
All Quiet On The Western Front: Your First 100 Days As A CISO - Jim Djoka

BSides Tirana · 17:09 · 60 views · Published 2023-11
Category: Career
Style: Talk

Transcript [en]

So, I don't know if you've seen the movie. Okay, that's a great movie, I love that picture too, by the way. So, "All Quiet on the Western Front: your first 100 days as a CISO". My name is Gazim Djoka, as you can tell or imagine I'm of Albanian origin, also known as Jim Djoka, because, well, they have some difficulties pronouncing that name in Belgium for some reason. So feel free to send me an email, you have my reference there, or hit me up on LinkedIn if you want. Yeah, the views I'm expressing here are my own, okay, and the image credits go to their owners.

We are not going to discuss a lot about information security, to be honest, but more about a role. We've been discussing here, I think during the morning and perhaps also later in the afternoon, how to try to break things or how to get inside things. But from the other perspective, on the defending side, you would have one person sitting on top of the food chain trying to organize all this. So we're going to talk about that person a little bit: what is the skill set that person would need to perform a great job, and, yeah, some advice, or some pitfalls you may want to avoid. So I'm putting in here my experience. I have like 20 years of experience in cyber security, 10 or 11 as a CISO, but again, that's not my customer's view, that's mine.

So yeah, you're up for it, you want that job, you want to be head of security. You probably already have some experience in cyber security, and well, you need some skills to get there and to do a good job. So what are those skills? You don't see information security skills or testing skills here; I focus on the rest.

First of all, business skills. Why business skills? I mean, usually we talk about tooling, scanning this and that. Well, if information security is about protecting the confidentiality, integrity and availability of information or assets, you may want to first go and protect what is of value to the company. So first of all you need to understand what is of value, what is the value chain of a company in general, how do you identify it and how do you work with that information, how profit is generated. This isn't necessarily taught at university, especially if you've been learning IT. What are the market trends? And also, when you are dealing with a specific business, try to anticipate what's coming, try to anticipate what's the effect of its changes on the cyber security landscape. Because cyber security was initially seen as a cost. "What is the return on investment of a firewall?" That would be the question you would get like 10, 15 years ago: "Firewalls? No, we don't have enough? No, you want more?" So that was seen as a cost. Then there were some successful attacks and getting budget was a lot easier, and then cyber security was seen as a differentiator: how do you differentiate from the companies doing the same business? Well, cyber security can help you with that. And now it's just an essential component of any service, so you can't discuss that. That's your business skills, that's the main one.

Then, on the bottom, social, soft, interpersonal skills, people management skills. You need them to manage your team, you need them to manage your management as well. So looking down on your team, you have to try to be in their shoes, but also looking up to your management, you also have to manage them in some way. Do they understand cyber security? Do you have to teach them a little bit what it is about? Then you're looking sideways, left and right, at the other divisions within your company. How do you handle the relationship with them? Most probably, well, there are chances they won't like you from the start, so you may want to fix that as well. You will also have to manage suppliers, your own suppliers as a security provider, but also the other suppliers of the company; that's also a totally different relationship. And then, usually something which is not told when you sign for that type of position, you have to manage customers. Okay, they may have questions before signing the contract, but you also have to deal with their audits; you may have an audit clause allowing them to audit you. You have external auditors and regulators if you are working in a heavily regulated market; that's a lot of audits to deal with. And for some reason, I don't know why, but they tend to go to cyber security to manage the relationship with those auditors, probably because you're in an ideal spot between the management and IT in general. Last but not least, manage yourself. You are your key asset, your best asset. You need to manage yourself, listen to yourself: are you happy? This is something you need to do as well, okay.

And analytical skills. Well, we went through a lot of specific concepts in the previous presentation. You don't need to know, in my opinion, all the bits and pieces, all the details, but you need at least to know how things work, especially in an ever-changing environment, an ever-changing landscape. So you need to understand those concepts. Usually there are many concepts you need to understand; you can go from identity and access management, vulnerability management, and whatever. So all these have their specifics and you need to take decisions based on that: which direction would you want to take? So yeah, keeping your head cool and taking decisions, that's of course a decisive part. Then communication skills.

[Audience member:] Yeah, as it is, so myself, one of the hardest skills, that probably does hold into that analytical skills, is to quantify risk to the management. That is the hardest thing, trying to explain to business people the risk, and they always talk in dollars and euros and they never talk about RAM, databases, vulnerabilities; they don't understand none of that. So the hardest thing is trying to tell them how much money they're going to lose, and probably the second, which you have put in here, is trying to keep a balance between security and operational effectiveness. Just my two cents. Great, great presentation so far.

[Speaker:] Thank you. I would tend to agree with you, and this is why the next point comes there: communication skills. So how do you convey that message, how do you manage to explain, well, as you said, risk management? Okay, again it may be seen as a cost, and we'll come back to risk management later. So yeah, communication towards your management but also towards your other stakeholders. And well, indeed, when you communicate, especially towards your management, you will communicate as needed on risk, on problems you come across, but also on achievements. We tend to forget that. We tend to do, well, "we have a problem, we have an incident, we have an outage". You also need to show them, "well, we didn't have an outage last week because we blocked so many attempts". So this also must be communicated towards your management and put forward.

Then, of course, technical skills: is it nice to have? Okay, I've seen people, CISOs, having great careers without even having a technical background. You can have sportsmen now being put in a C position because they have the right mindset, they strive for excellence. Sometimes this is more important than knowing how you configure a server. So you have the skills, or at least you know which ones you have to work on. I haven't mentioned here information security; you can have various security certifications, CISM, CISSP, all those are good, but focus on these skills, I would say.

So now, okay, you're looking on the market for a CISO position, you have found one. What do you need to do first? Well, first do your due diligence. Well, this is a basic part of it, you would say, you have to do this for every position you would try to get, but at least do it in a very specific way. What is the cyber security organization already in that company? And you could even ask, but we'll come back to that later, where is the CISO right now? Is he still there? Is he in a mental institution? This is a question worth asking. So yeah, what is the profile of that company? Is it public, private? Is it profitable? You may want, you know, to get 10 extra resources; if the company is not making money you won't get those resources. What is their existing maturity? So at least you know where you're going. So try to find someone working in that company, go get a coffee with that person, ask a few questions: do they still have Windows Server 2003? Things like this will give you a bit of an indication of where you're going into. And are there any high-visibility incidents? That also gives you an idea of where you're going. Of course cyber security incidents, depending on the country you are living in, have to be made public, but well, outages usually they don't need to make public; the public knows.

So you've made your due diligence, you have your interviews with HR. So a few orange or red flags in here as well. "What happened to the previous CISO?" as a question. So is it a new position, there was no CISO before? Well, that's great, gives you an indication as well of the maturity level. Otherwise ask where he is, why he left, why he's been sacked, did you, you know, learn something out of it, because it's hardly usually one person's fault when you have this sort of situation. Second part, another red flag: lowball offer. So you are competing for a position and they tell you this is what we are proposing you, this is the package, and it's super low: they are not serious, don't waste your time, just leave. And also one thing that I've heard here and there: there was an audit. Okay, so, okay, why am I here? Am I here just to fill a gap in an audit recommendation, or is there total chaos, total mayhem and we'll need to fix that? This is a good indication as well. Another point you never necessarily think about: the org chart. To whom will you report? To the CEO? Okay, does he know anything about cyber security? To the CIO? Okay, he may know something about security, that's good. To the CTO? Well, is it a security manager or is it the top-ranking guy, the CISO position you are being proposed?

So you went through HR, you have a proposal. What do you do? You have two possibilities. So if the job is offered to you, you can say no. Sometimes it's better to say no. It's not because it's a C position, you're dreaming of that sort of position; sometimes when the situation is just bad, just say no, it's better for you, believe me. Otherwise say yes, and then the fun starts.

So you get the job, you start. You have 100 days usually to make an impact, otherwise people won't notice you, you're just doing the same thing, it's more of the same basically. So what do you do for these 100 days? Well, make a plan. You check where you are, where the company is right now in terms of security, where do you want to go (terms here are different: where do you want to go, where do you want to lead security) and then transformation: how do you get from A to B?

So, where do we stand? You have four questions. I've taken this from, I think, the CRISC book; this is gold. First of all, are we doing the right things? Do you cover, with the right security services, what you are supposed to do? Then, are we doing them the right way? Are these security services designed the right way? This is all about design. And then you look at performance: are we getting them done well? What is the performance, check the indicators. And then, based on that, are we seeing the expected benefits? This is where you have to really put some focus, because where the performance is not at the expected level, this is where you need to look into. So this is the initial situation.

Where do you want to go? Well, look at what the company is trying to do first. What are the business goals of that company, and adjust to that. And based on that, put yourself on a new organizational model: how are you going to organize these security services, what is it you propose to the company? And also draw a line, draw a line on security operations. I will take two examples, two extreme examples. You have the example where you do only risk management: I don't care about the rest, I do risk management, I perform assessments, I do reports, I go check the different indicators coming from the internal service providers, look at the KPIs, am I happy? Good. Am I not happy? Well, you go take your whip and start hitting people. That's a possibility, that's one extreme. The other extreme is: okay, I have a lot of skills within the team, I will do the services myself, or my division will do the services. Well, that's good, okay, you could say you have the skills, you do your own vulnerability scanning, you do the management of the patching with IT if you want to, again the same for identity and access management. But if you are going to that extreme, it means you need skills in cyber security and also in IT. Chances are you already have those skills inside the company, so that would mean having twice the same set of skills; it's probably not the best way to go. So you have to draw the line somewhere and hold that line, because this is where the fun begins.

So you know where you are, you know where you want to go, and then you have to prepare this transformation. How do you go from A to B? Make a plan. Do you have the right resources? When you have a resource gap, what is it you do? Do you hire new people? Do you try to get some help, temporary help, from the outside? This is the plan you need to make. Then you define your transformation plan with the associated timing, and get the budget. I say obtain, I didn't say request, the budget; you have to get the budget. So well, that was it, that was really easy, now you're good for a steady, simple ride.

So I'll give you a couple of tips to end the presentation, just so you have an easy ride afterwards. So first of all, get a good picture of the company culture, company culture and subcultures, because you may have a company spanning different countries; you will have local subcultures, you need to adjust to that. Figure out business priorities and how to enable them. You will be a star if you help the business get their achievements; good, you will be a star. Find your business sponsor; this is associated with the previous point. Get success stories quick: find the low-hanging fruits, good stories, so that people know, people see that you are doing a good job. Well, it was quite a grim presentation initially, I tried to make it a little bit lighter, but it is a very demanding job, but also very rewarding. We have a lot of war stories to discuss afterwards, so enjoy it. Last but not least, as I briefly mentioned before, you are the most important asset; without you it doesn't work, so treat yourself accordingly. And that's it.