Cyber Security Scorecard People, Process and Technology Ryan Cloutier CISSP® February 27, 2021

Introductions: Ryan Cloutier, CISSP®, Principal Security Architect for Sourcewell Technology • Over 15 years of experience in Cybersecurity • Cybersecurity advisor to Global Education Privacy Standard • Certified Information Security Systems Professional® • Chairperson of COSN Cybersecurity program • Cybersecurity advisor to Student Data Privacy Consortium • Twitter @CLOUTIERSEC

You can’t protect what you can’t see

It’s all about Risk • What is it • How do we measure it • What's the impact

It’s all about Risk • What's the likelihood • What’s the cost • What can be done

What’s at risk • People • Process • Technology

People, what to know • Security awareness level • What are their role(s) • What can they access

People, what to know • What applications • Do they work remote • BYOD

People, what to measure • Security Awareness • Access • Risk profile

People, what to measure • Device management • Behavior • Traceability

People who are security aware are the key

Process, what to know • Automation 1st • Multi factor • Stick to it

Process keeps you safe • Makes it easier • Improves response time • Increases traceability

Process, what to know • Focus on critical assets • KISS principle • Stick to it

Process, what to build

You can’t measure what you don’t count

Tech, what to know • What you have • Where is it • Who uses it

Tech, what to know • Risk • Incident response • Disaster recovery

Tech, what to measure • Vulnerabilities • Vendors • Updates

Example

Security maturity

How do you measure security maturity? • CIS (Center for Internet Security) • CMMC (Cybersecurity Maturity Model Certification) • CMMI (Capability Maturity Model Index) • Proprietary (Private security firm)

What are you measuring? • Click Rate (Phishing tests) • Ability to identify risk • Knowledge of employees

What are you measuring? • Ability to mitigate risk • Capabilities of IT staff • Alignment to best practice

What are you measuring? • Alignment to compliance • Risk exposure • Defensibility

Is Security in your DNA? • Security first culture • Not an IT problem • It’s about safety

Any questions? Sourcewelltech.org

Thank you! Use the QR Code or link below: http://bit.ly/SWTonlinesecurity • Ryan Cloutier, Principal Security Architect, CISSP® • Ryan.Cloutier@sourcewelltech.org • Sourcewelltech.org