CISO Tabletop Scenario Intro

I thought it would be fun to explore what people do with regards to cyber security leadership, budgets, constraints and the realities of business change. So here’s a blog post to supplement my thread on Twitter:

MrR3b00t | #StandWithUkraine #DefendAsOne on Twitter: “Tabletop: you have 400 servers, 800 users and your cyber security budget is 100K…. what do you do? https://t.co/Nw0Pd7rH8L” / Twitter

Please note: the list below is based on experience. It’s also a list I made whilst drinking about half a cup of tea, so it’s not complete or “the answer”; it’s just some observations about an approach I advocate.

What would Dan do?

I created a thread on Twitter with this scenario to see what people may or may not do. The responses were varied and interesting. There was lots of solution occurring with EDRs and Firewalls and selling server hardware, and lots of cool, fun and sometimes innovative ideas. Some people started with risk, some started with going to the pub, and there was lots of fun (for me and hopefully the lovely people who took part!). However, I wanted to show people what I would do. This isn’t based completely on fiction; I’ve run a number of change programs in my career with various sizes of company. So in the tabletop, as newly appointed CISO, what would you do? Well, here’s what I would start with (given the high level abstraction of the scenario and limited context). What do you think?

Phase 1

  1. Conduct an analysis of the scenario (What did the last person do? How did they get here? What do I want to get out of it? Do I want to try and improve this? Is the culture right for change?)
  2. Set expectations of plan with senior exec team (100K is NOT enough for a business of this size no matter how “smart” someone is)
  3. Learn the business context
  4. Build relationships with key stakeholders
    1. Get org chart
    2. Create stakeholder map
  5. Understand the business marketplace, customers, competitors etc.
  6. Do OSINT
  7. Read the annual report
  8. Read the financial history and summary (OSINT + Internal Documents)
  9. Understand legal, regulatory, and contractual obligations
  10. Engage board and understand business roadmap
  11. Conduct business portfolio analysis, understand marketplace, products and services, revenue splits and costs by LOB and functional area
  12. Collect business architecture artifacts
  13. Create 100k plan
    1. Keep 30k reserve for IR costs (unless the business agrees to reserve from other budgets)
    2. Recognise 100k can’t fix the technical challenges of an org this size
  14. Understand roles and responsibilities
  15. Map technology landscape
  16. Map data landscape
  17. Conduct high level maturity assessment (do not share this one)
  18. Run a project to understand current state: discovery, vulnerabilities, risks (macro and micro, business and technical), capability maturity, test controls, test detections
    1. Option A: use a third party (impartial) – gets round any political issues
    2. Option B: do it yourself, might create friction (what’s your own game plan?)
    3. Option C: make sweeping assumptions and run the risk of blowing cash on toxic investments but appear to be “saving money”
  19. Develop a realistic and pragmatic budget with the CFO and exec team as a collaborative effort
  20. Engage with the teams in the business, find out where they are strong and where they are struggling, and look at ways you might be able to help them.
  21. Develop a portfolio view
  22. Develop a business aligned cyber security strategy
  23. Create a security budget that is:
    1. Aligned with Business change roadmap
    2. Aligned with the CIO/IT Budget
    3. Looks at operational efficiency alongside risk reduction/management
    4. Fold security costs into customer contracts/future deal scenarios
      1. Either transparently or opaquely (subject to the market and business appetite)
  24. Secure funding or leave

Phase 2

  • Execute against roadmap

Rationale

An organisation with 800 staff (regardless of sourcing mix) and 400 servers (regardless of physical or virtual) will need to be generating ~ £64,000,000 revenue to be viable/exist.

  • 100K is 0.16% of projected revenue.
  • The fine for a PECR violation could be up to 250K for the organisation or the directors.
  • A GDPR violation could incur a fine of €20 million or 4% of revenue (£2,560,000).

To even understand an organisation of this size will take a significant period. It’s highly likely that the maturity level is low (given the budget of 100K) and, based on 90% of organisations, that the technical debt level is high, the security capability maturity level is low and the posture is significantly weak.

To generate £64,000,000 revenue, you would need to be selling either B2C at significant volume or B2B with some sizable contracts. If we look at contractual risk, the risk range will run from greater than revenue down to the size of a small incident.

A single security incident may cause the loss of a customer, and this could be a significant portion of revenue (would require contractual and portfolio analysis).

What is clear is that, before decisions are made on the current state, an analysis would need to be conducted. The scope of this should be enterprise wide; the depth is obviously subject to the organisation’s risk appetite. If it was less than 3 months’ activity I would probably refuse to partake in the venture (but that depends on the landscape somewhat).

Technical Analysis

  • 800 Staff likely = > 1000 PC Devices
  • 400 Servers (they are probably VMs) would require hosts, networking, links, storage etc. So, there’s a ton of cost and complexity. Whilst these could be physical, it’s not probable in 2022 given the adoption of virtualisation since the mid-2000s.

Broad Recommendation

Invest funds in creating an integrated and aligned cyber security strategy. Where tactical “wins” can be applied with the existing teams, enable them. Recognise the landscape is vast, change is complex and silver bullets are in werewolf films not in business.

Whoever takes this on is going to have a hard time, it’s a marathon not a sprint and no change initiative goes exactly as planned. Slow is smooth and smooth is fast.

Competition

I ran a small competition to give away something small for the response most like mine, but there are also a few responses that I want to mention too:

Most like my response (joint winners)

@loki
https://twitter.com/1ofthemanyloki/status/1517016499118313473?s=20&t=MuFiUzwC08BU8nA2koSkFg

@Blackf3ll
https://twitter.com/Blackf3ll/status/1516887630989963266?s=20&t=MuFiUzwC08BU8nA2koSkFg

Most realistic financial response
@AirmanNL
https://twitter.com/AirmanNL/status/1517018758983868417?s=20&t=MuFiUzwC08BU8nA2koSkFg

Most comprehensive technical response
@shotgunner101
https://twitter.com/shotgunner101/status/1517023763270885376?s=20&t=MuFiUzwC08BU8nA2koSkFg

Response that made me lulz hard
@DCuplink
https://twitter.com/DCuplink/status/1516871588515389441?s=20&t=MuFiUzwC08BU8nA2koSkFg