Viktor on Digital Evolution


Wednesday 5 April 2017

The first 100 days of the next generation CISO, CISO 360 Congress, Barcelona 5-7 July 2017

The first 100 days of the next generation CISO

Whether you are starting a new job or engaging with a new customer in the role of CISO-as-a-Service, you face the same challenge: how to effectively and efficiently identify the areas of critical importance, establish partnerships with key stakeholders, identify the crown jewels within the organizational value chain, map business risk to technology risk, and finally define and implement a sound information security strategy that makes security a business enabler rather than an obstacle.

Key takeaways:

- Examples of effective communication with key partners such as business process owners, the Chief Internal Auditor/Investigator, the Chief Enterprise Risk Officer, the Legal Advisor, the Chief Finance Officer, the Chief Information Officer, the Chief of Human Resources, the Ethics Officer, the Data Privacy Officer, and others.

- Which documents provide insight into critical business processes and their related crown jewels.

- How to leverage innovative technology and processes, such as machine learning, to identify areas of critical importance and the related key roles.

- How to build a successful security team.

Presentation slides: The first 100 days of next generation CISO

More on CISO 360 Congress.

Sunday 2 April 2017

CISO Challenge: Bridging the Gap between Tactical and Strategic Information Security Risk Management, CISO Summit Middle East, 27 March 2017, Dubai

CISO Challenge: Bridging the Gap between Tactical and Strategic Information Security Risk Management

• Effectively communicating key risk indicators through risk intelligence

• Collecting information on the most important business activities and prioritizing information security program activities accordingly

• Focusing on human-oriented rather than technology-oriented information security

Presentation slides: CISO Challenge: Bridging the Gap between Tactical and Strategic Information Security Risk Management (Viktor Polic, CISO Summit Middle East, Dubai 2017)

CISO Summit agenda

Wednesday 8 February 2017

Presentation on Improving corporate identification and authentication controls by using 2-factor mobile authentication - (ISC)2 Security Congress EMEA 2016, Dublin

Outline:

  • Introduction: the massive data breaches of 2016
  • Threats to credentials:
 - Brute force
 - Credential dumping (pwdump, Mimikatz)
 - Input capture (keylogging)
 - Authentication interception
  • What are the alternatives to passwords?
  • Communication channel segregation reduces the risk that business transaction metadata is collected and potentially misused
  • Solution: a cryptographic protocol built on two separate sub-systems, which externalizes the user's identity from the business transaction
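The outline above lists the threats a second factor is meant to counter (brute force, credential dumping, keylogging and interception) without showing a mechanism. The following is an added example, not code from the slides or from the talk's own two-sub-system protocol: it implements a standard time-based one-time password (RFC 6238, HMAC-SHA1, 30-second steps) as the mobile-side factor, plus the server-side check a practitioner actually needs. The secret below is the RFC's published test key, used only so the outputs can be cross-checked against the RFC; the skew window, the replay guard and the `TotpVerifier` class are this example's own design choices, not something the page prescribes.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment provisions a random per-user secret over a separate channel.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server-side verifier. Two properties matter for the threats listed
    in the outline: the comparison is constant-time (no timing oracle for
    brute force), and each time step is consumed at most once, so a code
    captured by a keylogger or intercepted in transit cannot be replayed
    even while it is still inside the clock-skew window."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS) -> None:
        self.secret = secret
        self.window = window      # accept +/- this many steps of clock skew
        self.step = step
        self.digits = digits
        self.last_accepted = -1   # highest counter already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        now = int(unix_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted:
                continue          # replay guard: never re-accept an older step
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # Client generates a code at t=59 (counter 1); server accepts it once.
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 70))
```

The code space is only 10^8, so the verifier above still needs rate limiting and lockout in front of it; a time-based factor narrows the window an attacker has with a stolen password, it does not make online guessing free. Note also that the secret never leaves the two parties: the business transaction that the login unlocks can be processed by a separate system that sees only the result of `verify`, which is the kind of channel segregation the outline refers to.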

Presentation slides: Improving corporate identification and authentication controls by using 2-factor mobile authentication

Panelist: Cloud security - (ISC)2 Security Congress EMEA, Dublin 2016

PANEL: CLOUD SECURITY

  • Do you really know who has access to your data? How do we manage third parties to ensure full visibility and control of information?
  • What are the lessons learned with cloud security to date - steps/missteps?
  • As Europe undergoes the biggest privacy & security regulatory reforms, how are cloud providers making it easier to embrace new compliance developments?
  • What changes are we likely going to see in cloud agreements? Are the new laws going to improve security in practice? How will this impact the role of the CISO?
  • What consequences to expect in terms of security, privacy?

Chaired by:

   Adrian Davis, Managing Director EMEA, (ISC)²

Panelists:

Jacqueline Johnson, Head of IT Security, Nordea Bank (Denmark)

Gezahegn Tadesse, Chief Technology Officer, Awash Bank (Ethiopia)

Fabio Cerullo, Managing Director, Cycubix Limited (Ireland)

Viktor Polic, Chief of Information Security and Assurance Services, International Labour Organization

Presentation on Using Big Data Analytics for Information Security Risk Management Decision Support - CISO Summit Europe, Copenhagen 2016

Summary: This study explained how information-security key risk indicators depend on heterogeneous data sources, high data volumes and high data velocity, and how large organizations with an international presence and a mix of internal and outsourced IT services struggle to balance risk-monitoring scope against its cost. The case study presented one approach to cost optimization: combining proprietary and open-source big data analytics software on commodity hardware. It also explored why finding and hiring people with the right skills, and establishing partnerships and collaboration, matter as much as the tooling.

Outline:

  • Bridge the gap between tactical and strategic risk management
  • Strategic level: Building risk intelligence capacity:
 - Assembling risk relevant information sources
 - Performing risk data analytics 
    * Risk profiling, clustering risk factors
    * InfoSec – business risk mapping
    * Identifying anomalies
    * Threats data feedback; Reports; Dashboards; Alarms
  • Building risk management knowledge creation engine based on Apache Spark and Tableau for data visualization
  • Spark: Applying machine learning:
 - Principal Component Analysis
 - Local Outlier Factor
 - k-Means analysis
  • Behavior analytics: more examples
  • Next step: Augmented Risk Preparedness - risk contextualization
  • Challenges:

- Develop tools and processes that keep up with data velocity within an acceptable lag time

- Effectively address source data quality

- Find and retain people with right skills

- Improve analytical methodologies (try new, test, simulate, peer review,…)

- Be ready for black swan events (foreseeable, but not expected)
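The outline names Local Outlier Factor as one of the Spark ML techniques used to identify anomalies in risk data but does not show how the score is produced. The block below is an added example and not the talk's Spark code: it is a pure-Python LOF (Breunig et al.'s definition, with the k-distance neighbourhood including ties) run over a constructed per-host feature table. The host names, the two features (failed logins per day, GB of egress) and the threshold of 1.5 are this example's assumptions; real features would need standardizing first, since LOF is distance-based.

```python
import math
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]

# Constructed sample: nine hosts in a tight cluster plus one host whose
# failed-login count and egress volume are both far from the rest.
HOSTS: Dict[str, Point] = {
    "web-01": (0, 0), "web-02": (0, 1), "web-03": (1, 0),
    "app-01": (1, 1), "app-02": (0, 2), "app-03": (2, 0),
    "db-01":  (2, 1), "db-02":  (1, 2), "db-03":  (2, 2),
    "jump-01": (10, 10),
}


def lof_scores(points: Sequence[Point], k: int = 3) -> List[float]:
    """Local Outlier Factor for every point. Scores near 1 mean the point is
    as dense as its neighbours; scores well above 1 mean it is isolated."""
    n = len(points)
    dist = [[math.dist(p, q) for q in points] for p in points]

    # k-distance of each point and its neighbourhood (all points within it,
    # so ties at exactly the k-th distance are all included).
    kdist: List[float] = []
    neighbors: List[List[int]] = []
    for i in range(n):
        others = sorted(d for j, d in enumerate(dist[i]) if j != i)
        kd = others[k - 1]
        kdist.append(kd)
        neighbors.append([j for j in range(n) if j != i and dist[i][j] <= kd])

    # Local reachability density: inverse mean reachability distance, where
    # reach-dist(p, o) = max(k-distance(o), d(p, o)) smooths out small gaps.
    lrd: List[float] = []
    for i in range(n):
        reach = sum(max(kdist[j], dist[i][j]) for j in neighbors[i])
        lrd.append(len(neighbors[i]) / reach if reach > 0 else math.inf)

    # LOF = mean density of the neighbours divided by the point's own density.
    scores: List[float] = []
    for i in range(n):
        mean_nbr = sum(lrd[j] for j in neighbors[i]) / len(neighbors[i])
        if lrd[i] == 0 or math.isinf(lrd[i]):
            scores.append(1.0)      # duplicate points: treat as perfectly normal
        else:
            scores.append(mean_nbr / lrd[i])
    return scores


def flag_anomalies(hosts: Dict[str, Point], k: int = 3,
                   threshold: float = 1.5) -> List[Tuple[str, float]]:
    """Return (host, LOF) pairs above the threshold, most anomalous first."""
    names = list(hosts)
    scores = lof_scores([hosts[h] for h in names], k)
    flagged = [(h, s) for h, s in zip(names, scores) if s > threshold]
    return sorted(flagged, key=lambda hs: hs[1], reverse=True)


if __name__ == "__main__":
    for host, score in flag_anomalies(HOSTS):
        print(f"{host}: LOF={score:.2f}")
```

On this data the cluster hosts score between roughly 0.8 and 1.2 while `jump-01` scores around 9.6; the threshold is a tuning knob that has to be set per feature set, which is the "improve analytical methodologies" challenge above in practice. A Spark implementation would distribute the pairwise-distance step, but the three-stage structure (k-distance, reachability density, ratio) is the same.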

Presentation slides: Using Big Data Analytics for Information Security Risk Management Decision Support

Presentation on Optimizing Information Security Management process with focus on risk management - CISO Summit Europe, Geneva 2015

Outline:

• Risk impact awareness – Perform business impact analysis systematically on all categories of risk with subject matter experts

• Effective risk communication – Ensure that risk metrics and treatment plan recommendations reach risk owners in a timely and unbiased manner directly from risk analysis experts

• Formally integrate information and technology governance with risk management, so that metrics cover both lag indicators (achievement of goals) and lead indicators (application of practice)

• Develop tools and processes to search for unexpected information security events (use analytics on as much data as feasible)

• Perform descriptive and/or predictive data mining to reduce risk uncertainty

• Shift focus to end-points where information is created, stored, processed and consumed

• Identify location of your most critical information and monitor in near-real time

• Focus on quality of software implementation

• Engage data owners in ISMS process (InfoSec role is broker between data owners and data custodians)

 – Information classification
 – Risk analysis and awareness
 – Security assessment and audit
 – Incident management and reporting

• Develop Risk Intelligence taking into account all risk components

 – Vulnerabilities – a standard enumeration exists (CVE)
 – Impact – simpler to quantify in monetary units
 – Threats – only technical threats are comparable
 – Monitor Key Risk Indexes (KRX) once the three risk components above are comparable, as weighted averages of incident occurrence; and likelihoods, or even probabilities?

Presentation slides: Optimizing ISMS: Focus on risk management

Presentation on How to Maintain Proactive Security in the Post-"Heartbleed" "Shell Shock" World with the Case Study: Geneva e-voting system - CISO Summit Asia, Singapore 2014

Outline:

  • Information centric and people centric security
  • Revisiting identity and access management
  • Cryptographic controls risk analysis
  • What should CISOs focus on to ascertain data owners' confidence in information systems and maintain proactive nature of information security management?
  • What aspects of information security management process cannot be outsourced in order to remain in control of data ownership?
  • Holistic approach to information system audit (auditing application, infrastructure, and process) - case study: Geneva e-voting system

Presentation slides: How to Maintain Proactive Security in the Post-"Heartbleed" "Shell Shock" World?

Tuesday 7 February 2017

Presentation on Vulnerability Assessment: Latest Generation of Hybrid Vulnerability Scanners - CISO Summit Middle East, Dubai 2014

Outline:

  • Reducing the effect of the weakest link in the security chain by using automated vulnerability scanning tools on all Internet-exposed systems
  • Increasing the accuracy of assessment by including ethical hacking (pen-testing) assessments
  • Reducing operational costs by using hybrid vulnerability scanners that combine automated scanning with manual ethical hacking

Presentation slides: Vulnerability Assessment: Latest Generation of Hybrid Vulnerability Scanners CISO summit Dubai 2014

Presentation on Data Owner’s Cloud Survival and Exit Strategies - Cloud Security Alliance EMEA Congress, Edinburgh 2013

A Data Owner’s Cloud Survival and Exit Strategies

Outline:

  • Data owners issues
  • Lessons learned from outsourcing
  • Data ownership – the basics
  • Data management activities
  • Data Governance framework
  • Due Diligence in the Cloud
  • Data owners contract needs
  • Data owners risk assessments
  • Metrics for data owners
  • Data owners controls
  • Some encryption issues
  • Preparing for exit

Presentation slides: A Data Owner’s Cloud Survival and Exit Strategies