Webinar: Information Security Management Overview
Webinar Deck (PDF): Information Security Management Overview
February 1, 2018: Stan’s Guest: Bill Leider, Managing Partner, Axies Group
Webinar: Cybersecurity: Board Responsibilities. Board Leadership.
Webinar Deck (PDF): Cybersecurity: Board Responsibilities. Board Leadership.
September 5, 2019: Stan’s Guest: Bob Zukis, CEO and Founder, Digital Directors Network, Board Member, USC Marshall Professor, Forbes Contributor, xPwC Partner, Keynote Speaker
SecureTheVillage Webinar: The Information Security Management & Leadership Team
Webinar: The Information Security Management & Leadership Team
Webinar Deck (PDF): The Information Security Management & Leadership Team
March 1, 2018: Stan’s Guest: Dennis Duitch, CEO & Founder, Duitch Consulting Group
SecureTheVillage Webinar: The Great Reboot: Succeeding in a World of Catastrophic Risk and Opportunity – September 10th, 2020
Webinar: The Great Reboot
Stan’s Guest: Bob Zukis, CEO and Founder, Digital Directors Network, Board Member, USC Marshall Professor, Forbes Contributor, xPwC Partner, Keynote Speaker
Webinar: Embracing the New Mindset: Governing Your Business’s Cyber & Privacy Risk – August 13th, 2020
Webinar: Embracing the New Mindset: Governing Your Business’s Cyber & Privacy Risk
Stan’s Guests:
- George Usi, CEO, Omnistruct Inc, SecureTheVillage Board Member
- Jordan Fischer, CIPP-E, CIPP-US, CIPM, Co-Founder and Managing Partner at XPAN Law Group
WSJ PRO Cybersecurity Symposium – How to Protect Your Company Without Breaking the Bank, January 9, 2020
Event Recording: How to Protect Your Company Without Breaking the Bank
Speakers:
- Dr. Stan Stahl, Founder of SecureTheVillage, President and Co-Founder of Citadel Information Group, Inc, recently acquired by top-100 CPA firm Miller Kaplan
- Kiersten Todt, Managing Director, Cyber Readiness Institute
- Moderator: Kimberly S. Johnson, Editor, WSJ Professional Products, The Wall Street Journal
ResourceKit Articles
- Information Security Manager - The Information Security Manager [ISM] is the organization’s most-senior level person with management and leadership responsibility for information security. The ISM may also be called the Chief Information Security Officer, CISO. In mid-size and smaller organizations, the Information Security Management position is often not a full-time position. Thus the ISM will have other responsibilities, such as CFO, […]
- The NIST Framework — The Information Security Management Chain - Following the NIST Framework for Improving Critical Infrastructure Cybersecurity, managing the security of information hinges on five security management capabilities: Identify: what information needs to be protected and where it is located; Protect: that information; Detect: information attacks and other incidents; Respond: to information attacks and other incidents, especially successful attacks; Recover: from the incident, […]
- Team Mission, Goals, and Objectives - The Information Security Management & Leadership Team is responsible for managing the organization’s risk-based Information Security Management Program, designed to protect the confidentiality, integrity, and availability of the organization’s information. This article outlines its objectives, function, and membership.
- Team Membership, Chair, and Meetings - Team Membership. Team Selection: The Chief Executive and the Information Security Manager (ISM) identify the team members. Selection Criteria: Given the above Mission, Goals and Objectives, the team needs to include members at an executive level of authority. The team also must be sufficiently broad so that all staff and vendors are in a management […]
- The Objective of Information Security Management - Overview of the objectives of Information Security Management
- Team Operations - Get Started: Initial Team Training. Implement information security management policies and standards. Provide basic awareness training to staff. Conduct an Information Security Risk Assessment. Develop Findings and Recommendations. Develop the Initial Action Plan: Develop an Initial Action Plan based on the Findings and Recommendations of the Information Security Risk Assessment. What’s to be done in […]
- Team Authority, Accountability, and Governance - Team Authority: In coordination with the Chief Executive, the Team has the authority to establish information security policies, standards and other materials and to hold staff accountable for compliance. In coordination with the Chief Financial Officer, the Team has the authority to establish budgets, commit resources and direct expenditure of organizational resources. Accountability and Governance […]
- A Few Quotes about High Performance Teams - Trust is knowing that when a team member does push you, they’re doing it because they care about the team. … Patrick Lencioni. Talent wins games, but teamwork and intelligence wins championships. … Michael Jordan. Coming together is a beginning. Keeping together is progress. Working together is success. … Henry Ford. Perfection is not attainable, […]
- Information Security Management — Seven Critical Success Strategies - Critical points for understanding effective information security management and success.
- A Few Quotes about Information Security and Privacy - Distrust and Caution Are the Parents of Security … Benjamin Franklin. The secret of success lies in managing risk, not avoiding it. … Merryle Rukeyser, Financial Journalist / Educator. The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s […]
Additional Resources
Cybersecurity: Surviving the Growing Cyber Tsunami. What the Executive Must Do. Stan Stahl, SecureTheVillage President, Presentation to Vistage Executive Summit, September 2018.
- 1-sheet summary handout for the Executive.
- 1-sheet summary handout for the Information Security Management & Leadership Team.
Boards Acknowledge Need to Better Manage Cyber Risk as the Consequences of a Breach Climb. A short video summarizing analysis of 5,000 Board Members in over 60 countries. Harvard Business Review
Cyber Crime, Cyber Security – and YOU: Cyber crime is technological climate change. … Becoming cyber secure requires cultural adaptability – only the CEO can lead that effort. Bill Leider, Axies Group. SecureTheVillage Leadership Council, September 21, 2017
CFOs Don’t Worry Enough About Cyber Risk: Every executive team and board of directors is asking themselves the same question in regard to their cyber risk right now: what can we do differently to avoid being the next Equifax, Yahoo! or Target, and protect our shareholder value? Harvard Business Review, December 2017.
Cybersecurity And The Board’s Responsibilities — ‘What’s Reasonable Has Changed’: Michael Yaeger focuses his practice on white collar criminal defense and investigations, securities enforcement, internal investigations, accounting fraud, cybercrime/cybersecurity and data security matters, as well as related civil litigation. Yaeger also leads internal investigation and cybercrime-related representations for financial services companies and provides guidance on drafting written information security plans and incident response plans for investment advisers. Forbes, April 2018
External Resources
How-to-Guides
- Small Business Information Security: The Fundamentals. The guide from the National Institute of Standards and Technology (NIST) is written for small-business owners not experienced in cybersecurity and explains basic steps they can take to better protect their information systems.
- Protecting Personal Information: A Guide for Business — Federal Trade Commission (FTC)
- Start with Security: A Guide for Business; Lessons Learned from FTC Cases — Federal Trade Commission (FTC)
- Cybersecurity for Small Businesses, Small Business Administration Learning Center
- Cybersecurity Basics for the Work From Home Economy, California Lawyers Association (CLA)
Information Security and Governance Management Overviews
- The Citadel Way to Information Security Management … A Management Guide, Citadel Information Group
- Cybersecurity for middle market companies (5-minute video with transcript) — Robert Braun, Michael Gold; Cybersecurity and Privacy Law Group; Jeffer Mangels Butler & Mitchell
- Hacker stories: Case studies — Insights for the C-Suite. Target. Sony. Wendy’s and more — Presentation to SecureTheVillage Pasadena Roundtable, July 2016, Stan Stahl, Citadel Information Group
Illustrative Compliance Requirements
- HIPAA HITECH: The Security Rule. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- Cybersecurity requirements for financial services companies, Information security management requirements from the New York State Department of Financial Services (DFS), 2017.
Deeper Looks at Information Security Management
- ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements: ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
- NIST Cybersecurity Framework: The NIST Cybersecurity Framework provides a framework for how organizations can assess and improve their ability to prevent, detect, respond to, and recover from cyber attacks.
- California Data Breach Report, February 2016 — A good source for CA information security laws and regulations. The report provides a summary of 20 specific controls that the California Attorney General describes as “a minimum level of information security that all organizations that collect or maintain personal information should meet.” Former California Attorney General, Kamala Harris, asserts in the report that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Creating a Cybersecurity Culture
- Beyond Information Security Awareness Training: It’s Time to Change the Culture, Stan Stahl, Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause, Auerbach, 2006
- The Compelling Case For The CISO As Change Agent
- CISO Desk Reference Guide Volume 1, 2nd Edition: A Practical Guide for CISOs, Bill Bonney, Gary Hayslip, Matt Stamper, 2019
- CISO Desk Reference Guide Volume 2: A Practical Guide for CISOs, Bill Bonney, Gary Hayslip, Matt Stamper, 2018
High-Performance Teams
- The New IQ: Leading Up, Down, and Across Using Innovative Questions, Chris Coffey and David Lam, 2015
- The Five Dysfunctions of a Team: A Leadership Fable, Patrick Lencioni, 2002
- The Ideal Team Player: How to Recognize and Cultivate the Three Essential Virtues, Patrick Lencioni, 2016