value may appear daunting, yet it doesn’t need to be. With the GenAI field advancing swiftly and offering a plethora of options, understanding the following four fundamental areas can provide clarity for business leaders:

  1. User Interface (UI) Design for Prompt Interaction – GenAI applications typically rely on user prompts to generate responses. A well-designed UI, effective prompt engineering, rigorous testing, and user training are crucial aspects. Tailoring the UI to enable users to establish “context” for GenAI responses is paramount.
  1. Implementing Prompt and Response Filtering – Establishing controls to govern how GenAI models respond to prompts and filtering out undesirable content is essential. This ensures that the generated responses align with organizational standards and objectives. The focus should be on providing guardrails in case the GenAI models deviate from safety standards.
  1. Selecting a Baseline GenAI Model – Choosing the right baseline GenAI model is pivotal. These pre-trained deep learning models serve as the foundation and offer a starting point for application development. Careful consideration of factors such as application type, cost, and computational requirements is imperative when selecting from a range of commercial and open-source options.
  1. Fine-Tuning for Optimal Performance – Enhancing the performance of baseline models through fine-tuning is indispensable. Fine-tuning involves leveraging additional data to adapt the baseline model to specific use cases, such as generating journalistic essays, customer support, legal documents, etc. Organizations should deliberate on how they intend to fine-tune GenAI models to align with their unique requirements.

While building GenAI applications entails inherent complexity, focusing on these considerations provides a valuable blueprint for developing high-quality user applications driven by Generative AI technology.

Subscribe to Blog

Recent Posts

Posted in AI, Leadership | Tagged , , | Comments Off on Building Generative AI (GenAI) Applications

Security Hygiene

While responsibilities of leaders in information security are very extensive as shown in the CISO MindMap, following are seven foundational and “must-have” capabilities that every information security program should have. If any of these capabilities is missing, the first priority should be to build it before considering more advanced level program development.

  1. Governance – Create or update foundational security policies, standards and procedures. This may vary significantly based upon organizational maturity, compliance needs, size of the organization, and risk tolerance. Create success metrics. Perform regular audits to measure effectiveness of security. Align security program with business objectives.
  2. Risk Management Process – At minimum, every organization must have a process for identifying, assessing, documenting, reporting, prioritization, and mitigating risk. This may be as simple as using a spreadsheet or as complex as using a sophisticated GRC tool.
  3. Asset Management – A process for identifying assets including hardware, software, network, applications, Cloud and others. An asset is anything that your organization relies on conducting its business.
  4. Network Security – Employ fundamental network security countermeasures such as network and web application firewalls, network segmentation, remote access VPN, and network threat detection capabilities.
  5. Endpoint Detection and Response – Use tools for endpoint protection, data protection, anti malware, that can provide protection against data theft and ransomware.
  6. Vulnerability Management Program – A program must include network and application scanning, vulnerability identification, penetration testing, patch management, tracking and closing vulnerabilities and linking with the risk management process. Many open source tools are available to overcome budget issues.
  7. Threat Detection and Response – Ability to detect threats using automated tools, logs, and other mechanisms, create an incident response process. Build an internal coalition for recovering from security incidents in a timely manner. Build relationships with local law enforcement. Tabletop exercises are a good mechanism to test capability for incident response, identify gaps and make improvements.

Building these capabilities requires people, effective processes, and relevant tools. A CISO should identify gaps, make a plan, request for budget and set targets/goals to build these capabilities.

Subscribe to Blogs

Recent Posts

Posted in InfoSec | Tagged , , , , | Comments Off on Security Hygiene

Third Party Risk Management – Considerations for creating a program standard

What is a Third Party

Third parties generally refer to external entities with whom you enter into contractual agreements to deliver products or services. These external partners may offer essential services to support your business operations or extend services to your clientele on your behalf. Examples of third parties encompass a diverse range of entities, such as internet service providers, financial institutions, software vendors, building maintenance companies, and others.

Reasons for Managing Third Party Risk

  • Breach Liability – A security incident with third parties may impact your business operations. If third parties have access to your data or your customers’s data, you may be liable for handling data breaches that occurred on a third party network.
  • Compliance – Many data privacy regulations require compliance wherever the data is stored, processed and utilized. A third party having access to privacy related data may be part of the scope of work you have to do to meet regulatory compliance.
  • Resilience of Supply Chain – Disruptions in supply chain may be detrimental to your business. Managing third party risk is essential for a reliable supply chain.

Have a Risk Management Program

If you have a corporate information security risk management program, it can provide you a basis for managing third party risk. Managing the lifecycle for third parties is very similar in many ways to managing other information security risks. Make third party risk as part of the overall risk management program and follow a risk management lifecycle starting from risk identification, categorization, assessment, mitigation and closure.

Define Third Party Risk Management Standard and Processes

Building a third party risk management standard should be one of the first steps for CISOs. A standard provides clarity and consistency for all stakeholders and goes a long way towards achieving maturity. Following are some of the components that should be part of the standard.

  1. Clearly define purpose of the standard
  2. Define categories for third parties
  3. Contractual arrangement with third parties
  4. Onboarding and offboarding of third parties
  5. Perform assessments for a third party
  6. Frequently assessments will be performed
  7. Monitoring and oversight of third party risk
  8. Third party compliance management
  9. Define a list of artifacts needed from third parties and the frequency at which these are required.
  10. Define third party “trust levels” and minimum technical requirements for each level. This will help determine which of the third parties can be given access to network, data, and other assets based upon the trust level.
  11. A RACI matrix for all stakeholders

Categorize Third Parties

Some third parties carry significantly more risk than others, and need more attention for risk management. Categorization of third parties may be based upon factors such as:

  • Criticality for business operations – Who is critical to your business processes such that without this third party business will cease to function.
  • Access to data – Who has access to your corporate, employee or your customer data.
  • Direct connectivity to network or Cloud – Who has direct connectivity into your network or to your Cloud environments with possibility of a breach on the third party environment can directly spill over into your environment.
  • Type of relationships with the third party – Do you consume services, use source code or software libraries, use a third party for data processing, and so on.

Based upon these and other factors, you can define a list of categories to prioritize assessments.

Automation and Tools

Historically simple tools such as questionnaires and spreadsheets have been used for third party risk assessment. To reduce management overhead, some information for third parties can be collected and assessed with automated tools and publicly available information.

Subscribe to blog

Recent Posts

Posted in Leadership | Tagged , , | Comments Off on Third Party Risk Management – Considerations for creating a program standard