Cyber Security Scorecard People, Process and Technology Ryan Cloutier CISSP® February 27, 2021
Introductions Ryan Cloutier, CISSP® Principal Security Architect for Sourcewell Technology • Over 15 years of experience in Cybersecurity • Cybersecurity advisor to Global Education Privacy Standard • Certified Information Security Systems Professional® • Chairperson of COSN Cybersecurity program • Cybersecurity advisor to Student Data Privacy Consortium • Twitter @CLOUTIERSEC
You can’t protect what you can’t see
It’s all about Risk • What is it • How do we measure it • What's the impact
It’s all about Risk • What's the likelihood • What’s the cost • What can be done
What’s at risk • People • Process • Technology
People, what to know • Security awareness level • What are their role(s) • What can they access
People, what to know • What applications • Do they work remote • BYOD
People, what to measure • Security Awareness • Access • Risk profile
People, what to measure • Device management • Behavior • Traceability
People who are security aware are the key
Process, what to know • Automation 1st • Multi factor • Stick to it
Process keeps you safe • Makes it easier • Improves response time • Increases traceability
Process, what to know • Focus on critical assets • KISS principle • Stick to it
Process, what to build
You can’t measure what you don’t count
Tech, what to know • What you have • Where is it • Who uses it
Tech, what to know • Risk • Incident response • Disaster recovery
Tech, what to measure • Vulnerabilities • Vendors • Updates
Example
Security maturity
How do you measure security maturity? • CIS (Center for Internet Security) • CMMC (Cybersecurity Maturity Model Certification) • CMMI (Capability Maturity Model Index) • Proprietary (Private security firm)
What are you measuring? • Click Rate (Phishing tests) • Ability to identify risk • Knowledge of employees
What are you measuring? • Ability to mitigate risk • Capabilities of IT staff • Alignment to best practice
What are you measuring? • Alignment to compliance • Risk exposure • Defensibility
Is Security in your DNA? • Security first culture • Not an IT problem • It’s about safety
Any questions? Sourcewelltech.org
Thank you! Use the QR Code or link below http://bit.ly/SWTonlinesecurity Ryan Cloutier Principal Security Architect, CISSP® Ryan.Cloutier@sourcewelltech.org Sourcewelltech.org