Hi folks, Ed Amoroso here, and for this video I want to start by first telling
you a little bit about a position that exists in the industry and in business and
in academia called the Chief Information Security Officer, CSO, CISO.
There's a lot of different ways that it's referred to.
I think I may have been the second one ever.
My good friend Steve Katz from the financial services industry here
in New York City,
where we're filming this, showed me in the mid-90s his business card.
And it said, Chief Information Security Officer.
I was working at AT&T at the time,
big telecommunications company here in America.
And I looked at it and I went CISO, wow, that's a cool title.
And he said yeah, and I went back to work and I said, could I be that?
And they said, yeah, yeah be whatever you want.
So I started writing CISO, I think I was the second guy to do it.
But here's what that position is.
It's about the stuff we've been doing in these videos.
It's about doing risk analysis in a structured manner on an organization,
and then making determinations about what to do.
I used to have a boss who used to say to me all the time, he'd say,
like I'd put these big charts up and explain stuff, and I'd be so
proud of myself, and he'd be sitting with his arms folded.
And would say invariably.
So Ed, you've shown me the what.
Now show me the so what.
[LAUGH] He's a little weaker on the so what.
What should we do about it?
Probably anybody could say hey boss, boom boom boom,
look at all these problems we've got, and then have no idea what to do about it.
But this is where we start talking about using threat asset matrices.
Threat asset matrices as the basis for deciding what sort
of security technology or procedures we're going to put in place or
policies to actually deal with the problem.
And again the CISO is the lead person in an organization making that decision.
CISOs, in the old days, were sort of like back office IT folks.
And little by little that position is beginning to bubble up
in the hierarchy in a typical company. It reminds me
of the personnel departments in most companies, say, 50 years ago.
If you go back and read old business books, like one of my favorites
is by one of the guys who ran General Motors for many years, Alfred Sloan.
He wrote a book called My Years with General Motors.
And in the back of his book, actually three of the book but
in the back, the last one, is a bunch of organizational charts
from General Motors in like 1960, and it's so cool to look at,
because you thumb through and you look at the org chart, and
there on the last page, at the bottom,
there's a little group called personnel department, and
you think of it as two people with typewriters typing badges for
new employees, well, what's happened to that position since then?
In the 50 years since then that personnel department became a personnel group,
and then human resources group, and then HR team.
And now can you find a company anywhere that doesn't have a human resources or
people executive probably reporting to the CEO?
It's accepted as so vital that the position is bubbled up.
Information security is going through the same kind of thing.
Where the little IT security group,
a couple of people in the back office typing firewall rules on your first
firewall became an IT group doing antivirus, there's a file a little bit.
And then, they became a bigger group doing something for the CIO.
And then they became a peer to the CIO, as a CISO, and I think inevitably,
you're going to see Chief Security Officers at the top level,
probably reporting to the CEO.
And what is it that they'll be doing?
They'll be mapping assets to threats,
doing risk management projects in each case.
And the output of the risk management will be action.
What is it you're going to do?
And from that action, programs get built and
big systems get put in place, and teams are hired to tend to them.
That's how it works, that's how an organization, a company, an enterprise,
a government, a sector, a country protects itself from cyber attack.
It's not just you whip a firewall in place and
here's how we stop threats to some little thing.
That's security in the small and we will spend some time on that.
For those of you who stick with this and continue on to later videos, [LAUGH] we
are going to get into the nuts and bolts of some very, very, very specific things.
But I think it's important for you to understand the context.
So what we're going to do here and I got
a chart here that just shows the matrix that we had in our previous case study.
And you can see, I've sort of drawn some arrows to where the highs are,
which imply that if you've got a budget now and you're going to do something,
you're going to focus on the high activities and
you're going to do something called the safeguard.
And we'll get into definitions of safeguard later and
the categories and how they work and which are functional, and how they get embedded.
But you should have in your mind this idea that the output of a risk management
activity is in fact action.
If it's not action, you're doing it wrong.
What's the point, right?
Think about it, if I show you a problem, and
we don't have a corresponding solution, then you're probably wasting my time.
So let's kind of recap here.
We said, threat asset matrices were a good way to organize our thinking.
Made sense. Finite set, finite set.
Then we said, each of those different slots is
basically a Risk Management activity, that makes sense.
Then we said, risk management should be something you do in a complete manner,
like Threat Trees and hierarchically decomposing instead of just
willy-nilly doing structured brainstorming and guessing.
You'd rather have a more structured process.
And then from that,
you make some sort of quasi-quantitative determination of risk on a scale of 1-10.
High, medium, low, whatever makes sense.
Whatever sensitivity matches the importance of the system
you're working on.
And then from that, a team will make decisions about what to do and
that's based on how much money is available.
How much cost, how many resources are available to apply to the problem.
That's a complete view of how one goes about doing this.
Now, in a subsequent video we're just going to touch on one sort of
theoretical underpinning of that, that I want to make sure that you understand.
But for now, just keep in mind that the basis for
all of this is the fact that threat asset matrices can be built that are finite.
So I hope this has been useful and I'll see you in the next video.
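The recap above describes a pipeline: a finite threat-asset matrix, a quasi-quantitative score (1-10, mapped to high/medium/low) in each cell, and then a budget-constrained choice of safeguards so that the output is action. The following is an added example that is not part of the lecture or its course materials; every asset, threat, score, safeguard, cost and risk-reduction value is constructed for illustration, and the greedy "most risk reduced per budget unit" selection rule is an assumption of this example, not a method the lecture prescribes.

```python
"""Added example (not from the lecture): turn a finite threat-asset matrix
with 1-10 risk scores into a prioritized, budgeted list of safeguard actions.
All assets, threats, scores, safeguards and costs are constructed."""

from dataclasses import dataclass

# Finite sets of assets and threats (constructed for this example).
ASSETS = ["customer-db", "web-portal", "payroll"]
THREATS = ["ransomware", "credential-theft", "insider-misuse", "ddos"]

# One 1-10 risk score per (threat, asset) cell; constructed values.
MATRIX = {
    ("ransomware", "customer-db"): 9,
    ("ransomware", "web-portal"): 5,
    ("ransomware", "payroll"): 7,
    ("credential-theft", "customer-db"): 8,
    ("credential-theft", "web-portal"): 8,
    ("credential-theft", "payroll"): 4,
    ("insider-misuse", "customer-db"): 6,
    ("insider-misuse", "web-portal"): 2,
    ("insider-misuse", "payroll"): 7,
    ("ddos", "customer-db"): 2,
    ("ddos", "web-portal"): 8,
    ("ddos", "payroll"): 1,
}


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: int            # constructed budget units
    covers: frozenset    # (threat, asset) cells this safeguard mitigates
    reduction: int       # points removed from each covered cell's score


# Hypothetical safeguards; coverage, cost and reduction are assumptions.
SAFEGUARDS = [
    Safeguard("offline-backups", 30,
              frozenset((("ransomware", a) for a in ASSETS)), 5),
    Safeguard("mfa-everywhere", 20,
              frozenset((("credential-theft", a) for a in ASSETS)), 6),
    Safeguard("ddos-scrubbing", 25, frozenset({("ddos", "web-portal")}), 6),
    Safeguard("db-activity-monitoring", 40,
              frozenset({("insider-misuse", "customer-db"),
                         ("insider-misuse", "payroll")}), 3),
]


def rate(score):
    """Map a 1-10 score onto the high/medium/low scale the lecture mentions."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def validate_matrix(matrix, threats, assets):
    """The matrix is finite: every threat x asset cell has exactly one score in 1..10."""
    expected = {(t, a) for t in threats for a in assets}
    missing = expected - set(matrix)
    extra = set(matrix) - expected
    bad = [cell for cell, s in matrix.items() if not 1 <= s <= 10]
    if missing or extra or bad:
        raise ValueError(f"missing={sorted(missing)} extra={sorted(extra)} "
                         f"out_of_range={bad}")


def high_cells(matrix):
    """The cells 'where the highs are', highest score first."""
    return sorted((c for c, s in matrix.items() if rate(s) == "high"),
                  key=lambda c: -matrix[c])


def risk_reduction(safeguard, matrix):
    """Total score points a safeguard removes from the matrix (scores floor at 1)."""
    return sum(matrix[c] - max(1, matrix[c] - safeguard.reduction)
               for c in safeguard.covers if c in matrix)


def plan(matrix, safeguards, budget):
    """Greedy: repeatedly buy the safeguard with the best reduction-per-cost
    that still fits the budget. Returns (chosen names, residual matrix)."""
    residual, chosen, remaining = dict(matrix), [], budget
    candidates = list(safeguards)
    while True:
        affordable = [s for s in candidates
                      if s.cost <= remaining and risk_reduction(s, residual) > 0]
        if not affordable:
            break
        best = max(affordable, key=lambda s: risk_reduction(s, residual) / s.cost)
        for c in best.covers:
            if c in residual:
                residual[c] = max(1, residual[c] - best.reduction)
        chosen.append(best.name)
        remaining -= best.cost
        candidates.remove(best)
    return chosen, residual


if __name__ == "__main__":
    validate_matrix(MATRIX, THREATS, ASSETS)
    print("highs before:", high_cells(MATRIX))
    actions, after = plan(MATRIX, SAFEGUARDS, budget=60)
    print("actions within budget:", actions)
    print("highs after:", high_cells(after))
```

The point of the structure is that the matrix is finite and fully populated (`validate_matrix` rejects a missing cell), the highs are explicit, and the function's output is a list of actions rather than a list of problems. The greedy rule is a simple stand-in for whatever decision process a team actually uses; budgets, dependencies between safeguards and qualitative judgement all change the answer in practice.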