vCISO Master Class: Build a Security Program From Zero
https://www.youtube.com/watch?v=HC_JKGeEQio
[00:00] Hello team, welcome to my session on Coffee with Prab. Today we're going to discuss how to start information security from scratch as a vCISO.
[00:12] The intent of this video, of this master class, is to talk about, when you join anywhere as a vCISO, how you actually run the information security practice: what is the first step, what is the last step, how you do the costing. Everything we're going to cover in this particular master class.
[00:28] It is the first kind of video which talks about the end-to-end practical approach of the vCISO.
[00:36] I'm sure after this particular video you will get 70% visibility into how a vCISO works in the organization and makes sure it's really working fine.
[00:45] I also added a case study at the end.
[00:47] So without wasting time, let's start with the first part.
[00:50] Thank you.
[01:08] So the question is who can do this, who this content is ideally designed for.
[01:12] So if you are a person who came from an IT governance and GRC background and you want to learn about the vCISO role, this is for you.
[01:14] If you are a person who is doing a transition to vCISO roles from a technical or operational security background, this video is for you.
[01:20] If you are a person who is building vCISO services and offering a structured client delivery practice, this is for you.
[01:24] And if you are a security leader and you are looking for leadership positions and how they work, this is for you.
[01:31] Now, this program basically has 12 modules.
[01:33] We are going to cover about 50 detailed, practically oriented lessons.
[01:35] I'm not going to show you templates, but I will give you a rough idea about them, and instead of five I'm going to cover two case studies because of the timeline, but depending on the video, if you want me to make other videos I can make them.
[02:11] So these are the detailed contents I'm going to cover in this vCISO master class.
[02:13] This is absolutely free.
[02:17] I just need in return your blessings, and if you get any benefit from this content please do share in the comment box, which gives me an idea about how my content is doing in the market.
[02:24] Now when we talk about the vCISO, the modern vCISO: how they think, how they lead, that's the most important part.
[02:37] The most important part from the vCISO perspective is that they are looking to build strategy guidance.
[02:45] Okay, they are doing risk management.
[02:48] They are doing compliance leadership.
[02:51] They make sure they comply with the business legal requirements.
[02:53] But to perform that they need some kind of technical depth; definitely you need technical knowledge.
[02:59] You need business acumen.
[03:02] You need communication skills, and if you're looking to build trust and authority quickly, you need to have effective communication, visible impact and credible relationships.
[03:15] And this is what we're going to cover in the first part.
[03:18] Now when we're talking about the modern vCISO, what does the vCISO do?
[03:23] So a vCISO is a senior security executive who provides strategic security leadership on a fractional, retainer or contractual basis; sometimes you can say it's a permanent role, but sometimes it's not.
[03:38] And the vCISO is not the technical person in the room; they are more like a strategic, effective person, and failing to understand this distinction leads to the single biggest failure mode, because you become the client's most expensive security analyst instead of their most trusted security leader.
[03:52] I will tell you why. Now the company asks you what the best security solution is, and without doing the business acumen, without doing a risk assessment and all that, you simply recommend one vendor-specific solution, which is basically expensive for the customer. So the vCISO is the one... let's say, for example, I will show you with a reference case study.
[04:13] So let's say, for example, this is you, a vCISO. Okay, when we say vCISO I mean virtual CISO. Now you're working for company A, you're working for company B and you're working for company C. Is it clear?
[04:34] If you talk about the CISO, the CISO is the one who comes to the office or works remotely for one office under its payroll. He is an employee of the company. vCISO means not physically but virtually. He will remotely assist the company on some security advisory services. He can represent, or she can represent, the company on behalf of any security meetings. I will show you what the areas are.
[05:03] He can work, or she can work, for company A, company B, company C in parallel because his role is contractual. He's not on the company payroll. So virtually he works for multiple companies and provides them strategic advice.
[05:12] One more important thing: when we talk about any organization, every organization basically has three dimensions. We talk about strategy, we talk about the tactical and we talk about the operational.
[05:22] So the CISO actually works here, who acts like a good communicator, who acts like an advisor to the strategy to explain to them why security is important, and he or she also acts like a subject matter expert to the operations team to tell them what to deploy, when to deploy, how to deploy. Let's say, for example, if you have a DLP, if you have a firewall, if you think from a technical point of view you block everything, but the problem is that that becomes a roadblock from security towards the business.
[05:57] The CISO will guide them, okay, what to allow and what not to allow, just to make sure this operations team aligns with the business. So this is what the CISO role is here.
[06:06] The CISO acts like a subject matter expert to the business team to talk about why security is important, but to explain why security, you should know what the difference is between a firewall and DLP. Unless you know this, how can you explain it? That's why we say good technical depth is definitely required.
[06:21] So you act like a subject matter expert to the business team to explain why security is important, and you act like a subject matter expert to the operations team to explain why this business is important, and you act like a bridge between these two parties from a strategic perspective.
[06:37] So now we're talking about the three core functions a vCISO needs to have in today's industry, because I have not seen much content around that area.
[06:44] Is it clear?
[06:46] So I want to discuss that first.
[06:49] So as we're talking about three core functions every CISO should have, because I have not seen many books talk about this.
[06:54] Okay.
[06:56] So the first is called the strategic function.
[06:59] See, when we say vCISO, vCISO is not a part-time, you know, security manager job.
[07:05] The role exists to do three things that the client's own team usually cannot do itself.
[07:07] Is it clear?
[07:10] And these three functions must be present in every engagement. It's not something where, okay, one is optional or one you can do like that. It's not like that.
[07:19] So the first function is called the strategic function.
[07:21] Now when we say strategic function, what is the meaning of strategic function?
[07:23] The strategic function talks about a very important one, which is called: where is security going? Okay. So where is security going?
[07:36] So this is all about direction, which is the most important knowledge you need to have as a vCISO.
[07:41] So the vCISO's job here is to answer questions that the business cannot answer on its own or a security practitioner cannot answer on their own.
[07:47] Example: where does security need to go, what is the risk appetite, what is the road map, what is the board-level communication, alignment of security with business goals.
[07:51] Let me take an example. If you talk about how much security is enough, okay, given its size, industry, ambitions, that comes from experience, which is given by the vCISO.
[08:13] What will be the two to three year plan, the road map? That comes from a vCISO. How does security support the business goals? You are entering into a new market, you want some kind of assistance; that comes from a vCISO.
[08:23] How is all this going to be explained to the board and CEO in a language they care about? That comes from a vCISO. So that is one of your strategic functions. Without this function security becomes a series of disconnected projects and tools, for example you purchase a tool but you're not using the tool; you went to a conference, you got a best award, why? Because the vendor has given you an award, so you bought a tool there. So tools get bought, audits get cleared, but nobody can answer the simple question: where are we heading? So that will be answered by the vCISO.
[08:26] The vCISO gives clarity about why we need this tool and how this tool is going to be used.
[08:56] Second is called the governance function. The governance function is all about: how do we make security manageable? So the vCISO builds a framework that actually turns security from chaos into a system, and this includes the policy standards, roles, reporting frameworks and everything.
[09:14] Like, policy standards talk about written, approved communication; who owns that, who decides what to escalate, that comes from the roles and responsibilities; forming the committee members, for example a security steering committee, risk committee; creating metrics, a board dashboard that provides visibility about the current security function; and more importantly, compliance alignment: you need to be compliant with DPDPA, GDPR. All those things come under governance.
[09:42] So without this function, security depends entirely on individual heroes.
[09:46] The day a key person leaves, everything will fall.
[09:50] So governance is what makes security survive people.
[09:52] Okay.
[09:53] There is one dedicated video I made on governance.
[09:55] I don't want to spend time on this area.
[09:56] So governance is all about a set of operations.
[09:58] So strategy talks about what, governance talks about how.
[10:02] Third is called oversight.
[10:05] Is this security actually happening? That will be answered by oversight, and this is about assurance.
[10:08] I repeat again: strategy talks about direction, governance talks about structure, and oversight, the most important part, oversight talks about assurance.
[10:32] So the vCISO does not run the firewall. The vCISO does not run the patch server or close tickets.
[10:39] This is what the internal team does.
[10:42] The vCISO's role is to make sure that these things are done correctly and we are able to measure effectively.
[10:47] So that's why, you know, we review the technical controls that are working as designed.
[10:53] We oversee the incident response process.
[10:55] Do we onboard the right vendors?
[10:59] We need to ensure the critical suppliers are reviewed and risks are tracked.
[11:03] We also need to confirm that, you know, the awareness training is running and measured and all that, and we also need to validate whether the audit has been done effectively.
[11:12] So the key line is: the vCISO does not do the work.
[11:15] The vCISO ensures the work has been done correctly and has been measured. Is it clear?
[11:19] Now, why do all three need to work together?
[11:22] Because strategy without governance, okay, is like a vision with no structure.
[11:28] You can have a lot of slides but no progress.
[11:33] Governance without strategy, okay, is just like paperwork without purpose, and both without oversight, okay, is just a beautiful program on paper that nobody is actually running.
[11:44] So a real vCISO holds all three at the same time, and the mix shifts with client maturity: if you have an early-stage client, okay, they need more governance; okay, the growing client needs better strategy; and the mature client needs more oversight. Understood? This is what I have not seen in much content, so that's why I thought I would add this. So the vCISO does not configure the firewall; he is more like a person who acts like an orchestrator between the different activities that are part of the requirement.
[12:22] Next we're going to discuss the core responsibilities of a vCISO.
[12:27] So the question is, when you join any organization as a vCISO... I cannot compare with India; in India 60 to 70% are expecting us to just, uh, pass ISO 27001, ISO 31000, 42001 and all that, but in reality what I have seen in the US, Europe and the Middle East is that the core responsibility of the vCISO, or what he actually owns, is creating a security strategy.
[12:50] That is the first thing; help them to create a risk register.
[12:55] Okay. Build a policy framework, governance structure, roles and responsibilities, and inform everything about what is happening in the organization from an information security point of view.
[13:03] That is something he owns.
[13:07] On the other side, what he oversees, because it is part of a SOC.
[13:11] The SOC is more detective in nature, as we constantly evaluate things and all that.
[13:15] So vulnerability management, whether it is working, what kind of thing he oversees; I have a dedicated slide for that.
[13:22] Make sure we have the right incident response process in place and work with the TPRM team to make sure we see the risks associated with the vendors.
[13:33] He can advise on tool selection, like, you know, which tool we can buy.
[13:37] So sometimes people think, okay, it can be a conflict of interest.
[13:39] He can assist one vendor; definitely it's all about maturity. Definitely a mature vCISO doesn't do all these things.
[13:45] Second, he can sit with the architects and help them with architecture decisions like the placement of solutions, how the data can flow; prepare the company for compliance and all that; and hiring decisions for any security position. But what he doesn't do is pen testing, which we have seen recently happening, SOC analyst work, patch management and security engineering. So this stuff, see, the vCISO doesn't do that. Is it clear? So these are the core responsibilities, what the CISO does in the organization. Let me know in the comment box what you do as a CISO.
[14:17] Okay.
[14:17] Now I will show you a real practice parameter that we follow when we start information security as a practice.
[14:25] Okay.
[14:30] So if you can see, we need to know what the name of the organization is, what the type of engagement is, okay, prepared by, document version and all that.
[14:41] Okay, this is something right now we can skip, or if you're doing a vCISO practice for any mature company, you can follow this process.
[14:47] Okay, so I will first need to understand what type of business they have: name of the organization, type of industry, justification, if they have multiple locations, number of employees, annual revenue, business model, what kind of business industry they are in, what kind of products they are dealing with, what are the primary types, customer base; all that information is important.
[15:11] Because when we're talking about engagement, engagement is normally made in writing.
[15:15] So in the first week you are actually responsible for understanding what is in scope and what is out of scope, and who owns the operational security function. So this written mandate prevents scope creep and role confusion.
[15:30] Okay.
[15:30] So use a one-page engagement charter.
[15:32] Get it signed by the executive sponsor and make sure you review it regularly, quarterly or as regularly as the needs of the business demand.
[15:42] Because the first question to ask any new client is this.
[15:44] Okay.
[15:44] What does success look like to you in 12 months?
[15:48] So the answer tells you everything about the motivations and all that.
[15:50] Is it clear?
[15:52] Never accept a vCISO role without understanding who you will report to.
[15:54] Is it clear?
[15:56] So that is a very important part.
[15:59] So this entire visibility you will get in the engagement mandate.
[16:00] Is it clear?
[16:03] Along with that, you need to map the current security landscape.
[16:05] So before making any recommendation, understand what exists: who owns security today, what tools are in place (is it clear?), what incidents have occurred, what compliance obligations you have, whether we need to comply with GDPR and all that. This mapping takes two to four weeks, or if you want to save this, you can sign the NDA, start the engagement and collect this basic data before you do any kind of execution.
[16:28] The third part is to identify the executive sponsors and build the relationships. So you schedule one-to-one meetings with the executive sponsors and frame security in terms they care about: risk, revenue and all that. And make sure you establish this reporting rhythm. You can set up the monthly executive reports, quarterly board updates, weekly operations check-in from day one, and make sure consistent reporting establishes you as a serious professional and builds trust over time. So these kinds of practices you should do first when it comes to implementation of the vCISO.
[16:58] So I repeat again: engagement mandate, you can have one signed copy, which is like a green signal for you to join; then you try to understand what they have, so that gives you the information about the current state. So this is what I did here. If I show the table here you can see the cover page; I got the visibility about this information. Can you see this live control health summary? Okay. What is the current information? So I get this information, engagement context and all that.
[17:29] Is it clear?
[17:31] So in these meetings you will get what regulatory context they need to follow; that visibility we get, because this basically talks about why they exist, why they need security, which is very important; and then identify the executive sponsors to understand the overall goal and establish the reporting rhythm.
[17:45] So what kind of artifacts do we have to create here? You need to create a vCISO engagement charter which talks about scope, executions, reporting cadence, roles and responsibilities, metrics, and your 30, 60 and 90 day vCISO onboarding plan, and you need an executive sponsor communication template.
[18:01] Make sure you follow the same template for your activity, and a monthly vCISO report template, which I will show you what you need.
[18:09] So when we go to a client, what does the client actually want from you?
[18:13] So there are five triggers. Sometimes what happens is the client onboards the vCISO because there was compliance pressure, um, you know, the customer, auditors or regulator asking for evidence of a security program the company does not have, and that's why they hired you.
[18:29] Second, a recent incident gave them a lesson: we need a CISO.
[18:32] Third, the company is scaling, and this was the same example.
[18:34] What happened with one, uh, chat... there was one, uh, dating company that was scaling the business.
[18:43] But along with that they were not able to scale the security program.
[18:47] And later on what happened, when they got hacked, it impacted the reputation.
[18:51] So as the business is increasing, growth is there, we need to recognize security as a supportive function.
[18:57] Or sometimes what happens, it's a customer requirement: they want to go for SOC 2, 27001.
[19:01] And for that they want a security program to be mandated.
[19:05] And sometimes what happens is the requirement comes from the investors, board members; they want a vCISO for the organization.
[19:13] So these are the multiple triggers we have which can lead to onboarding the vCISO.
[19:19] So you also need to understand your trigger, like what is the reason for the company to hire you. Because here you get the understanding.
[19:29] Okay. But with more understanding you will get what the major reason for that was.
[19:33] So you can plan your strategy around that area only.
[19:37] Is it clear?
[19:38] One more important thing before I jump into next part you need to understand this trigger because that define the client as success.
[19:43] Example they onboarded you for a 27,0001 but their objective doesn't match.
[19:48] they can withdraw you from the project.
[19:50] I have seen lot of VCOs who said I don't know why they have terminated my contract.
[19:54] So you should know what is the seriousness behind that what triggered them to hire you as a VCO.
[20:02] Is it clear?
[20:03] So now the question is do you need to be a CCI, CISP strong technical?
[20:08] No. Before that you need to know some competency.
[20:10] See skill is something you perform.
[20:13] Skill is something you carry and based on that you execute the project.
[20:17] But competency is like a level of knowledge for that skill.
[20:19] So the most important competency, the primary important competency is basically required a business acument.
[20:26] Okay. So a CISO must
[20:29] business acument. Okay. So a CISO must understand how the client make money.
[20:31] understand how the client make money. Okay. Where it face a regulatory risk.
[20:34] Okay. Where it face a regulatory risk. What is the strategic priorities because
[20:36] What is the strategic priorities because security decision should always be made
[20:38] security decision should always be made in the context of business impact. So
[20:40] in the context of business impact. So it's very important you need to know the
[20:42] it's very important you need to know the business equipment. Okay. So let me
[20:43] business equipment. Okay. So let me explain with example. Suppose the fo
[20:47] explain with example. Suppose the fo vizo has recommended 2CR or he
[20:49] vizo has recommended 2CR or he recommended
[20:51] recommended $100 million. Let's say example who
[20:53] $100 million. Let's say example who recommended $100 million
[20:56] recommended $100 million for a company who are doing a business
[20:58] for a company who are doing a business of $110 or the company doing a business
[21:01] of $110 or the company doing a business of 8CR and what tool you recommended
[21:03] of 8CR and what tool you recommended 2CR. It mean 2CR cost for the tool.
[21:08] 2CR. It mean 2CR cost for the tool. Okay. To protect your 8CR business.
[21:10] Okay. To protect your 8CR business. Okay. So it's like a failed at business
[21:12] Okay. So it's like a failed at business equipment. No matter how technically
[21:14] equipment. No matter how technically sound the tool it is the same apply in
[21:16] sound the tool it is the same apply in reverse a VCO. So VCO who underinvest
[21:19] reverse a VCO. So VCO who underinvest because the budget field tied when
[21:21] because the budget field tied when business is actually scaling fast and
[21:23] business is actually scaling fast and expose has failed equally. So what this
[21:26] expose has failed equally. So what this competency required understand the
[21:27] competency required understand the revenue model cost structure growth
[21:30] revenue model cost structure growth strategy which is basically most
[21:31] strategy which is basically most important for the business equipment.
[21:33] important for the business equipment. You also need to know which business
[21:34] You also need to know which business process are crown jewels. You need to
[21:37] process are crown jewels. You need to translate your security decision into
[21:38] translate your security decision into your financial impact because revenue at
[21:41] your financial impact because revenue at the risk, cost of downtime, regulatory
[21:43] the risk, cost of downtime, regulatory penalty all are basically important for
[21:45] penalty all are basically important for that and I [clears throat] always
[21:47] that and I [clears throat] always recommend you know read the balance
[21:48] recommend you know read the balance sheet. Okay. So if you read the balance
[21:50] sheet. Okay. So if you read the balance sheet you get to know how the business
[21:52] sheet you get to know how the business can absorb what it cannot. So if if you
[21:54] can absorb what it cannot. So if if you are a VCSO and you cannot sit in a
[21:56] are a VCSO and you cannot sit in a finance meeting and follow the
[21:57] finance meeting and follow the confirmation the rest of the role become
[21:59] confirmation the rest of the role become academic. So it's very important you
[22:01] academic. So it's very important you need to have a business acument and I
[22:03] need to have a business acument and I always recommend a book MBA 10 days MBA
[22:06] always recommend a book MBA 10 days MBA book which can give you this business
[22:08] book which can give you this business acument understanding. The second is
[22:10] acument understanding. The second is called as a executive communication.
[22:13] called as a executive communication. This is the competency most security
[22:15] This is the competency most security professional underestimate and it
[22:17] professional underestimate and it usually the reason why the viso
[22:19] usually the reason why the viso engagement fail. So we need to explain
[22:21] engagement fail. So we need to explain security posture to CEO in 2 minutes
[22:24] security posture to CEO in 2 minutes board in 10 technical team in hour. So
[22:27] board in 10 technical team in hour. So VCSO must explain the complex security
[22:29] VCSO must explain the complex security posture to a C co in 2 minutes. You need
[22:31] posture to a C co in 2 minutes. You need to explain about why this work, why this
[22:33] to explain about why this work, why this is not work, how it work instead of
[22:35] is not work, how it work instead of teaching them what what what is it
[22:37] teaching them what what what is it clear? So each audience required the
[22:39] clear? So each audience required the different language and you need to have
[22:41] different language and you need to have a different framing for that. So you
[22:44] a different framing for that. So you need to translate the technical reality
[22:46] need to translate the technical reality into business language. That's the first
[22:48] into business language. That's the first most important part. You should know
[22:49] most important part. You should know what CEO actually want to hear. So they
[22:52] what CEO actually want to hear. So they want to hear about decisions.
[22:55] want to hear about decisions. They want to hear about risk.
[22:58] They want to hear about risk. They want to hear about the money. Okay?
[23:02] They want to hear about the money. Okay? Versus
[23:04] Versus they want also a assurance,
[23:07] they want also a assurance, they want a accountability and they want
[23:10] they want a accountability and they want a trend.
[23:12] a trend. Okay? Versus what technical want a
[23:14] Okay? Versus what technical want a clarity, priority, support. Is it clear?
[23:16] clarity, priority, support. Is it clear? So you need to write a one-page board
[23:18] So you need to write a one-page board paper that non-technical director can
[23:20] paper that non-technical director can act on. You need to be very stay calm
[23:23] act on. You need to be very stay calm credible during an incident when
[23:24] credible during an incident when everyone is panicking. So VCSO who
[23:26] everyone is panicking. So VCSO who cannot do this will deliver excellent
[23:28] cannot do this will deliver excellent security work that nobody listen to.
[23:30] security work that nobody listen to. Third is called as risk management
[23:32] Third is called as risk management thinking and it's a very very
[23:33] thinking and it's a very very interesting one. Risk management mean
[23:36] interesting one. Risk management mean that you know not all risk are equal
[23:37] that you know not all risk are equal right and not all risk need to be
[23:39] right and not all risk need to be eliminated and it also depending upon
[23:41] eliminated and it also depending upon industry to industry when you join
[23:42] industry to industry when you join e-commerce availability is a priority
[23:45] e-commerce availability is a priority when you join healthcare confidentiality
[23:46] when you join healthcare confidentiality is a priority. So VCSO must able to
[23:50] is a priority. So VCSO must able to assess risk severity quickly and
[23:52] assess risk severity quickly and prioritize the treatment to help the
[23:54] prioritize the treatment to help the business to take a decision. Is it
[23:56] business to take a decision. Is it clear? Now this is harder than sound.
[23:58] clear? Now this is harder than sound. Okay. So most security professional are
[24:00] Okay. So most security professional are trained on reducing risk not to balance
[24:02] trained on reducing risk not to balance them. A VCO must comfortably saying this
[24:06] them. A VCO must comfortably saying this risk is acceptable. We are not going to
[24:08] risk is acceptable. We are not going to fix this or we're defending their
[24:09] fix this or we're defending their position on the board. So what is the
[24:12] position on the board. So what is the competency here required? The first is
[24:14] competency here required? The first is be comfortable about the uncertaintity.
[24:18] be comfortable about the uncertaintity. uncertaintity and communicating in
[24:20] uncertaintity and communicating in ranges. Communicate in a ranges.
[24:23] ranges. Communicate in a ranges. Communicate in ranges not a false
[24:25] Communicate in ranges not a false precisions. You really need to
[24:27] precisions. You really need to understand about inherent risk. What is
[24:30] understand about inherent risk. What is the inherent risk you have and what is a
[24:31] the inherent risk you have and what is a residual risk? Inherent risk before risk
[24:34] residual risk? Inherent risk before risk assessment risk after risk assessment.
[24:36] assessment risk after risk assessment. Let's say example company has decided to
[24:38] Let's say example company has decided to move data on the cloud. Simply saying
[24:41] move data on the cloud. Simply saying no, it's a bad risk management thinking.
[24:44] no, it's a bad risk management thinking. Okay, let me do risk assessment.
[24:45] Okay, let me do risk assessment. Identify possible risk what we have in
[24:47] Identify possible risk what we have in the cloud like direct you don't have any
[24:49] the cloud like direct you don't have any control you don't have any visibility
[24:50] control you don't have any visibility these are your inherent risk which
[24:53] these are your inherent risk which persist there before doing any
[24:54] persist there before doing any assessment after doing an assessment you
[24:56] assessment after doing an assessment you identify some data we can move but we
[24:58] identify some data we can move but we encrypt the data then we move so you
[25:00] encrypt the data then we move so you mitigate some of the risk and then you
[25:02] mitigate some of the risk and then you move the risk that's called residual
[25:04] move the risk that's called residual risk so you should know this in a plain
[25:06] risk so you should know this in a plain language you should also know when to
[25:08] language you should also know when to recommend mitigation when to recommend
[25:11] recommend mitigation when to recommend transfer and make sure you should resist
[25:14] transfer and make sure you should resist the urging to overengineer. Every
[25:16] the urging to overengineer. Every addition control has a cost. So the VCO
[25:19] addition control has a cost. So the VCO job is to spend the client with the risk
[25:21] job is to spend the client with the risk budget wisely. That's a very important
[25:23] budget wisely. That's a very important part. And last part is basically called
[25:25] part. And last part is basically called as a governance program. Actually we
[25:27] as a governance program. Actually we have a seven. So fourth part is called
[25:28] have a seven. So fourth part is called as a governance program and design. So
[25:31] as a governance program and design. So when we talking about governance program
[25:32] when we talking about governance program design it's a it's another important
[25:34] design it's a it's another important part we have [snorts]
[25:36] part we have [snorts] here. You should have a ability to
[25:37] here. You should have a ability to design the security program end to end
[25:39] design the security program end to end which include the policies and
[25:41] which include the policies and everything and we we should have a
[25:43] everything and we we should have a competency where we can design the
[25:45] competency where we can design the policy standard which are usable. We can
[25:47] policy standard which are usable. We can sequencely implementing so the client
[25:49] sequencely implementing so the client get early value. We can map the program
[25:51] get early value. We can map the program with your regulations. You should know
[25:53] with your regulations. You should know which control deliver outside the value
[25:55] which control deliver outside the value like MFA backup and all that and build
[25:57] like MFA backup and all that and build the governance forum. Okay. because
[25:59] the governance forum. Okay. because security engineer build tool and VCso
[26:01] security engineer build tool and VCso build a system that decide which tool uh
[26:04] build a system that decide which tool uh when to buy and how to buy. So that is
[26:06] when to buy and how to buy. So that is basically the matrix we have. We also
[26:09] basically the matrix we have. We also have another three uh competency. Now
[26:12] have another three uh competency. Now we're going to discuss.
[26:14] we're going to discuss. Now the next matrix um as a fifth matrix
[26:17] Now the next matrix um as a fifth matrix we talk about the stakeholder
[26:19] we talk about the stakeholder management. See as a viso usually has no
[26:22] management. See as a viso usually has no direct reporting to be frank but they
[26:25] direct reporting to be frank but they lead through a influence. they actually
[26:27] lead through a influence. they actually convincing the IT they're convincing the
[26:29] convincing the IT they're convincing the IT team to prioritize you know the
[26:31] IT team to prioritize you know the security because security is a
[26:32] security because security is a non-functional parameter so what is the
[26:35] non-functional parameter so what is the competency required from the stakeholder
[26:37] competency required from the stakeholder perspective is political intelligence
[26:39] perspective is political intelligence you should you should read the room you
[26:41] you should you should read the room you should understand who actually decide
[26:43] should understand who actually decide who blog who is silently powerful so
[26:45] who blog who is silently powerful so that is the most important part second
[26:48] that is the most important part second is you require the empathy I agree the
[26:52] is you require the empathy I agree the most important part is empathy
[26:55] most important part is empathy empathy meaning you need to recognize
[26:56] empathy meaning you need to recognize the IT team uh you know pushing back on
[26:58] the IT team uh you know pushing back on your patches so been difficult they're
[27:01] your patches so been difficult they're protecting an SLA so you have not yet
[27:03] protecting an SLA so you have not yet helped them to rewrite third is patience
[27:06] helped them to rewrite third is patience most visces of win are worn in the
[27:08] most visces of win are worn in the second and third conversion not the
[27:09] second and third conversion not the first so patience required and you
[27:11] first so patience required and you should have a ability to disagree
[27:12] should have a ability to disagree without losing the room okay you're not
[27:15] without losing the room okay you're not having any ego so security advice reject
[27:17] having any ego so security advice reject today must still welcome next quarter so
[27:19] today must still welcome next quarter so VCO who fail here are actually or
[27:22] VCO who fail here are actually or usually are technically excellent they
[27:24] usually are technically excellent they build the right plan present presented
[27:26] build the right plan present presented it well and cannot understand why
[27:28] it well and cannot understand why nothing happened. So answer is almost
[27:31] nothing happened. So answer is almost always they try to lead through a logic
[27:32] always they try to lead through a logic alone. So logic is necessary but it is
[27:34] alone. So logic is necessary but it is not sufficient. Okay. Next is called
[27:38] not sufficient. Okay. Next is called decision making under uncertaintity. See
[27:40] decision making under uncertaintity. See security decisions are never made with
[27:42] security decisions are never made with the complete information. There is there
[27:44] the complete information. There is there is always a missing data points. The
[27:46] is always a missing data points. The actual exploitability of a
[27:47] actual exploitability of a vulnerability. The true risk appetite of
[27:49] vulnerability. The true risk appetite of the board. The real risk likelihood of a
[27:51] the board. The real risk likelihood of a regulator enforcement action. So VCSO
[27:52] regulator enforcement action. So VCSO must comfortably making a
[27:54] must comfortably making a recommendation. Is it clear? So we need
[27:56] recommendation. Is it clear? So we need to convert recommending action with 60
[27:58] to convert recommending action with 60 to 70% audience not waiting for 95% you
[28:02] to 70% audience not waiting for 95% you know stating the uncertainty explicitly
[28:03] know stating the uncertainty explicitly in the language that does not undermine
[28:05] in the language that does not undermine the credibility like you know based on
[28:07] the credibility like you know based on what we know today is the strongest
[28:09] what we know today is the strongest phrase I think adjusting a publicly when
[28:11] phrase I think adjusting a publicly when news information emerge you know
[28:13] news information emerge you know refusing to paralyze by edge cases so
[28:16] refusing to paralyze by edge cases so failure mode the failure mode here is
[28:18] failure mode the failure mode here is not a overcon but you know it's it's
[28:21] not a overcon but you know it's it's dive the function so it is opposite the
[28:22] dive the function so it is opposite the vizo who keep the requesting one more
[28:24] vizo who keep the requesting one more assessment
[28:25] assessment before committing to decision that's
[28:27] before committing to decision that's that's what we need to do. So board lose
[28:30] that's what we need to do. So board lose confidence in those advisor faster than
[28:32] confidence in those advisor faster than they lose the confidence in the
[28:33] they lose the confidence in the occasionally wrong. So that's something
[28:35] occasionally wrong. So that's something you know uh very important you need to
[28:37] you know uh very important you need to consider. And last is called as a
[28:39] consider. And last is called as a document discipline. Every CVC's or
[28:41] document discipline. Every CVC's or recommend on decide observe escalate
[28:43] recommend on decide observe escalate must be documented and this is not a
[28:45] must be documented and this is not a bureaucracy it is a survival because
[28:48] bureaucracy it is a survival because documentation reflect your work decision
[28:50] documentation reflect your work decision logs uh risk acceptance in writing
[28:53] logs uh risk acceptance in writing minutes of meeting evidence trail clear
[28:56] minutes of meeting evidence trail clear hand over pack all those things reflect
[28:58] hand over pack all those things reflect your discipline so discipline most vo
[29:01] your discipline so discipline most vo underestimate is the email or document
[29:03] underestimate is the email or document rule if client verbally accept the risk
[29:05] rule if client verbally accept the risk in meeting it never happen if it's not
[29:07] in meeting it never happen if it's not in writing it cannot be defined in 6
[29:09] in writing it cannot be defined in 6 months
[29:10] months When regulators so viso who follow up
[29:12] When regulators so viso who follow up every meeting with one paragraph email
[29:14] every meeting with one paragraph email summarizing the decision so they always
[29:16] summarizing the decision so they always take everyone in the room including
[29:18] take everyone in the room including themsel and this is a very important
[29:20] themsel and this is a very important competency they need to have otherwise
[29:23] competency they need to have otherwise it is a problem okay and you have to
[29:26] it is a problem okay and you have to consider this matrix properly. So the
[29:29] consider this matrix properly. So the typical competency gap are executive
[29:31] typical competency gap are executive communication stakeholder influence
[29:33] communication stakeholder influence business acument not a technical
[29:35] business acument not a technical knowledge. So they are learnable skills
[29:37] knowledge. So they are learnable skills require the deliverable practice. That's
[29:39] require the deliverable practice. That's a very important part.
[29:41] a very important part. So now the question is how we can build
[29:45] So now the question is how we can build a trust and authority quickly. First is
[29:48] a trust and authority quickly. First is that you know I have seen you know even
[29:51] that you know I have seen you know even you spending 30 60 days
[29:53] you spending 30 60 days and even you're talking about the rest
[29:55] and even you're talking about the rest of engagement the trust has a three
[29:57] of engagement the trust has a three components.
[29:59] components. First is called credibility.
[30:02] First is called credibility. Okay. Second is called reliability and
[30:04] Okay. Second is called reliability and third is called as a intimacy. So when
[30:06] third is called as a intimacy. So when we talking about um
[30:09] we talking about um credibility, credibility is is a very
[30:12] credibility, credibility is is a very important part because it talk about you
[30:14] important part because it talk about you are a subject matter expert. Okay, you
[30:17] are a subject matter expert. Okay, you know what you're talking about.
[30:19] know what you're talking about. Reliability is basically mean you do
[30:22] Reliability is basically mean you do what you say. Okay. Yeah, we can trust
[30:24] what you say. Okay. Yeah, we can trust PRB. Whatever he's saying it come from
[30:26] PRB. Whatever he's saying it come from experience. And third intimacy is all
[30:29] experience. And third intimacy is all about your
[30:31] about your you act in the client interest. Okay,
[30:33] you act in the client interest. Okay, you are not doing something against the
[30:35] you are not doing something against the metrics. So these are the basic
[30:38] metrics. So these are the basic parameter we have that we need to
[30:39] parameter we have that we need to consider. I repeat again credibility as
[30:41] consider. I repeat again credibility as you are a subject matter expert which is
[30:43] you are a subject matter expert which is also called as a competency. Second is
[30:45] also called as a competency. Second is called as a reliability. You do what you
[30:47] called as a reliability. You do what you say. And third most part is called as a
[30:50] say. And third most part is called as a intimacy. Intimacy we talk about your
[30:52] intimacy. Intimacy we talk about your you understand the client special
[30:53] you understand the client special situations. You're not bring your ego.
[30:56] situations. You're not bring your ego. Okay. Oh, I have experience how they can
[30:58] Okay. Oh, I have experience how they can ignore this. So that should not be
[31:00] ignore this. So that should not be there. Okay, that's a very important
[31:02] there. Okay, that's a very important part. So when you're talking about 30
[31:06] part. So when you're talking about 30 days, the first 30 days basically play a
[31:08] days, the first 30 days basically play a very important role actually. So there
[31:10] very important role actually. So there is a one tip and trick which I can
[31:12] is a one tip and trick which I can suggest which I do. Your first week is
[31:15] suggest which I do. Your first week is very important. So be listen, don't
[31:17] very important. So be listen, don't react. That's a very important part.
[31:20] react. That's a very important part. Make meet every stakeholder. Ask about
[31:22] Make meet every stakeholder. Ask about the concern, frustration, priorities.
[31:24] the concern, frustration, priorities. Document everything. make no
[31:26] Document everything. make no recommendation just just observe that's
[31:28] recommendation just just observe that's a very important part second the week
[31:31] a very important part second the week two okay week two is you're going to
[31:34] two okay week two is you're going to assess and validate because now you have
[31:36] assess and validate because now you have a data pointers is it clear that's a
[31:38] a data pointers is it clear that's a very important part so you begin the
[31:39] very important part so you begin the current state assessment share your
[31:42] current state assessment share your observation no conclusions okay uh with
[31:44] observation no conclusions okay uh with the exit responsors the third is called
[31:46] the exit responsors the third is called as a quick win see if you can able to
[31:49] as a quick win see if you can able to mitigate some of the major issues and
[31:51] mitigate some of the major issues and all that so that's something you can try
[31:54] all that so that's something you can try is it clear You can basically provide
[31:56] is it clear You can basically provide some with minimal budget prioritize
[31:59] some with minimal budget prioritize everything reducing the risk deliver at
[32:01] everything reducing the risk deliver at least one so that build the trust and
[32:03] least one so that build the trust and the week four present the initial
[32:05] the week four present the initial security finding brief leadership make
[32:07] security finding brief leadership make them aware about things so that
[32:09] them aware about things so that something is part of the function. This
[32:11] something is part of the function. This is my general recommendation.
[32:14] is my general recommendation. So every organization has a
[32:16] So every organization has a stakeholders. Okay. So you must identify
[32:19] stakeholders. Okay. So you must identify all three groups within the first two
[32:20] all three groups within the first two weeks. Who is the champion? Who is the
[32:22] weeks. Who is the champion? Who is the neutral? Who is the resistor? So if you
[32:24] neutral? Who is the resistor? So if you take example of champion is the exit
[32:26] take example of champion is the exit sponsors compliance legal team
[32:29] sponsors compliance legal team okay they are basically champion the
[32:32] okay they are basically champion the second part when you're talking about uh
[32:34] second part when you're talking about uh we call as a neutral so neutral is
[32:36] we call as a neutral so neutral is basically mean finance team HR operation
[32:39] basically mean finance team HR operation they need to show how security help them
[32:41] they need to show how security help them so you need to be a educator third a
[32:44] so you need to be a educator third a resistor the team who doesn't like you
[32:46] resistor the team who doesn't like you is IT team who see security as a
[32:48] is IT team who see security as a overhead so you need to play with all
[32:51] overhead so you need to play with all three people according to their civil
[32:53] three people according to their civil you know champion they are the one. So
[32:54] you know champion they are the one. So you need to see how you handle them.
[32:57] you need to see how you handle them. Neutral peoples they don't say anything
[32:59] Neutral peoples they don't say anything but you need to balance them and
[33:00] but you need to balance them and resistors how you basically explain
[33:02] resistors how you basically explain them. So your your knowledge thoughts
[33:04] them. So your your knowledge thoughts and everything can be varied. So what is
[33:07] and everything can be varied. So what is the process? Build a simple matrix.
[33:10] the process? Build a simple matrix. Document the name role security
[33:12] Document the name role security attributes why they care about those how
[33:15] attributes why they care about those how security affect the priorities. That's
[33:17] security affect the priorities. That's something we should do. That's that
[33:19] something we should do. That's that should be a first thing. Second is
[33:20] should be a first thing. Second is schedule the listening tour where in the
[33:23] schedule the listening tour where in the first week book 30-minute conversation
[33:24] first week book 30-minute conversation with everyone understand your your only
[33:27] with everyone understand your your only agenda is to understand their
[33:28] agenda is to understand their perspective on security. Don't react
[33:30] perspective on security. Don't react anything. Okay. The third most important
[33:33] anything. Okay. The third most important part is that identify and deliver the
[33:35] part is that identify and deliver the quick win. We just discussed right and
[33:38] quick win. We just discussed right and the fourth most important part deliver
[33:40] the fourth most important part deliver the first security brief. Okay. So right
[33:44] the first security brief. Okay. So right now we are not doing anything. We just
[33:46] now we are not doing anything. We just having a meeting. We categorize the
[33:48] having a meeting. We categorize the people. You don't need to share these
[33:49] people. You don't need to share these things with them. Okay, this is only for
[33:51] things with them. Okay, this is only for your knowledge. Okay, so this is how you
[33:53] your knowledge. Okay, so this is how you can organize the elements. Okay, so you
[33:56] can organize the elements. Okay, so you can schedule the meeting properly.
[33:59] can schedule the meeting properly. So after understanding the organization
[34:00] So after understanding the organization context and priorities, now it's time to
[34:03] context and priorities, now it's time to create a action plan which is called
[34:04] create a action plan which is called strategy. So and before you can build
[34:06] strategy. So and before you can build anything, [snorts] you must know what
[34:08] anything, [snorts] you must know what you have to work with.
[34:10] Assessing the low maturity organization is about looking for everything that is wrong, about understanding the organization's risk profile, identifying the highest-consequence gaps and prioritizing your activity.
[34:22] So when I join any organization as a vCISO, the first thing I want to understand is what business processes are most critical for them. When I shortlist the departments and all that, I mostly ask the question to the CFO, because the CFO is getting the revenue.
[34:36] Second is I need to understand what type of data they have. So if you talk about any organization, we only have three types of data. One is called business data, one is called regulatory data and one is called operational data.
[34:50] So we have three types of data and based on that we take a decision. So business data is your trade secrets, regulatory data is your PII information and operational data is your logs.
[35:01] Third, what are the most likely damaging threats? Based on past history, we can get this information.
[35:08] What current controls do we have, which we can achieve with the help of a gap assessment, and finally what is the highest priority in the gaps?
[35:13] So this initial assessment is not a penetration test. It is not a compliance gap analysis. It is just a business-contextual security review that basically gives the visibility. Is it clear?
[35:25] Now when we drive this assessment we focus on five domains. Okay. The first domain is called governance. Governance is very important because when you structure your assessment, you should do the assessment across the five domains, and this ensures you capture the full picture without disappearing into the technical details.
[35:41] So governance: does the organization have a documented security policy? Because we have to start with the top-down approach. Do they have roles and accountability? Is there a security budget? Who is responsible for security today? That's something we get.
[35:57] Second, do you have a risk assessment procedure? Is there a risk register? Does the board receive the risk reporting?
[36:03] Third, we talk about the compliance. What regulatory and contractual obligations exist? Are you certifying for 27001, GDPR, HIPAA? What evidence of compliance has been collected?
[36:13] Then we look for the operations also, which talks about what technical controls exist: firewall, EDR, MDR, backups, and do we conduct a regular security awareness session? So you can see this document, what we have.
[36:29] So here you can see, when I'm getting this kind of a thing I am able to prioritize: okay, they want to go for certification, so for me also it is a priority. They want a certification first. They had a similar past incident, so I believe they need to establish a good incident response process, risk management process. As the DPDP is coming, they need to be compliant with DPDP also.
[36:51] We believe that, okay, security awareness is important because one of the biggest threats is called the human threat, and zero trust architecture is a secondary priority. But I believe these are basically my first priorities that I need to have, and based on that I have a budget.
[37:05] Now based on that I will build the programs like governance and risk, identity and access management, endpoints, data protection, privacy, security operations. So around that I will build these activities. So according to that I am able to drive the functions. So this is how I can take this element and create a security strategy.
[37:26] So next is that maturity scoring. As I did the assessment I got to know they don't have a formal process. So currently we are in level one.
[37:38] So we have to move from level one to level two where we need some process and procedures. Then we need a process and procedure which needs to be followed commonly throughout the organization. Then we need to introduce metrics to start measuring their effectiveness. And finally we move to the optimization.
[37:54] So this is called the maturity of the security function. We have to do that, and this visibility you will get when you do the gap assessment around your benchmark. Benchmark means these are the areas.
[38:06] Now the universal gaps in a low maturity organization I have seen are: no MFA, no documented incident response plan, things are running on ad hoc shared administrator credentials, no formal offboarding process, onboarding process, and commonly overlooked areas are, you know, the backups are untested, personal data in email, no security awareness training.
[38:26] Do let me know in the comment box what you have seen as the gap in companies when you join. So these are some of the areas I have seen which are a very common trend for the low maturity organization.
[38:38] So the document request list is often more revealing than the documents themselves. So an organization that cannot produce any requested document in 2 weeks has no governance infrastructure. So that's something very important for you to understand.
[38:50] We are still in a stage of understanding the maturity of the organization. Now we are moving to the next part which is called crown jewels.
[39:00] Security cannot protect everything equally. So organizations that try to apply the same level of protection to every system and data set might lead to the overend. It is not possible for you to protect everything with the same parameter, and that is why we need to identify crown jewels.
[39:15] Now what are crown jewels? Crown jewels are like your assets which create value for you. So we have organized the crown jewels by industry, but as I said crown jewels are the assets. Now what is this asset? What does crown jewel stand for? So let's say, for example: data is my crown jewel, system is my crown jewel, processes are my crown jewel, and capability is my crown jewel. Is it clear?
[39:51] So whose compromise would have the most severe impact on the organization's ability to operate, generate revenue, meet the legal and regulatory requirements. Every organization has crown jewels, but they vary significantly from industry to industry.
[40:02] Let's say for example in financial services, customer financial records, trading systems, payment processing, regulatory reporting are the crown jewels. If you're working in healthcare, e-health records, clinical systems, patient billing data are the priority. In SaaS technology, source code, customer product, authentication infrastructure are the crown jewels. In manufacturing, the OT systems, product IP, customer orders, supply chain data are the crown jewels. When you're working in legal and professional services, client files, privileged communication, billing systems are, and in the case of e-commerce, customer PII, order management system are the crown jewels.
[40:37] One more important thing: if you're joining a financial sector, your priority will be integrity and confidentiality over availability; if you're joining an e-commerce, availability is a priority. So whenever you're trying to talk about the controls also, you need to understand the primary intent of the business process. That is something very important.
[40:58] So when you are identifying the crown jewels, you ask some basic questions, because crown jewel identification is the foundation of, you can say, risk-proportionate security. So not all assets are equal, and a security program that treats them as if they were, you know, will be both ineffective and inefficient.
[41:14] So the vCISO's job here is to lead the business in identifying what matters most and classify the assets based on sensitivity and criticality and build the program around that area. One of the most important foundational principles we actually follow is, you can say, we give more attention to the high value assets first. Is it clear?
[41:35] So here you can see the first thing we ask about is unavailability impact. We ask one question: if the asset is unavailable for the next 24 to 48 hours, what will be the impact on the business? Will it have a revenue loss, operation loss, shutdown and all that? On average it will take 24 hours to 48 hours.
[41:49] Second, if the asset is compromised, data is stolen, system corrupted, what would be the worst case outcome? Okay, because see, if you ask every business owner, asset owner, they will say their asset is important. But indirectly asking this question, you will get a better visibility.
[42:05] Third, how attractive is this asset to an adversary, like financial data and all that. And risk appetite is a business decision, not a security decision. Based on this appetite only you take a call. Appetite means the level of risk they accept. So the vCISO informs the decision and the executive team will make it.
[42:21] When we are talking about these crown jewels, okay, I also follow this when I'm doing the assessment. Is it clear? So here what happened? I will also add two more important practices, BIA and risk appetite.
[42:33] Because let's take an example: I joined the organization and the organization told me, okay, one of the businesses is e-commerce. Okay, around the e-commerce there is a web server. So e-commerce is a crown jewel for me, the web server's associated data is a crown jewel for me, data in the web server is a crown jewel for me.
[42:52] So overall I see if this is done it has a big impact, because the CFO told me about the revenue. So BIA basically helped me to identify what is critical, what is not, so that in terms of priority we can protect, and what is the reason for it to go down. That visibility we get from the risk appetite and prioritization.
[43:10] So it is very important that when you list down the crown jewel assets you need to also prioritize which one has more impact and which one has less impact, and further we also need to identify the possible threats and vulnerabilities which trigger that particular impact, because if you don't have that visibility it is a problem.
[43:27] So in my case what I did is I conducted the interviews. I held 30-minute interviews with the CEO, CTO, director, CFO, at least two business units. Okay. And I asked one question: if you had to protect one thing above all others, what are we going to protect? What would be the most damaging if it was stolen or destroyed? That's the first question. So that gives me the insight about their assets.
[43:51] Second is I try to map the critical business processes to the supporting assets. So I create a very simple table. What is the business process? Okay. What is the criticality? High, low, medium. What is the key system? I already showed you the website and all that. What kind of data does it basically hold? Okay. What kind of technology has a dependency, and what is the MTD of the function?
[44:18] So the same thing we have, can you see this: business process, criticality, key system, key data, technology, dependency and RTO and RPO. If you take the example in my case: business process, e-commerce; criticality, very high; key system, web server and database; data, operational data, regulated data; technology, .NET, Apache. Okay, dependency, yes, critical systems. We have MTD of 1 hour because they're giving a commitment, right, of 99% uptime. And all this kind of visibility data we have to create.
[45:07] Then third is that you group the assets into three tiers or two tiers: tier one most critical, tier two less critical. So that's something you do so that according to that you are able to prioritize the security investments.
[45:20] Fourth, validate the asset prioritization with leadership. You know, you need to present the draft crown jewel list and asset prioritization to the executive team for validation, and this conversation frequently reveals surprises, because an asset that IT considers critical the business considers replaceable. So that's something we need to understand.
[45:38] And then you build the asset register. That should be your first program that we need to create. This element we can add in the strategy. So this is how, after this, we create a security strategy.
[45:50] Now security strategy always starts with the business context.
[45:55] Okay. Then we talk about security drivers, like they have enterprise sales. They need to be compliant with DPDPA. They need to be compliant with RBI. They need to ensure cyber insurance. They need a talent culture.
[46:10] Now then I did the current security posture assessment. I found the governance strategy is weak, risk management is weak, compliance and all that. Then I create a framework. So first, business first, then risk proportionality, then blending capability, continual improvement, evidence-based approach, people as the first line. Fine.
[46:29] After that we talk about the landscape. This visibility you will get after doing a risk assessment. Is it clear? So initially you did the risk assessment, you identified some of the top risks, and now you're talking about the strategic plan.
[46:41] So this is your strategic plan, okay: so you need to build a governance program, then you need to have risk management, then you need to have policy compliance, and then you need to have security operations, and then we talk about the culture. So strategy is always a default five-year plan. Okay. Or you can basically create a review annually.
[47:04] So now we are in a stage where we need to create a security program. So sequence-wise, first we create a strategy, then we include the policies, and then based on the policy we introduce a program, like you know we say ISMS program, so it seems like we have a program.
[47:19] So a security program is not a collection of tools. It is a management system which is actually a connection of governance, policy structures, controls, everything, and the vCISO's job is to connect, formalize and systemize those activities. Okay.
[47:30] So the eight pillars of the security program: first is governance.
[47:36] Second is called risk management. That is something basically required. Third is basically called compliance. Okay. Fourth is asset management. Fifth is security operations. Sixth is third party risk. Seventh is people awareness and resilience.
[47:52] If you take the example of any common tendency and all that, this is the very common one which is basically followed by everyone. I repeat again: governance is required. Then second is risk management is required. Third is compliance is required, because we need to be compliant with legal and regulatory.
[48:12] Then we have asset management. We talk about the security operations, third party, which includes what kind of an assessment you need for onboarding the vendor, you need to add the security metrics in that, people awareness, resiliency. This is the expectation.
[48:27] But now the question is how can I implement this program? So to implement the program you need to select some best practices. One, you can use your own experience, or the second is you will use some kind of, you know, frameworks which give you the idea about implementing the controls. Okay.
[48:45] So we have NIST CSF, one of the best programs I can recommend, because it talks about how to build a security program from zero. So you can refer to the NIST CSF 2.0 as a framework. You can go with the 27001 standard. You have CIS Controls. If you're going for attestation, then SOC 2. Or if you are involving it with a lot of AI systems and all that, you can basically add the NIST AI RMF framework.
[49:11] So no security program is designed from scratch in isolation. It is built on the established frameworks that provide you structured completeness and external validation, and the most commonly used frameworks in vCISO engagements are, primarily I have seen in US companies, NIST, because it basically gives a foundation. In the other countries I have seen ISO 27001, which is a starting point for building an information security management program, which is also called a security program.
[49:38] See, the question is, it is always good to start with a framework, because a framework can be customized as per requirement. Is it clear? Let's say for example I want to promote information security practices.
[49:50] promote information security practices. One based on my experience or second is
[49:53] One based on my experience or second is I can refer some benchmark which give
[49:55] I can refer some benchmark which give some clarity and credibility also and it
[49:57] some clarity and credibility also and it helped me to implement things more
[49:59] helped me to implement things more better. So that is the reason I always
[50:02] better. So that is the reason I always go for the industry framework framework
[50:04] go for the industry framework framework which is acceptable in the market
[50:07] and you know, if you are talking about completely from scratch, even the IT function, then on top of it I will first recommend COBIT. COBIT is the IT governance framework. Okay, now let's say, for example, you want to implement the IT function. Let's take an example.
[50:23] Now you want to implement the IT function in the organization. Now how to implement the IT function? What are the things required in the IT function? I need service management. I need InfoSec. I need BCP. I need quality management.
[50:41] Now if I just go by their exclusive standards: service management has a standard called 20000. InfoSec has 27001. BCP has 22301. Quality management has 9001. If you start implementing each and every standard, I will be confused. So what I did, I first adopted COBIT. COBIT actually captures all the necessary practices which are required for running the IT function. They say this is the minimum security practice for information security. There's a minimum practice for quality. There's a minimum practice for service management. So I will follow each and every detailed practice and procedure to implement the things. So my requirement is not to go for certification. I'm just looking to build one kind of a structure.
[51:21] So your framework selection must be driven by the client and regulatory obligations, and your customer base, current maturity and budget. So I, as a CISO, I can only give a recommendation. Is it clear?
[51:33] That's a very important part. So now it's time to create a program. As I said, the security program charter is the foundation document of the security program and defines the program purpose, scope, governance structure, which you create after the strategy. Now I will show you how the program looks like, because the program is something which you execute.
[51:53] You can see the program charter: the information security program applicable for the information assets including cloud, because that is the asset registry we got. Who is the program owner? vCISO, who reports to the executive sponsors. And it is basically in relation to the information security strategy, because the program charter defines how and the strategy talks about why. Then we talk about the board of directors, we have given the information, their roles. Security steering committee, their roles. Security operation reviews, their roles. Risk workshops. These are the AC metrics that we have created.
[52:34] What policy do we need? We document all the policies. Comply with ISO. What is the policy life cycle? What is the boundary security control framework? You know, we are following, we are creating a program charter. We have already done monthly meetings, all things, whatever the gaps we have. Risk management functions. Identity management. Okay, so these are the stuff we added.
[52:59] Then the security operation program. We need a dedicated SOC program, so we add SOC here. So vulnerability management, incident response, classification, security operation metrics, all have been captured. Then how frequently we are doing security awareness, so that is something added in this program. So it's a very important part that we need to talk about after the strategy.
[53:19] So we select the document, you know, based on the client obligations, document why the framework was selected, write the security program charter I have shown you, then we establish the security steering committee. It's a team of all the non-technical and technical team, because we need an independent viewpoint. Then we build the policy framework structure and design the security operation model, and then we create a 12-month program roadmap. So these are the stuff they need to do in this process.
[53:52] So now we are moving to the next part called risk management, because now you need to execute the controls, and to execute the controls you need to first identify the possible threats and vulnerabilities against the assets. And risk management is a driving factor for any kind of initiative. So if you're hiring anyone, if you're firing anyone, when you're prioritizing the controls, you do it purely based on risk management. And risk management is the intellectual core of the vCISO's role, because when we say we need to protect this asset, we need to protect this crown jewel, it is very important to know the likelihood and impact of that area.
[54:22] So when you're doing risk management, it always starts with identifying risk, then we analyze the risk, then we evaluate the risk, and then you treat, and then you monitor. A vCISO who cannot perform credible risk management is not a vCISO. They are a security administrator with a senior title. So risk management is the mechanism with which security priorities are set, the budgets are justified and executives are being informed.
[54:51] There is one dedicated video I made on ERM. You can check that video, and also there is a 27001 risk management video I have in which I talk about how to set the likelihood, how to set the impact. You can check that video because there is no point in discussing the same topic here. Is it clear? So definitely you have to do risk management. But I will give one basic example when you're doing a risk assessment also.
[55:16] It is done in different ways. Some do asset-based risk assessment. Some basically do scenario-based risk assessment. Some basically do process-based risk assessment. And some basically do threat-based risk assessment. So if it's your complex organization, so many assets are there, it is not possible for you to go by the asset base. In that case, you go by the scenario base. If you have so many processes, then you can do process-based risk assessment. I already have two videos. Please do check that. Okay? Because there's no point in discussing it again in my new video. But risk management is a very important stuff which is required for implementation of a control. Now
[56:03] the next important thing. Okay, but if you want, I can give one small sample. So we have an asset. Let's say, for example, we have an asset which is a web server. The threat is called a DoS attack. The vulnerability: no load balancer. Likelihood: as the server is exposed on the internet, the likelihood of attack is high. And impact is always mapped based on three categories: confidentiality, integrity and availability. And then we give the final thing, and then we talk about the final risk.
[56:51] Okay. So as I said, confidentiality is low because it doesn't hold any data. Integrity low, availability high. So overall value I give medium. So the overall value is basically medium. This is how I do the qualitative risk assessment. Okay. And what I did here is a kind of asset-based qualitative risk assessment.
[57:12] Now when we're talking about treating the risk, we have four options. We can basically mitigate, we can accept, we can transfer, we can avoid. Okay. Okay, the most proactive is basically avoid. As I said, how you set the likelihood in the matrix: so likelihood you set based on the rating 1, 2, 3, 4, 5. That is how we set the likelihood, and then we talk about the impact. So 1 to 4 will be low, 20 to 25 is basically critical. So this is how we do that.
[57:41] So when you're doing a treatment, as I said, we have four types of treatment. Mitigate, like you implement the control to reduce the risk. You accept the risk because you believe the control cost is higher than the cost of impact. You transfer the risk to a third party, which is insurance and all that. In my case I always take transfer in that case when the likelihood is low and impact is high. Example: you taking cyber insurance or health insurance. Okay. You went to the gym, you do every activity, but if one thing happens the impact will be high. The hospital cost is very high. So whenever the likelihood is low and impact is basically high, we transfer the impact to a third party.
[58:20] And finally, we also decided to avoid the risk. Avoid the risk basically means you avoid the chance to bring any kind of impact. So that is called avoidance of the risk. So these are the, you know, four metrics we have that we need to consider. Avoidance we do in that case also when we believe that new business is bringing more liability. So let me avoid this issue right now and we will treat it later, or I will discontinue the business right now because the risk value is basically very high. So the vCISO always recommends the treatment options, and it is the business who decides what needs to go further.
[58:55] So I have a process here. Okay. So how can we do that? So I will conduct the 2-hour risk identification workshop where I will use the following structure: 30 minutes on threat landscape, 60 minutes on asset-based risk identification, what could happen if each crown jewel is basically compromised, and then we do the process-based risk assessment where I document all the things in a risk register. Then I will map with the likelihood and impact, we have discussions and all that, and then we document each in a risk register. This is the format we have.
[59:26] Okay, you can full stop this, you can stop this video, pause the video and you can check that. Then we talk about the development of the treatment plan, where we score the risk based on high, low and medium, and finally we present the risk register to the leadership teams. So the tools, the artifacts that we create in this particular stage: risk register, risk identification workshop guide, risk heat map and risk acceptance form. So these are some of the artifacts required in this particular stage, but
[01:00:01] we have some common mistakes that we should avoid in this field. You're building a risk register as a technical exercise, which is wrong. Second is scoring every risk as high or critical. No, you're destroying the credibility. Creating a risk register and never updating it. So make sure the risk register is updated on a monthly basis or depending upon the dynamic environment. You are actually confusing a vulnerability with a risk. Vulnerability is a weakness. Risk is an impact. So this is what I've seen. And presenting the raw risk score to the executive without translating it to the business, so this is
[01:00:31] the biggest mistake we do. So now, after doing a risk assessment, you are able to figure out what controls are required, and as we discussed in the previous section, selecting a framework, now it's time to execute the framework, because all the controls we will be taking from those frameworks only, because based on risk assessment, whatever the gap you identify, definitely that needs to be addressed with the help of controls only.
[01:00:53] So an organization can face multiple compliance obligations, and it is difficult for me to follow all the frameworks, standards and everything. So what we need here is, we will basically check which requirement can be common across the frameworks. So we have ISO 27001, SOC 2, NIST; we have a significant control gap. Let's say, for example, we have an MFA policy. Now by having this you can satisfy the criteria for 27001, NIST, also SOC 2. So select the primary framework based on your client obligations and risk assessment. Then you map the framework with your gap assessment, and then you build your integrated control library, and then you create a compliance calendar.
[01:01:35] So I will show you an example, the template which I did, which can give you a kind of visibility. So if you can see here, I organized everything, because when we are talking about building information security governance, it is around GRC: governance, risk and compliance. So for the governance we have the following things. Then based on that we have asset management. To protect the asset we need identity and access management, and then we are talking about the endpoint, and then we need to discuss further data protection.
[01:02:07] So if you notice here, I have organized everything in a sequence, and it is actually mapped with the respective framework. Is it clear? I repeat again: governance, following stuff, then asset management, because once you have governance, based on that we create assets, we manage the assets. Once you classify the assets we need to protect them, so perimeter security is required. Further we need endpoint security, data protection, security operations. So this is how I created it.
[01:02:34] Okay, so it's up to you, you know, how you define the things. So when you are talking about implementation of controls, the most important part here is the policy. Policy is the foundation for anything, because any kind of initiative you want to introduce in the organization, you need a policy first. So let's say, for example, you want incident management in the organization. Let's take an example. Okay, you want incident management in the organization. The first thing, we need a policy.
[01:03:02] Okay, then you introduce a program. You want patch management in the organization. So first we need a patch management policy, because the policy talks about why we exist. So policy documentation is the starting point for any kind of control implementation we have. So policy is the first thing. Let's say, for example, every system must be protected with a password. So policy is a very high-level statement.
[01:03:27] Okay. So every system must be protected with a password. Okay. Password must be eight characters, because we need to define the standard. Go to Start, Settings, create a password: that is more detailed in nature, which is called a procedure. Good to have, not mandatory in nature, that is called a guideline.
[01:03:45] Okay. So organization security requirement, commitment, high-level statement, management intention, everything comes in the policy. Policy is something which is strategic in nature. Then it is actually backed and supported by the standard. Okay. Which talks about the specific measurable requirement that supports the policy, like MFA must be enabled and all that. Standard is something which talks about the uniformity throughout the organization.
[01:04:09] Okay. So tomorrow if you are in a session, I said, make sure you should come on time. So that's a policy. But the question is, what is the time? 7:00 a.m. So that's a standard. Go to Gmail, check your email invite, click on the Zoom link and then join the session. That is a procedure. Make sure you install the necessary software. That is a guideline. So these are the necessary stuff we have which is required to implement the things. So we create some necessary
[01:04:34] things. So we create some necessary policy when you join as a information
[01:04:36] policy when you join as a information security officer or CISO like
[01:04:38] security officer or CISO like information security policy is the
[01:04:40] information security policy is the umbrella. Second we create a acceptable
[01:04:43] umbrella. Second we create a acceptable use policy. There is a dedicated video I
[01:04:44] use policy. There is a dedicated video I made how to write a policy. Okay, you
[01:04:46] made how to write a policy. Okay, you can check that acceptable use policy.
[01:04:48] can check that acceptable use policy. It's a very common policy do and don't
[01:04:50] It's a very common policy do and don't talk about. Then we have a access
[01:04:52] talk about. Then we have a access control policy. Then we have a instant
[01:04:55] control policy. Then we have a instant response policy. And last but not the
[01:04:57] response policy. And last but not the least we have a data classification
[01:04:58] least we have a data classification handling policy. I repeat again when
[01:05:01] handling policy. I repeat again when you're talking about policy benchmark
[01:05:02] you're talking about policy benchmark policy parameter we based on the five
[01:05:04] policy parameter we based on the five criteria. The first is called
[01:05:06] criteria. The first is called information security policy. Second is
[01:05:08] information security policy. Second is called as a acceptable use policy. Third
[01:05:11] called as a acceptable use policy. Third we have a access control policy. Fourth
[01:05:14] we have a access control policy. Fourth we have a instant response policy and
[01:05:16] we have a instant response policy and fifth is called as a data classification
[01:05:18] fifth is called as a data classification policy. It's a very common policy term
[01:05:21] policy. It's a very common policy term we actually follow. So when you're
[01:05:24] we actually follow. So when you're creating a policy make sure it should
[01:05:26] creating a policy make sure it should not be more than four pages because then
[01:05:27] not be more than four pages because then no one going to read. Make sure you
[01:05:30] no one going to read. Make sure you should not use any kind of a jarens.
[01:05:32] should not use any kind of a jarens. Okay. Third, make it policy in a way
[01:05:34] Okay. Third, make it policy in a way which easy to understand. Policy created
[01:05:37] which easy to understand. Policy created by you definitely but it is approved by
[01:05:39] by you definitely but it is approved by the management. You cannot create and
[01:05:40] the management. You cannot create and approve yourself because it is a
[01:05:42] approve yourself because it is a conflict of interest. And make sure your
[01:05:44] conflict of interest. And make sure your policy talk about the clear requirement
[01:05:46] policy talk about the clear requirement whether it based on the
[01:05:49] whether it based on the any standard legal and everything.
[01:05:51] any standard legal and everything. Another important thing is that someone
[01:05:53] Another important thing is that someone should be accountable for the policy.
[01:05:55] should be accountable for the policy. Okay, that's why management will sign
[01:05:56] Okay, that's why management will sign off. You also need to document the
[01:05:58] off. You also need to document the enforcable you know fail to abide with
[01:06:00] enforcable you know fail to abide with the policy what is the violation
[01:06:01] the policy what is the violation definitely you cannot give punishments
[01:06:03] definitely you cannot give punishments and all that but you need to document
[01:06:04] and all that but you need to document the consequences and you have to publish
[01:06:07] the consequences and you have to publish in a shareepoint with read only so
[01:06:08] in a shareepoint with read only so anyone can read and all that that's the
[01:06:10] anyone can read and all that that's the one thing we have policy default need to
[01:06:12] one thing we have policy default need to review annually or it can be changed
[01:06:15] review annually or it can be changed major change in the case of business
[01:06:16] major change in the case of business impact and all that that's something you
[01:06:18] impact and all that that's something you can do that which is a very common
[01:06:20] can do that which is a very common practice we follow for the policy one
[01:06:22] practice we follow for the policy one more important thing we have to maintain
[01:06:24] more important thing we have to maintain the version history.
[01:06:27] the version history. Every policy document has a version
[01:06:28] Every policy document has a version history. You can check that. So let's
[01:06:29] history. You can check that. So let's say example HR sent a policy 2025
[01:06:33] say example HR sent a policy 2025 policy but today is 2026.
[01:06:36] policy but today is 2026. So today when we HR say please find the
[01:06:38] So today when we HR say please find the revised updated policy which we updated
[01:06:40] revised updated policy which we updated today but in the version history it was
[01:06:43] today but in the version history it was mentioned 2025.
[01:06:45] mentioned 2025. So according to criteria the policy is
[01:06:47] So according to criteria the policy is invalid. So make sure version history
[01:06:50] invalid. So make sure version history need to be updated if you're doing any
[01:06:51] need to be updated if you're doing any kind of a changes in the policy. That's
[01:06:53] kind of a changes in the policy. That's a very important part. And when you're
[01:06:55] a very important part. And when you're creating a policy document, make sure
[01:06:57] creating a policy document, make sure every policy should have a policy
[01:06:58] every policy should have a policy statement,
[01:07:01] statement, policy scope,
[01:07:03] policy scope, where it is applicable, requirement and
[01:07:06] where it is applicable, requirement and approvals because that's a very
[01:07:08] approvals because that's a very important part and during awareness
[01:07:10] important part and during awareness sessions and all that you can also
[01:07:11] sessions and all that you can also educate about the policy. So in my case
[01:07:13] educate about the policy. So in my case what I follow is one of the best
[01:07:14] what I follow is one of the best practices that you build the policy
[01:07:16] practices that you build the policy inventory because if you see this excel
[01:07:18] inventory because if you see this excel sheet you can see in security strategy
[01:07:22] sheet you can see in security strategy and policy register I have documented
[01:07:24] and policy register I have documented all the minimum policies. Can you see
[01:07:26] all the minimum policies. Can you see this?
[01:07:28] this? So I have created all the minimum policy
[01:07:29] So I have created all the minimum policy and also talk about the status and why
[01:07:31] and also talk about the status and why and we have meeting this against some
[01:07:33] and we have meeting this against some benchmark. So you can use such kind of a
[01:07:36] benchmark. So you can use such kind of a inventory to create a policy template.
[01:07:40] inventory to create a policy template. You can when you're talking about the
[01:07:41] You can when you're talking about the policy as I said draft the policy with
[01:07:43] policy as I said draft the policy with audience in mind so they can able to
[01:07:44] audience in mind so they can able to understand and once they understand they
[01:07:47] understand and once they understand they can able to follow that's a very
[01:07:49] can able to follow that's a very important part we need to understand for
[01:07:50] important part we need to understand for the function.
[01:07:53] the function. So next part when you implement the
[01:07:56] So next part when you implement the policy it is a starting point of
[01:07:58] policy it is a starting point of building a governance because you
[01:07:59] building a governance because you address one risk with the help of
[01:08:01] address one risk with the help of policy.
[01:08:02] policy. Next important part is oversight because
[01:08:05] Next important part is oversight because it is now time to do the oversight of
[01:08:08] it is now time to do the oversight of the technical operations that what we
[01:08:10] the technical operations that what we have in the organization. So we have to
[01:08:12] have in the organization. So we have to understand about the security operations
[01:08:14] understand about the security operations because as a VCO here you don't involved
[01:08:18] because as a VCO here you don't involved in doing practical activities but here
[01:08:20] in doing practical activities but here you need to understand about how you
[01:08:23] you need to understand about how you oversight the security operation because
[01:08:25] oversight the security operation because that is part of your operations. Okay.
[01:08:27] that is part of your operations. Okay. So we're going to discuss about several
[01:08:30] So we're going to discuss about several operations of security.
[01:08:33] operations of security. uh the first when you're talking about
[01:08:36] uh the first when you're talking about vulnerability management as a
[01:08:38] vulnerability management as a [clears throat] VCO he doesn't run
[01:08:40] [clears throat] VCO he doesn't run vulnerability you can say management but
[01:08:42] vulnerability you can say management but he oversight he make make sure we follow
[01:08:46] he oversight he make make sure we follow the key SLAs like you know the critical
[01:08:48] the key SLAs like you know the critical patch should be closed in 24 to 48 hours
[01:08:52] patch should be closed in 24 to 48 hours high patch need to be closed in 7 to 14
[01:08:55] high patch need to be closed in 7 to 14 days 30 days no open vulnerability so as
[01:08:58] days 30 days no open vulnerability so as a VCO he need to look to oversight all
[01:09:01] a VCO he need to look to oversight all this thing and make sure he also Check
[01:09:02] this thing and make sure he also Check is the scan conducted regularly um you
[01:09:05] is the scan conducted regularly um you know is the false positive has been
[01:09:08] know is the false positive has been reduced is the false negative have been
[01:09:10] reduced is the false negative have been improved all those things has to be
[01:09:12] improved all those things has to be looked for because by end of the day
[01:09:13] looked for because by end of the day what you uh create it get executed on
[01:09:16] what you uh create it get executed on the operation level and sock is
[01:09:18] the operation level and sock is basically the operation level. Second I
[01:09:21] basically the operation level. Second I have seen recently that okay VC is also
[01:09:23] have seen recently that okay VC is also involved in identity access management
[01:09:24] involved in identity access management because identity is a new parameter.
[01:09:27] because identity is a new parameter. So you will basically check how soon we
[01:09:29] So you will basically check how soon we are revoking, how soon we are giving
[01:09:31] are revoking, how soon we are giving access, what kind of a monitoring
[01:09:32] access, what kind of a monitoring metrics we have for privilege access
[01:09:34] metrics we have for privilege access accounts, lease privileges, what is MFA
[01:09:37] accounts, lease privileges, what is MFA adoption rate we have and quarterly
[01:09:39] adoption rate we have and quarterly access review. These are the stuff we
[01:09:41] access review. These are the stuff we look for when we check for the identity
[01:09:43] look for when we check for the identity access management. Now the next one is
[01:09:45] access management. Now the next one is called as a instant response because if
[01:09:47] called as a instant response because if any incident happen, if there's a
[01:09:49] any incident happen, if there's a failure of preventative control, we need
[01:09:51] failure of preventative control, we need to respond to the incidents. So we need
[01:09:53] to respond to the incidents. So we need to check is the instant response plan is
[01:09:56] to check is the instant response plan is been documented properly. Is a team has
[01:09:58] been documented properly. Is a team has get a defined roles are they conducting
[01:10:01] get a defined roles are they conducting regular tabletop exercise because if you
[01:10:03] regular tabletop exercise because if you comply with certain DPDPA you need to
[01:10:05] comply with certain DPDPA you need to report the breach in 6 hour in India and
[01:10:06] report the breach in 6 hour in India and GDB is 72 hours. So make sure our plan
[01:10:09] GDB is 72 hours. So make sure our plan should be have a proper metrics. We also
[01:10:12] should be have a proper metrics. We also need to include okay how soon we can
[01:10:14] need to include okay how soon we can report incident. How soon we can detect
[01:10:16] report incident. How soon we can detect the incidents. We need to have some this
[01:10:18] the incidents. We need to have some this kind of a dashboards.
[01:10:20] kind of a dashboards. Then we have a G4, G5, G6 which cover
[01:10:22] Then we have a G4, G5, G6 which cover about login, vendor risk and business
[01:10:25] about login, vendor risk and business continuity. So the key question in login
[01:10:27] continuity. So the key question in login is what would we know if we were breach
[01:10:29] is what would we know if we were breach ensure the log source are collected
[01:10:31] ensure the log source are collected review retain
[01:10:33] review retain uh how we onboarding a vendor? What is
[01:10:34] uh how we onboarding a vendor? What is the parameter we are using to assist the
[01:10:36] the parameter we are using to assist the vendors
[01:10:38] vendors and when it come to the business
[01:10:39] and when it come to the business continuity part we also look for how
[01:10:41] continuity part we also look for how regularly we doing a BCP test? Are we
[01:10:43] regularly we doing a BCP test? Are we able to restore the data backups on a
[01:10:45] able to restore the data backups on a respective time frame? So these stuffs
[01:10:47] respective time frame? So these stuffs we actually look when we doing the
[01:10:49] we actually look when we doing the oversight of an operations. Now it's
[01:10:52] oversight of an operations. Now it's time to discuss all these things to the
[01:10:55] time to discuss all these things to the management. How to speak to CEO? How to
[01:10:58] management. How to speak to CEO? How to speak to board? What is the most
[01:11:00] speak to board? What is the most important output we need to present?
[01:11:02] important output we need to present? Because it's not about the policy or
[01:11:03] Because it's not about the policy or risk. It's about the executive
[01:11:05] risk. It's about the executive decisions. So how do you communicate
[01:11:07] decisions. So how do you communicate that basically matter here.
[01:11:10] that basically matter here. So if you ask me every security
[01:11:12] So if you ask me every security communication must work at three layers.
[01:11:15] communication must work at three layers. One is emotional layer. How safe does
[01:11:17] One is emotional layer. How safe does the organation feel or how secure the
[01:11:19] the organation feel or how secure the organation feel with your statements.
[01:11:22] organation feel with your statements. Second is what does the data tell us
[01:11:24] Second is what does the data tell us about our risk? Everything is about your
[01:11:26] about our risk? Everything is about your data. If you giving something on gimmick
[01:11:28] data. If you giving something on gimmick or assumption, it will not work. And
[01:11:29] or assumption, it will not work. And third is what does leadership need to do
[01:11:32] third is what does leadership need to do with those data. So when you're talking
[01:11:34] with those data. So when you're talking about the communication um this is
[01:11:37] about the communication um this is something is a best practices you should
[01:11:38] something is a best practices you should follow. So what should be the board
[01:11:41] follow. So what should be the board brief document we have? So as I said we
[01:11:44] brief document we have? So as I said we can talk about the current security
[01:11:46] can talk about the current security posture. So you should have a 10 to 12
[01:11:48] posture. So you should have a 10 to 12 slides not more than that. One slide
[01:11:51] slides not more than that. One slide talk about your current security
[01:11:53] talk about your current security posture. We talk about your security
[01:11:55] posture. We talk about your security maturity. What is a current status
[01:11:58] maturity. What is a current status discuss only top three risk in a plain
[01:12:00] discuss only top three risk in a plain business language. What could happen
[01:12:01] business language. What could happen likelihood impact? Current treatment
[01:12:03] likelihood impact? Current treatment status. Program progress. What you
[01:12:05] status. Program progress. What you implemented program is a one-year plan
[01:12:07] implemented program is a one-year plan and how much percentage of incident has
[01:12:09] and how much percentage of incident has been reduced. What was happen? how it
[01:12:11] been reduced. What was happen? how it handle lesson learn and decision
[01:12:13] handle lesson learn and decision basically required about specifically
[01:12:15] basically required about specifically what you need to do from the today next
[01:12:17] what you need to do from the today next quarter. So the brief board meeting is
[01:12:20] quarter. So the brief board meeting is very important. Now sometime what happen
[01:12:22] very important. Now sometime what happen you need to communicate the bad news
[01:12:23] you need to communicate the bad news also but make sure you should be very
[01:12:25] also but make sure you should be very careful when you're presenting such kind
[01:12:27] careful when you're presenting such kind of a nudes whatever you submitting it
[01:12:29] of a nudes whatever you submitting it should be come with the proper context
[01:12:31] should be come with the proper context and it short give the proper
[01:12:33] and it short give the proper recommendation you know here is what
[01:12:35] recommendation you know here is what happened here is the impact
[01:12:38] happened here is the impact here is why it has happened you know
[01:12:40] here is why it has happened you know what we have done so far here is what we
[01:12:42] what we have done so far here is what we need to do next here's what need so you
[01:12:44] need to do next here's what need so you should be also come with the action plan
[01:12:45] should be also come with the action plan it's not something okay you should do
[01:12:47] it's not something okay you should do like this no if you're talking about any
[01:12:49] like this no if you're talking about any kind of bad news it should become come
[01:12:51] kind of bad news it should become come with the impact why it is happen what is
[01:12:53] with the impact why it is happen what is the root cause of that how we can move
[01:12:55] the root cause of that how we can move further all those things are basically
[01:12:56] further all those things are basically required
[01:12:58] required and it is something a two to three page
[01:13:00] and it is something a two to three page of report that you need to document
[01:13:02] of report that you need to document [clears throat]
[01:13:03] [clears throat] now what is the consulting mechanics so
[01:13:06] now what is the consulting mechanics so how to structure your services how do
[01:13:09] how to structure your services how do you manage multiple clients which I do
[01:13:12] you manage multiple clients which I do so I'm sharing that part so we deliver
[01:13:14] so I'm sharing that part so we deliver the candles like we have some monthly
[01:13:16] the candles like we have some monthly deliverables
[01:13:17] deliverables okay we have some quarterly deliverables
[01:13:20] okay we have some quarterly deliverables and we have Some annual deliverables,
[01:13:22] and we have Some annual deliverables, monthly deliverables about your status,
[01:13:24] monthly deliverables about your status, about exit security report, log review,
[01:13:26] about exit security report, log review, postures, policy governance, action
[01:13:28] postures, policy governance, action tracking, operational meeting. This is
[01:13:30] tracking, operational meeting. This is more like a combination of strategic and
[01:13:32] more like a combination of strategic and operational. Quarterly, you can deliver
[01:13:34] operational. Quarterly, you can deliver about board security briefing, risk res,
[01:13:37] about board security briefing, risk res, program road map, compliance and all
[01:13:39] program road map, compliance and all that. And annual deliver is basically
[01:13:41] that. And annual deliver is basically all about your full security program
[01:13:42] all about your full security program review, risk assessment that you've
[01:13:45] review, risk assessment that you've refresh, policy framework, strategic
[01:13:47] refresh, policy framework, strategic plan for next 12 months. So these things
[01:13:48] plan for next 12 months. So these things need to be delivered. Sometime what
[01:13:50] need to be delivered. Sometime what happen you are managing multiple
[01:13:52] happen you are managing multiple clients. So if you're handling three to
[01:13:53] clients. So if you're handling three to five clients simultaneously make sure
[01:13:55] five clients simultaneously make sure you should create a calendar plan. So
[01:13:57] you should create a calendar plan. So they can you can have a time
[01:13:58] they can you can have a time allocations. So fix the monthly hour per
[01:14:00] allocations. So fix the monthly hour per client then you can have also have a
[01:14:02] client then you can have also have a client separations where you create a
[01:14:04] client separations where you create a separate document repositories because
[01:14:05] separate document repositories because it is a conflict of interest. If you're
[01:14:07] it is a conflict of interest. If you're working for the similar project make
[01:14:09] working for the similar project make sure you should have a scope discipline.
[01:14:10] sure you should have a scope discipline. Everything which is out of scope request
[01:14:12] Everything which is out of scope request require formal scope. Don't do okay in
[01:14:15] require formal scope. Don't do okay in this course I will do this that and make
[01:14:17] this course I will do this that and make sure you should screen for conflict of
[01:14:19] sure you should screen for conflict of interest before accepting new client you
[01:14:20] interest before accepting new client you let's say example you're working for one
[01:14:22] let's say example you're working for one bank and new customer is also a bank so
[01:14:25] bank and new customer is also a bank so it will not give a very good impression
[01:14:26] it will not give a very good impression to be frank
[01:14:28] to be frank make sure you should demonstrate the
[01:14:30] make sure you should demonstrate the values example your maturity progression
[01:14:32] values example your maturity progression like you know before I join as a CEO now
[01:14:34] like you know before I join as a CEO now what is the thing before I join what was
[01:14:36] what is the thing before I join what was the risk right now current state of risk
[01:14:39] the risk right now current state of risk compliance achievement that's another
[01:14:40] compliance achievement that's another important part uh by introducing my
[01:14:44] important part uh by introducing my security enabler what is the business we
[01:14:45] security enabler what is the business we got and what we can avoid the cost and
[01:14:48] got and what we can avoid the cost and everything so that is why I said you
[01:14:50] everything so that is why I said you know writing does not mean happen go
[01:14:53] know writing does not mean happen go look and verify this is a statement we
[01:14:54] look and verify this is a statement we follow in the information security
[01:14:56] follow in the information security governance and that's why we need a good
[01:14:58] governance and that's why we need a good matrix matrix are the way you can able
[01:15:00] matrix matrix are the way you can able to track entire program entire
[01:15:02] to track entire program entire activities and all that that something
[01:15:04] activities and all that that something is part of the program so here also you
[01:15:05] is part of the program so here also you can see I have created this kind of a
[01:15:07] can see I have created this kind of a matrix security program maturity policy
[01:15:10] matrix security program maturity policy view
[01:15:13] view secure retaining completion rate, budget
[01:15:15] secure retaining completion rate, budget utilization, open critical risk. So this
[01:15:18] utilization, open critical risk. So this is basically important and then we have
[01:15:19] is basically important and then we have a program tracker.
[01:15:22] a program tracker. Okay. And this is basically my security,
[01:15:25] Okay. And this is basically my security, [clears throat] maturity, gap
[01:15:26] [clears throat] maturity, gap assessment. After implementing what is
[01:15:28] assessment. After implementing what is the thing we have and then we have a
[01:15:30] the thing we have and then we have a risk registers and everything. Okay. So
[01:15:33] risk registers and everything. Okay. So CISO metrics are very important because
[01:15:35] CISO metrics are very important because it give the insight and from there you
[01:15:37] it give the insight and from there you extract the data and present to the
[01:15:38] extract the data and present to the management. So how to build matrix? I
[01:15:40] management. So how to build matrix? I have a d there is a detailed video on
[01:15:42] have a d there is a detailed video on how to build KPI KI from scratch. You
[01:15:45] how to build KPI KI from scratch. You can check that. So three KPIs are there.
[01:15:47] can check that. So three KPIs are there. One is called key performance
[01:15:49] One is called key performance indicators.
[01:15:51] indicators. Key performance indicators which talk
[01:15:52] Key performance indicators which talk about how well the program perform
[01:15:54] about how well the program perform against objective. Example 9% of the
[01:15:56] against objective. Example 9% of the critical vulnerability patch within SLA.
[01:15:58] critical vulnerability patch within SLA. So we have some objectives based on that
[01:16:00] So we have some objectives based on that we define things. Second is called as a
[01:16:03] we define things. Second is called as a KI key risk indicators which about lead
[01:16:06] KI key risk indicators which about lead indicator of increasing risk which is
[01:16:07] indicator of increasing risk which is worn before problem occur like unpatch
[01:16:09] worn before problem occur like unpatch critical vulnerability count trending
[01:16:11] critical vulnerability count is trending upward for three consecutive months, we have to increase the patching. And the third is called operational metrics, which measure the health of the security operations and all that. Moreover, you can have only KPIs that basically cover everything.
[01:16:27] Now one thing we need to understand is, when you are creating a CISO metrics dashboard report, okay, you should talk about the security maturity score. You talk about your open critical risks. You talk about the critical vulnerability patch rate, MFA adoption, security incidents, training completion rate.
[01:16:42] So metrics can be created as per what you have. Don't create any fancy metrics which can unnecessarily create trouble for you, even for the customer. So make sure, whatever the way you are creating a metric, it should give clarity.
[01:16:58] So I will show you one use case. Okay, I have five, but I will show you a limited use case.
[01:17:02] So the first use case: we have TechLaunch HQ, one startup company (I don't know whether it exists, I just used one gimmick word), a 65-person SaaS startup, Series A. Trigger: investor required SOC 2 Type 2 before Series B. Maturity level B.
[01:17:19] So the key finding was: no policy, no MFA, [snorts] shared admin credentials, no RBAC. So this is what we get from the gap assessment.
[01:17:24] So we create a roadmap, we create a first program charter, involve the SOC 2 auditor for engagement, build the policy framework.
[01:17:35] Then we will go for SOC 2 controls, where we include the access management and all that. We did the observation, awareness training, and the SOC 2 audit has been passed.
[01:17:42] So my objective of hiring: they have to hire me because they want to pass. So that was the pressure. Remember we discussed in the first slide: pressure. SOC 2 was basically the goal and we made it.
[01:17:52] Second is Midwest manufacturing: 450 employees, Tier 2 automotive supplier, ransomware encrypted 70% of systems, no MFA, flat network. So 90 days priority: implement MFA, enable EDR, phishing simulation, network segmentation has been implemented, and they basically did that.
[01:18:10] So this is one of the case studies we have that we are talking about. Okay.
[01:18:14] Now the question is how to become a successful vCISO professionally. First, as I said, you need to have business management, where you need to think about P&L thinking, contract negotiations and all that.
[01:18:26] Second is you need to have consulting discipline, project management, deliverables, quality, timeline, good documentation. It should not look like AI-generated content.
[01:18:36] Third, leadership presence, authority without organizational power. So you need to show how you basically lead the team and all that.
[01:18:42] You need to have good communication, master written skills and all that, and make the risk-based recommendations which we already discussed in the previous section.
[01:18:48] Now the cost varies. Okay. So if you have an entry-level vCISO, for example you have 10 years of experience and your first project is a freelance project, you can make around 1 to 2.5 lakh per month. An experienced vCISO can go up to four to five, and a senior vCISO goes to five lakhs. It's all about how you define the price. This is what I have seen as per the market trend.
[01:19:09] So credibility: CISSP, CISM, CISA you can have, because if you have an active certification it can build the quality. Track record of documented client outcomes, testimonials, a good strong presence on LinkedIn and social media. These are some of the activities we have.
[01:19:24] And information from one client never share with another, you know, to impress the new customer by sharing the previous one. Don't do that. Don't involve in any project which has a conflict of interest, and advice should always be given in the client's best interest. It should not be vendor specific; it should be vendor neutral. So that's something you should do.
[01:19:42] So some of the templates we need to create: engagement charter. Okay. Security assessment questionnaire, risk register template, policy library, board deck, security metrics, compliance gap, tabletop, crown jewel identification worksheet and 30 to 60 days work plan. So this is something we had.
[01:20:00] So this is the summary. We discussed the foundation, talked about the assessment, we designed the program. We talked about the risk management framework. We talked about the policies, operations, communications, delivery metrics, case study and your practice.
[01:20:14] I really put a lot of effort in building this content. Do let me know in the comment box how you find the video and shall I bring some more interesting things on AI security. Your feedback is most important for me.
[01:20:26] And if you are finding this video useful, do share in your network and do subscribe to the channel and click on the bell icon to make sure you do not miss the future videos on a similar topic. Good day. Bye.