InnoTech Dallas

Most businesses have minimal IT resources, and even fewer dedicated security staff, yet are faced with essentially the same breadth of control requirements that larger organizations have been attempting to enable and mature. Threat actors and criminals do not discriminate by size or wait for organizations to get cybersecurity capable. Everyone has a similar mountain to climb, and in need of effective ways of getting more capable faster, more efficiently, and without breaking the bank.

Implementing and operating an information security program is a lot like leading a mountain climbing expedition. Each control in the program is like a group of a climbers: a collection of people, processes and technologies each striving to be capable of reaching a point on the mountain. The CISO, as expedition leader, is trying to help each climber group increase in capability in order to reach higher points on the mountain, with the goal of reaching the peak. Like the expedition, the security program needs a strategy, planning, logistics, and execution. The expedition will have groups (controls) at varying points along the mountain, all needing support, structure, and guidance. The information security program, like the expedition on the mountain, faces condition that are unpredictable and treacherous. When the summit is approached, the sky darkens, the winds increase, and the mountain’s sheer face of rock and ice certainly seem impossible to approach.

What the mountaineer can expect to learn:
• Every expedition has a trek in requiring an evaluation and analysis of current state, strategy for the expedition and a plan to get things moving.
◦ Security framework applications for assessment, gap analysis, and objectives-oriented program goals.
• Planning for the full expedition – finite resources are precious; learn how to obtain and use them wisely.
◦ Strategic planning for developing program maturity to meet risk-oriented priorities.
• When climbing the mountain, sometimes you have to retrace your steps, revert, and try again. Regrouping strategies for when things bog down and for those beginning the climb after the expedition is underway.
◦ Operations expense vs. capital investment for program enablement
◦ Services vs. in-house expertise for program operations
◦ Activity based costing for program activities
◦ Business case for progress and risk management for decision making