Topic: Breaches Are Everywhere. What's a Good Security Leader to Do?
Summary: Amazingly, despite what our expectation might be, a huge portion of organizations do not have a fully developed Information Security Program. Organizations might be addressing certain areas of cybersecurity that are highly visible, but too often the thoughtful planning, implementation, and ongoing testing of many solutions is just not occurring. Too often we find haphazard purchases, based not on an internal assessment of cultural strengths and weaknesses, but simply in response to vendors showing up and making a pitch for their product. There are so many areas that need a thoughtful understanding of security that it is very easy for organizations to leave gaps to be addressed at some later time.
What about the executive decision makers in organizations? Have they been brought into the discussions on what to secure and what is required? They speak the language of risk. Is this the same language that Security leaders are speaking, or are they still bogged down talking about attacks, tools, and vulnerabilities? My presidency of both the local ISSA and OWASP chapters here in Los Angeles for many years has afforded me the unique ability to interact with many world-class Information Security leaders and gain from them valuable insight into how they have developed Information Security Programs. I will share their experiences and my own, along with the visions and strategies I have used as a CISO for 15 years to combat the ever-increasing rise in cybercrime and the seemingly impossible-to-defend array of attacks that we are seeing today. I will share insight into which controls I have been able to implement and the many different ways I was able to be successful. Personal interactions with various key players in organizations are the basis for success for every information security leader. Yet we often see a lack of this in favor of tools, tools, and more tools. The people problem cannot be emphasized enough, and the role of the CISO as a great communicator and collaborator does not get enough publicity. Speaking of publicity, good security leaders need to be PR people, as selling security is a huge part of any viable plan and deployment of security controls across the entire organization. I will discuss this important facet of any good program and ways to reach across the many business units to get buy-in and support for a culture that includes security. What about testing? How often do organizations test their Disaster Recovery and Incident Response Plans?
BIO: Richard Greenberg, CISSP, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management and Operations, Policy, and Compliance experience has helped shape his broad perspective on creating and implementing Information Security Programs.
Richard has been a Chief Information Security Officer (CISO) for 15 years, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.
Richard is the Founder and CEO of Security Advisors LLC, which offers fully-managed security assessments and network and software penetration testing services that allow organizations to continuously assess their internal and external cyber risk posture, and which helps companies with compliance issues. Richard is an Information Systems Security Association (ISSA) Distinguished Fellow, one of only 64 worldwide, and has received their Honor Roll designation (only 55 worldwide). He has also been selected as a finalist for both the (ISC)2 Americas Information Security Leadership Award in the Senior Information Security Professional category and the Los Angeles Business Journal CIO of the Year in Security.
Richard has served on the OWASP Global Board of Directors, leads the OWASP LA Chapter, and has been Co-Chair of the highly successful AppSec California conferences. Richard is also President of the Information Systems Security Association Los Angeles Chapter and is Chair of their widely recognized annual Security Summit and CISO Forum.
Richard is a published author and has spoken worldwide on Information Security, both individually and on panels.
You may have heard Richard's interview as a Cyber Security expert on Will Ferrell's Ron Burgundy podcast.