The Five Secrets of High-Performing CISOs

Interesting model and well presented. Here’s my summary:

  • do you promise to safeguard your company’s assets?
  • do other people in your org believe you’ve made that promise?
  • do you have the resources to deliver on that promise? Probably not, so you’ll need to:

“lead without authority” using influence, persuasion, negotiation, conflict management, communication, and education of the organization.

CISOs must have Technical Excellence AND Organization Engagement

8 domains of Technical Excellence

  1. configuration and data protection
  2. Software and vendor security
  3. access control
  4. security awareness and training
  5. analysis and detection
  6. defense
  7. incident response
  8. recovery

7 factors of Organization Engagement (OE):

  1. Get command of the facts: when the board asks “are we ok? are we safe?”
    • reach individual business leaders: how is the business run? what are the crown jewels? what is the risk appetite?
  2. Get the business to own risk
    • have a partner in managing that risk. “Have funded infosec mitigation plans, the business has financial stake in the outcome.”
    • Embrace change agent role: systematically and proactively engage stakeholders at all levels
  3. Embed into key processes
    • you can’t attend every meeting -> be virtually present -> done right, infosec is practiced even when you’re not around
    • find natural allies in legal, audit, change management etc. to add security early into the project
    • don’t wait to be invited to the party
  4. Run infosec like a business
    • credibility, budget, people, projects. Deliver on time on budget
  5. Technical & Business capable team
    • the CISO can’t do it all alone. Build a team considering: technical debt, business knowledge, interpersonal skills
    • a cohesive cyber cadre, not just a team. This is a step further: a unit that is on the same page and brings a consistent message
  6. Communicate the Value
    • how does infosec help the org win and succeed? The answer needs to be broken apart and customized for different stakeholders: how does infosec help them beat competitors and reach their goals? (This isn’t security awareness, swag posters or corporate-speak BS.) Do you have a 30-second elevator pitch for security?
  7. Organize for success
    • are you organized for maximum influence and impact? Younger orgs report exclusively into IT (CIO, CTO…); as the org becomes more established, reporting moves into a risk function

it’s a 5-7 year journey to lead your organization to adopt safe business practices



USENIX Enigma 2016

some quick notes taken while watching the presentation:

Know your network: the devices, the security technologies and the things inside it.

Attackers will often employ people who study the security technology of the devices you use to a very deep level. They end up knowing it better than those who develop it.


Reduce attack surface; red team, pen test and act on the results. Don’t assume a small crack is too small to be found. Attackers are patient and persistent: they’ll keep poking and they’ll wait for windows of opportunity if needed.

Network boundaries have expanded with BYOD, work from home, cloud, and mobile devices that come and go.


Entry vectors: spear phishing, watering hole, known CVEs, SQL injection, 0-day.
Note that it’s not all 0-days; attackers’ persistence and focus will get them in.

Best practices, baselines, credentials. Have processes to know what is normal.

Segmenting, whitelisting.

Lateral movement: how will you detect it? Segment, manage trust.

Defend & improve -> rinse and repeat.
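The two notes above, “have processes to know what is normal” and “lateral movement: how will you detect it?”, are easier to act on with a concrete baseline. The script below is an added illustration written for this page, not material from the talk: it learns which source host normally authenticates to which destination host from a learning-period log, then flags sessions outside that baseline and any source that fans out to several new destinations within a short window. The log format, host names and timestamps are constructed sample data.

```python
"""Baseline-and-deviation check over authentication logs (added example).

Learns the set of (source host, destination host) pairs seen during a
quiet period, then reports new pairs in live traffic and sources that
reach several new destinations in a short window, a common shape of
lateral movement. Log format and hosts are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data). One record per line:
# <ISO timestamp> <src_host> -> <dst_host> user=<name> result=<ok|fail>
BASELINE_LOG = """\
2016-02-01T09:00:00 ws-alice -> fileserver01 user=alice result=ok
2016-02-01T09:05:00 ws-alice -> mail01 user=alice result=ok
2016-02-01T09:07:00 ws-bob -> fileserver01 user=bob result=ok
2016-02-02T09:01:00 ws-alice -> fileserver01 user=alice result=ok
2016-02-02T10:15:00 ws-bob -> mail01 user=bob result=ok
2016-02-02T11:00:00 jump01 -> db01 user=dba result=ok
"""

LIVE_LOG = """\
2016-02-03T09:02:00 ws-alice -> fileserver01 user=alice result=ok
2016-02-03T22:10:00 ws-bob -> ws-alice user=bob result=ok
2016-02-03T22:11:30 ws-bob -> jump01 user=bob result=fail
2016-02-03T22:12:00 ws-bob -> db01 user=bob result=ok
2016-02-03T22:13:00 ws-bob -> mail01 user=bob result=ok
"""


def parse(log_text):
    """Yield (timestamp, src, dst, user, result); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "->":
            continue
        ts = datetime.fromisoformat(parts[0])
        user = parts[4].split("=", 1)[1]
        result = parts[5].split("=", 1)[1]
        yield ts, parts[1], parts[3], user, result


def build_baseline(log_text):
    """Set of (src, dst) pairs observed during the learning period."""
    return {(src, dst) for _, src, dst, _, _ in parse(log_text)}


def find_deviations(log_text, baseline, window=timedelta(minutes=10), fanout=2):
    """Return (new_pairs, fanout_sources).

    new_pairs: every (src, dst, user, result) outside the baseline; failed
    attempts count too, since a failed hop is still a signal.
    fanout_sources: sources with at least `fanout` new destinations inside
    any `window`-long interval.
    """
    new_pairs = []
    new_times = defaultdict(list)  # src -> timestamps of its new-pair events
    for ts, src, dst, user, result in parse(log_text):
        if (src, dst) not in baseline:
            new_pairs.append((src, dst, user, result))
            new_times[src].append(ts)

    fanout_sources = []
    for src, times in new_times.items():
        times.sort()
        # Sliding window: count new-pair events starting at each event.
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= fanout:
                fanout_sources.append(src)
                break
    return new_pairs, fanout_sources


def run():
    """Build the baseline, check the live log, return both findings."""
    baseline = build_baseline(BASELINE_LOG)
    return find_deviations(LIVE_LOG, baseline)


if __name__ == "__main__":
    new_pairs, fanout_sources = run()
    for src, dst, user, result in new_pairs:
        print(f"new pair: {src} -> {dst} ({user}, {result})")
    for src in fanout_sources:
        print(f"fan-out from {src}: possible lateral movement")
```

The baseline is only as good as the period it is learned from: if an intruder is already present while you learn, their hops become “normal”, which is why the talk pairs this with knowing your network well enough to curate that baseline and with segmentation that limits which pairs can exist at all.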

Learning the wrong lessons from Offense (Haroon Meer)

A really interesting talk from Haroon Meer at the t2 conference in Finland (2016)

A collection of points I wrote down while watching it, and that I would like to highlight:

  • Enterprises are still finding out they were hacked because stolen data often ‘self-advertises’ the hack. Where this isn’t the case, enterprises go months or years without knowing
  • Think like an attacker: try thinking like a chef and see how well you do in the kitchen (quoting a post from 2008)
  • the Cargo Cult Science of learning from offense

offense vs defense

  • offense has a tight feedback loop (attacks either succeed or they don’t), whereas defense can think it’s doing something meaningful when actually the only thing that happened is that you haven’t been attacked on your watch yet.
    • defense ends up doing things of very little value, like forcing people to change their password every two weeks
  • offense understands cost better than defense does
    • offense knows the cost of attacking and usually knows the value of the prize it’s after; defense doesn’t necessarily know how the attacker values its information or how much it cost them to attack
  • only have to win once: discovering the offense burns its toolsets and TTPs. see
  • get to choose time & cadence
  • Complexity tends to favor the attacker
  • Attackers’ ability to throw tools away once they are no longer useful
  • Clarity: attackers specialize while defenders do it all
  • attackers write more code. Defenders need to write more stuff: their own tools, relying less on blinking lights and SLAs (I really liked the way Haroon spoke about this one)

defender disadvantages

  • least privilege: people complain about lacking permissions, but no one complains about having too much access
  • enterprise obstacles: defenders’ attitude of “if only they did it right”

defender advantages

  • network awareness: attackers choose when but defenders choose where
  • custom detection: there’s value in things put together by defense; also, there’s value in a little security by obscurity as long as it’s not the only thing you rely on. Add variables that attackers can’t easily guess

what we can do

  • expect breach: how quickly can we detect it, how can we contain it, how can we respond? And KNOW your network
  • Learn your stuff
    • USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers (YouTube video id bDJb8WOJYdA)
  • Build it! Embrace the hackiness, as in: get the solution that works; defense is a series of hacks too.
