
BECOME A NEXT-GEN CISO WITH CYBERSECURITY PROGRAM MANAGEMENT AUTOMATION

TODD BOEHLER, VP OF PRODUCT STRATEGY, PROCESSUNITY
ED LEPPERT, CYBERSECURITY, GRC

10 SEPTEMBER 2019
WEBINAR INFO & QUICK TIPS

▪ Audio can be streamed over your computer or via dial-in; numbers and codes are on the left.
▪ International numbers can be located in the PAPERS tab.
▪ Have a question for the speaker? Access the Q&A tab.
▪ Technical issues? Access the HELP tab.
▪ Questions or suggestions? Visit https://support.isaca.org

To receive your CPE Credit:
1. Complete 3 Attendance Checkpoints.
2. Watching the On-Demand recording? Watch from the beginning to the very end.
3. Don’t forget to take the survey available in the MyLearning Portal Transcripts Page!

Use the CREDITS tab to track your Checkpoints.

Use the PAPERS tab to find the following:
1. PDF Copy of today’s presentation.
2. CPE Submission Guide.
Todd Boehler
Vice President of Product Strategy, ProcessUnity

Todd is the Vice President of Product Strategy at ProcessUnity. He has more than 20 years’ experience in product management and strategic roles for leading technology providers. In 2003, his governance, risk and compliance (GRC) startup was purchased by Stellent, which was soon after bought by Oracle Corporation. Todd worked for Oracle for seven years before joining ProcessUnity in 2014. He has extensive GRC experience, working with organizations’ engineering, services and sales teams to develop solutions, enable sales and deliver customer success.

Todd is responsible for collaborating with customers, partners, and internal product teams to develop and deliver high-value risk and compliance solutions. In his role, he drives the company’s cloud services roadmap and defines ProcessUnity’s overall strategic direction.
Ed Leppert
Cybersecurity GRC

Ed Leppert has been working in Information Technology for all of his career, with a focus on Cybersecurity for the past 15+ years. He's worked in information security at Goldman Sachs, Moody's and most recently as Director of Cybersecurity Governance, Risk and Compliance at Dow Jones. He now works independently with organizations, helping them develop their Cybersecurity GRC function, implementing those functions within GRC platforms, and focusing teams on marrying the day-to-day operations of a Cybersecurity team with overall risk management of the program.
About ProcessUnity
Risk & Compliance Automation
▪ Third-Party Risk Management
▪ Policy & Procedure Management
▪ Risk & Compliance Management
▪ Cybersecurity Program Management

99.9% System Uptime
10+ Years Risk & Compliance SIMPLIFIED
94.3% Customer Retention Rate
FOUNDED 2003
HQ: Concord, Massachusetts
Agenda
• The Changing Role of the CISO
• Establishing a Baseline
• What Makes Up a Good Program

The Changing Role of the CISO
The CISO’s Role
• The CISO role will grow and gain respect.
  - PwC found that 71% of consumers studied would stop doing business with a company for giving away their sensitive data without permission — and 69% said they believed companies were vulnerable to attacks.
• The CISO will become an enabler rather than a disabler.
  - CISOs will transition in people's minds to enablers — key consultants in the mandated security elements of development — rather than barriers to product launches.
• Enterprises will embrace CISOs’ teaching function.
  - Willis Towers Watson claims 66% of cyber breaches are caused by employee negligence or malfeasance.

[Chart: the CISO skillset over TIME, shifting from Deep Technical Expertise toward an Executive Management Skillset]

Source: https://www.forbes.com/sites/forbestechcouncil/2019/03/18/the-state-of-the-ciso-role-how-will-it-change-in-2019/#50f953727f27
The CISO’s Organization-Wide Outreach
▪ Cross Functional
▪ Technical Depth & Guidance
▪ Business Recommendation & Policy
▪ Corporate Wide Enablement & Testing
▪ Risk & Compliance Focal Point
▪ Incident Management
▪ Analytics
CISO Supporting Tools

Source: https://foundationcapital.com/cybersecurity-next-trillion-dollar-market/

[Diagram: layered view of the CISO’s cross sectional responsibility]
CISO MGT: Metrics → ANALYTICS; Executive Management → PROGRAM MANAGEMENT
Tools: Threat Intelligence, Endpoint Security, Cloud Security, Application Security, SIEM, …
Organization: Applications, Org, Systems, People, Policy, Networks, Third Parties
Discussion Question 1

How is the office of the CISO prioritizing their role and responsibilities?

▪ Upward visibility?
▪ Emerging threats?
▪ Tools and technologies?
▪ Awareness and accountability?
▪ What else?
Establishing a Baseline
Defining your Cybersecurity Program

[Diagram: program elements and the systems that support them]
Program elements: Organization | Policies | Assets | Third Parties | Training Programs
Analysis layer: Threats | Risks | Control Standards | Assessments
Activities: Threat Reviews | Risk Analysis | Control Reviews | Questionnaires/Tests
Supporting Systems: Enterprise Threats, Risks, NIST CSF, ISO 27001, NIST 800-53, NIST Controls
Assessed entities: Third Party, Systems, Facilities, Application
14 © ProcessUnity, Inc. All Rights Reserved.


Internal Program Assessment
Cybersecurity Assessment Tool (FFIEC): Assessment One: Inherent Risk Profile Matrix

• For each category, assess the level of inherent risk based on the current environment.
• This will involve multiple stakeholders in the organization that understand inventory and configuration.

Internal Program Assessment
Cybersecurity Assessment Tool (FFIEC): Assessment Two: Cybersecurity Maturity Matrix

• Maturity is based on achieving all requirements within a maturity level before advancing.
• Each company can evaluate their maturity differently; however, it is important to cover all aspects.
Assess Current State
(Cybersecurity Assessment Tool example)

▪ Maturity Assessment
▪ Systems Identification
▪ Threat Assessment
▪ Risk Assessment
▪ Control Implementation
▪ Control Testing
▪ Incident Management
Finding the Gaps
Discussion Question 2

What are some approaches for assessing the current state?

▪ Management Buy-in?
▪ Consulting Firms?
▪ Standards and Frameworks?
▪ Committees and Focus Groups?
▪ What else?
What Makes Up a Good Program?
Cybersecurity Program – Overview

Threat Management
▪ Threat/Risk Identification
▪ Risk Tolerance
▪ Impact Analysis
▪ Assets Subject to Threats

Program Development
▪ Controls Inventory
▪ Policies & Standards
▪ Awareness/Training
▪ Controls Effectiveness

Risk Management
▪ Controls & Processes
▪ 3rd Party Due Diligence
▪ Regulatory & Internal Audits

Gaps and Untreated Issues
▪ Risk Registry
▪ Issue Remediation
▪ Risk Acceptance

Reporting & Analytics (spans all four areas)
Cybersecurity Program Components

Threat Landscape
▪ Evaluate and maintain a list of threats, their relevance to the organization, and senior management’s tolerance level/risk appetite – Threat List/Matrix

Asset Management
▪ Inventory and identify key assets that need to be protected

Controls Inventory
▪ Develop a customized set of controls, organized by ISO/NIST/… domains for all major cybersecurity, business continuity and compliance (PCI/SOX) functions

Policy Management
▪ Establish and maintain formal, key policies and supporting process/standards documents

Security Awareness
▪ Security Framework – Domains, audiences, delivery mechanisms, results and evidence

Risk Management
▪ Risk processes which include: Risk Identification, Analysis, Evaluation, Treatment, and Reporting
▪ Users should also be able to select from a list of common risks

Assessment & Issues Management
▪ Create and manage assessments – vendors, applications (assets), controls effectiveness, policy adherence, internal/external audits
▪ Create a questionnaire library. Add dynamic ability to auto-select based on vendor type
▪ Record/track issues from risk assessments, compliance audits, client assurance reviews

Compliance & Audit Support
▪ Manage compliance testing to meet regulatory requirements (SOX/PCI/HIPAA)

Vendor Risk Management *
▪ Identify, assess, and monitor relevant third parties

Business Continuity
▪ Manage BCP Plan documents and test results

Reporting & Metrics
▪ Create pre-defined management dashboards to support monthly and executive level reporting and metrics
Getting Started – High Level Plan
• Define the Organization
• Perform Baseline Assessments
• Assign Organizational Responsibility
• Create an Annual Schedule
• Leverage External Assessments
- SOC / External Audits
- Penetration Tests
- Cybersecurity Screening
• Incorporate Change Management Triggers
Example Annual Schedule
Program Activity Q1 Q2 Q3 Q4
Scoping and Planning ◘
Policy Reviews ◘
Risk Assessment and Mitigation ◘
Threat Analysis and Review ◘ ◘ ◘ ◘
Independent Reviews ◘
Asset/Third Party Assessments ◘ ◘
Control Rating Reviews ◘
Training and Awareness ◘ ◘ ◘ ◘
Issues & Remediation ◘ ◘ ◘ ◘

Cyber Review Triggers

Change Management: Changes to inventoried assets or the organization
New Third Parties: New third parties with access to scoped data
New Threats: Emerging threats identified in industry
Incidents: Actual cyber incidents within the organization
Example Assessment Flow

1. Identify Owners and Scope
   - Cyber Team Reviews Assets and Risks in Scope
   - Cyber Team Reviews Appropriate Owners and Schedule
   - Cyber Team Initiates Assessments
2. Asset/Third-Party Assessment
   - Asset Owners Complete Questionnaire
   - Asset Owners Upload Documentation
   - Cyber Team Reviews the Results
3. Review Results
   - Cyber Team Reviews the Results
   - Cyber Team Analyzes Roll-up to Control Standards
   - Issues/Gaps Identified for Remediation
4. Reporting and Analytics
   - Issues by Asset/Third Party
   - Summarized Control Standard Coverage
   - Prioritized List of Enterprise Threats
• Assessing key assets/third parties should rollup risk to the control
standard that is protecting against the identified threat.

Question 1

Risk Domain 1 Question 2


Asset/Third Party Assessment
Question 3

Risk Domain 2 Question 4 Risk 1

Question 5
Control Standard Risk 2 Threat

Question 1

Risk Domain 1 Question 2 Risk 3

Asset/Third Party Assessment


Question 3

Risk Domain 2 Question 4

Question 5
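The roll-up described in the assessment flow (steps 3 and 4) and in the mapping diagram above, worked as an added example that is not part of the original deck or of the ProcessUnity product. All names (assets, domain, risk and control-standard labels, threats) and the questionnaire answers are constructed; the rule that a "No" answer opens every risk in that question's domain is an assumption chosen to illustrate the chain.

```python
from collections import defaultdict

# Constructed sample mapping (hypothetical labels, not from the deck):
# question -> risk domain -> risk -> control standard -> threat.
QUESTION_DOMAIN = {"Q1": "Domain 1", "Q2": "Domain 1",
                   "Q3": "Domain 2", "Q4": "Domain 2", "Q5": "Domain 2"}
DOMAIN_RISKS = {"Domain 1": ["Risk 1"], "Domain 2": ["Risk 2", "Risk 3"]}
RISK_CONTROL = {"Risk 1": "CS-A", "Risk 2": "CS-A", "Risk 3": "CS-B"}
CONTROL_THREAT = {"CS-A": "Threat X", "CS-B": "Threat Y"}

# Constructed questionnaire results: asset/third party -> {question: "Yes"/"No"}.
ANSWERS = {
    "Payroll SaaS":  {"Q1": "Yes", "Q2": "Yes", "Q3": "No",  "Q4": "Yes", "Q5": "Yes"},
    "Billing App":   {"Q1": "No",  "Q2": "Yes", "Q3": "Yes", "Q4": "No",  "Q5": "Yes"},
    "Backup Vendor": {"Q1": "Yes", "Q2": "Yes", "Q3": "Yes", "Q4": "Yes", "Q5": "Yes"},
}

def issues_by_asset(answers):
    """Step 4, 'Issues by Asset/Third Party': every 'No' answer is an open issue."""
    return {a: sorted(q for q, v in qs.items() if v == "No") for a, qs in answers.items()}

def open_risks(answers):
    """A risk is open for an asset when any question in its risk domain is a gap (assumed rule)."""
    result = defaultdict(set)
    for asset, qs in answers.items():
        failed_domains = {QUESTION_DOMAIN[q] for q, v in qs.items() if v == "No"}
        for domain in failed_domains:
            result[asset].update(DOMAIN_RISKS[domain])
    return dict(result)

def control_coverage(answers):
    """Step 4, 'Summarized Control Standard Coverage': share of (asset, risk) pairs
    each control standard currently protects, rounded to two decimals."""
    total, open_ = defaultdict(int), defaultdict(int)
    opened = open_risks(answers)
    for asset in answers:
        for risk, control in RISK_CONTROL.items():
            total[control] += 1
            if risk in opened.get(asset, set()):
                open_[control] += 1
    return {c: round(1 - open_[c] / total[c], 2) for c in total}

def prioritized_threats(answers):
    """Step 4, 'Prioritized List of Enterprise Threats': threats ranked by the
    number of open (asset, risk) pairs rolling up to them through their control standard."""
    counts = {t: 0 for t in CONTROL_THREAT.values()}
    for risks in open_risks(answers).values():
        for risk in risks:
            counts[CONTROL_THREAT[RISK_CONTROL[risk]]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    print(issues_by_asset(ANSWERS))
    print(control_coverage(ANSWERS))
    print(prioritized_threats(ANSWERS))
```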
Practical Step: Establish a Foundation
▪ Identify Threats: Establish a baseline threat level based on currently known risks.
▪ Build a Risk Register: Document your risks (including likelihood, consequence and impact) and identify which threat(s) they apply to.
▪ Inventory Controls: Identify relevant controls that are part of your Cybersecurity program (select from NIST, ISO, CSF, etc. control frameworks) and associate them to the risks and threats that they can help detect, prevent or mitigate.
▪ Know your Third Parties: Identify, assess, and monitor third parties that expose risk through delivered services.
▪ Connect Policies: Map your controls to policies to ensure your policies are properly enforced.
▪ Assess Risk: Conduct risk assessments against your key assets (vendors, applications, infrastructure) and tie findings to your controls.
▪ Engage your business partners in risk reporting and management: Collaborate with management on common language and scope.
Discussion Question 3

What are you seeing with the current state of cybersecurity in large organizations?

▪ Complexity trends?
▪ Executive management acceptance?
▪ Technology landscape?
▪ Accountability and ownership?
▪ What else?
Discussion Question 4

What considerations are there regarding third parties and a Cybersecurity program?

▪ Outsourced risk?
▪ Extended assessments and remediation activities?
▪ Cybersecurity insurance coverages?
▪ Deeper involvement with Procurement and Legal departments?
QUESTIONS?

Contact ProcessUnity
Thank you for joining us today. To learn more about ProcessUnity and our Cybersecurity Program Management tools, contact us at info@processunity.com.

Todd Boehler
todd.boehler@processunity.com

Visit www.processunity.com for our latest:
PRODUCT DEMONSTRATIONS | BEST-PRACTICE GUIDES | ON-DEMAND WEBINARS

Follow @processunity on Twitter for upcoming webinars and best-practice guides.
This training content (“content”) is provided to you without warranty, “as is” and “with all
faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented in determining the appropriate procedures, tests, or controls.

Copyright © 2018 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may
not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any
means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR