CISO workshop slides

A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning.

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):

Aside from my gripes with the example metrics (see below), the remainder of the presentation has a lot of useful information, lots of details, plenty of busy, thought-provoking diagrams and, as I said, an uncommon polish for free slide decks.

Here's a nice, fairly simple example slide that I could happily present and discuss in some depth as part of a workshop or training course:

 

Naturally, the slide deck emphasises Microsoft's own 'security posture', such as:

• IT, cyber and data-centric, virtually ignoring the wider field of information risk and security management (e.g. protecting and exploiting workers' knowledge and other intangible forms of intellectual property) with limited, almost incidental reference to information risk and security management being truly driven by business objectives;
• Hacking and malware i.e. deliberate, malicious and often targeted attacks, downplaying accidental threats (e.g. floods and fires) and other incidents such as human error, theft, sabotage and fraud, plus enterprise risk management as a whole (e.g. financial risk, market risk, compliance risk, strategic risk ....);
  
• Zero-trust - whatever that means to the presenter and audience;
• Cloud - meaning Azure, specifically;
• DevOps and DevSecOps - whatever those terms mean ;
  
• MS threat intelligence including artificial intelligence/machine learning rapid responses to novel malware (a cool idea, provided it works reliably).
  

I'm intrigued by their choice of example Security Scorecard Metrics (slide 63):

These examples supposedly focus on 'continuous improvement' (of what I'm not exactly sure), so let's take a closer look:

1. Business Enablement appears to refer to IT and IT security services 'enabling' the business, although 'Number of security interruptions in user workflow' implies the need to prevent security getting in the way of business, a curious take on 'enable'.
   
   
2. Security Posture suggests a confusing mix of application and account security metrics. I'm really not sure what 'security posture' even means in this context, and curious as to why those two aspects in particular have been selected as example metrics. Other slides in the deck appear to equate 'security posture' to vulnerability management and software/systems patching - a rather narrow/specific technical concern for metrics suggested to senior management, although arguably it is a major factor in cybersecurity - or to security strategy. Personally, I favour a much broader perspective on the organisation's overall posture (meaning its brands, corporate personality, customer perceptions ...) including security-relevant aspects (e.g. being a trusted partner).  Generally, though, the risk management and security arrangements quietly support and enable the business from the inside, as it were, rather than being exposed externally - unless they fail anyway!
   
   
3. Security Response: the example metrics suggest the classical (outdated!) incident-response-and-recovery line i.e. dealing with business discontinuity, although thankfully later slides (#82-85) discuss resilience:
   
   
   
   
   
4. Security Improvement as a category within this set of example metrics all supposedly focused on continuous improvement, confuses me. If these metrics are about improving security, what are the others improving? The example metrics don't help clarify the intent of this category either, referring to 'modernization' and automation (possibly in the realm of security, but not stated), although '# of Lessons learned from internal/external incidents' could indicate security improvements provided they are counted rationally (e.g. is an incident relating to weak passwords counted as just one incident or one per account compromised?).

For me, continuous improvement implies three things that don't exactly sing out from the example metrics:

1. Clarity on the meaning of 'improve' in the present context, implying the need for management to understand what are the key parameters, as well as being able to measure and control/drive them in a positive direction.
   
   
   
2. Some version of the classic Deming-style Plan-Do-Check-Act cycle.
   
   
3. Process maturity, leading naturally towards maturity metrics.
   

So, I have concerns about the overall thrust, the categories and the individual metrics offered as examples ... which is ironic given that the very next slide hints at an altogether better approach:

How is management supposed to achieve those objectives without the corresponding metrics ... or is the previous slide intended to illustrate the selection of metrics for just one of these bullets? How would the others be measured?  What's more, how were these 'key business outcomes' selected for the slide? What about all the other 'key business outcomes' - of which there are many, especially in any sizeable, mature, complex organisation. Even a tiny micro-business has to juggle numerous objectives simultaneously within its finite resources - a significant information risk right there.

All in all, though, it's well worth browsing the slides and thinking about what's included and what's missing, in your own context. In contrast to Microsoft's usual crude in-yer-face full-on marketing, it's a reasonably subtle, well-balanced, comprehensive and interesting presentation. Thank you MS for releasing it.