CISO 2.0 training and S-ISME exam

In-company training

Who is this training for?

Typical participants include, but are not limited to, CISOs, information security officers, (cyber)security managers, security consultants, security operations managers, IT risk managers, IT governance managers, and risk advisory firms that integrate this course into their talent programmes for high potentials.

Level attained

Advanced

Duration

5 day(s)

4-month program with 5 training days

Language(s) of delivery

EN

Next session

Prerequisites

Participants are expected to have at least 2 years of experience at the tactical level, a solid understanding of governance and risk, and familiarity with maturity models and frameworks. Previous training could include CISSP, CISM, S-ISP or C|CISO.

Equally important, the setup of the programme requires a general level of seniority, an open personality and mindset, and the willingness to continuously challenge and improve yourself.

Objectives

The CISO 2.0 programme supports the growth path towards a cybersecurity leader who acts as a partner for the business, adding the roles of leader, strategist and change manager to the expert role. Developed by a group of renowned security leaders and reviewed by an industry veteran who advises board members, this programme offers a unique blend of the security, leadership, change-management and business skills required of the modern Chief Information Security Officer (CISO).

Certification from SECO-Institute: Information Security Management Expert Title (S-ISME)

The CISO 2.0 programme prepares for the highest certification within SECO-Institute's information security track. The certification is granted on successful completion of an assignment that participants work on throughout the programme. The case or strategy should ideally bring value to the company where the student is employed. The programme is set up so that students can integrate each day's homework assignment directly into the final paper they must submit.

Content

By the end of this programme, the participants will be able to:

  • align security with the business: the different ways security can be structured in an organisation, the impact on the CISO role and mandate, and stakeholder influencing strategies;
  • identify major flaws in security organisation design;
  • understand the crucial role of security operating models as the bridge between strategy and execution;
  • practice alignment with value-driven strategies and operating models from business and IT;
  • govern, align and lead cybersecurity within an organisation;
  • build strong alliances with compliance and assurance so that everything is in line with regulatory and legal requirements;
  • position the CISO as a trusted strategic advisor;
  • build a strong information security team and organisation with appropriate funding and executive support;
  • lead cybersecurity rather than being led (as is mostly the case today): communication channels, reverse psychology vs direct communication;
  • create a compelling story instead of blocking projects because of security concerns;
  • create an inventory of your business and IT strategy;
  • describe the key elements of existing IT governance processes;
  • practice effective risk management;
  • understand countervailing powers in an organisation, and the successful implementation of risk management and responsibilities in a 3 lines of defence model;
  • challenge the 3 lines of defence model with dynamic risk governance principles;
  • work through the impact of an agile way of working on the security organisation and its controls;
  • practice cybersecurity strategy development as a change management process, to develop an implementable information security plan with realistic targets and goals;
  • define resource planning and budgets;
  • create a business case;
  • manage information security in operations, programmes, projects, supply chains, geographical locations, business units and in an agile organisation;
  • practice C-level involvement: report to the board and external stakeholders;
  • obtain a seat at the board table, at least once or twice a year;
  • define relational mechanisms: how to talk with board members and the CEO in an informal setting;
  • evaluate the cyber function in the context of risk appetite, the role of digital transformation and maturity levels in different types of organisations;
  • evaluate typical CISO leadership competences and opportunities to grow;
  • identify your leadership style and create your personal development plan;
  • define a problem to solve for your organisation;
  • walk away from the course with a strategic plan and a personal development plan.

Topics covered

During the introduction you will meet your fellow students and trainers. You will be asked to prepare a PowerPoint slide introducing yourself, your background and your expectations. The session includes a short overview and examples of do's, don'ts and pitfalls when writing your problem statement. The problem statement is the starting point of the assignment that you will work on throughout the programme.

Day 1: security organisation, CISO role and maturity

Security organisation design
Introduction

  • Most common pitfalls and issues
  • The 4 design building blocks and how they interact

Operating models: the DNA of your security organisation

  • Connecting strategy with execution
  • What can you use them for?
  • Components and capabilities of the security operating model

Security governance models

  • Integrating security capabilities in governance models
  • Different models and factors influencing the model
  • Common challenges and how to address them

Building your team

  • Aligning your security team with business objectives using target operating models, the concept of change agents and change leaders, and stages of group development

Business alignment exercise putting it all together:

  • Different strategies and value driven operating models from business and their impact on the security organisation

CISO role, mandate and stakeholders
The need for executive support and aligning stakeholders

  • CISO roles: leader, strategist, change manager, expert
  • Group discussion: CISO role vs actual position and mandate
  • Challenges in executive support and stakeholder alignment

Stakeholder analysis

  • CISO interfaces and interactions
  • Scoping based on your problem to solve
  • Identifying stakeholders based on power, involvement, attitude towards cyber and relationships between stakeholders
  • Exercise: set the stage for your influencing strategy covered on day 2

CISO maturity in leadership

  • CIRO model: CISO leadership in the context of risk appetite and maturity in different types of organisations.
  • CISO leadership competencies and opportunities to grow
  • CISO maturity assessment: identify your leadership style, create your personal development plan.

Day 2: Leadership

CISO leadership theories

  • Trait theories
  • Behavioural theories
  • Contingency theories
  • Power and influence theories
  • Ethical leadership
  • Transformational leadership
  • Agile leadership

Personal competencies and leadership, KYS

  • Know yourself
  • Leadership assessment
  • Authenticity, trust and Integrity
  • Courage
  • Story telling

CISO Interfaces

  • Important CISO interfaces
  • Driving change by building successful teams
  • Driving change through building successful relationships with CISO interfaces
  • Stakeholder models and influencing strategies

Day 3: Govern, align and organise security

Business aligned security

  • Introduction on business value and business strategy
  • Business value strategies
  • Business aligned IT and security
  • Alignment with IT maturity and existing IT governance

Effective risk management

  • Need for countervailing power in an organisation
  • 3 lines of defence model
  • Cooperation with the first and second line
  • Effective risk management processes and risk mitigation

Security in an agile organisation

  • Introduction to the agile way of working
  • Agile manifesto
  • Lead by example: agile security teams
  • Impact of the agile way of working on security

Day 4: Strategy: cybersecurity as a change management process

Cybersecurity as organisational change

  • Foundational practice of organisational change for an implementable strategy

Tactics for creating urgency

  • Know the why
  • Never waste a good crisis
  • SWOT 2.0 applied to organisation-stakeholder relationship

Tactics for identifying and tackling roadblocks
Identifying and tackling roadblocks

  • Sources of influence
  • CISO addressing friction?
  • Personal circles of influence

Tactics for short-term goals and achievable steps
Articulate your management plan

  • Using cybersecurity maturity models
  • Classic Fit-Gap analysis of a standard
  • Communication and KPIs: what is your dashboard?

Breaking the whole down into achievable steps

  • Leveraging Agile and LEAN methods for cyber security projects and processes
  • Leverage your professionals
  • Management by objectives / goal setting theory

Balancing incidents and structural change for impact
Tactics for keeping up the momentum

  • Organisational learning and learning maturity
  • Using the 3 lines of defence
  • Integrate different work styles for a unified view of cybersecurity via a control framework

Day 5: Managing security, security finance and C-level engagement

Managing security in operations
Security operations vs. security in operations

  • SIEM, SOC, SOAR
  • SECOPS and IT
  • InfoSec in business operations, InfoSec in IoT, InfoSec in industrial environments (IEC 62443)
  • Challenges of InfoSec (multi-locations, cloud, etc.)
  • 3 lines of defence versus dynamic risk governance

Security finance
Finance for non-financial people

  • Public versus private organisations
  • Run cost versus change costs
  • Capex vs. Opex
  • EBIT vs. EBITDA
  • Financial statement vs. P&L
  • Financial management and KPIs

Creating a financial plan

  • Key elements
  • Common pitfalls
  • Aligning stakeholder expectations

Reporting to the board

What’s on the board’s mind?
Presenting information security:

  • Sources of the report
  • Ways of bringing information to the board
  • When to report and to whom
  • How to align with their expectations

Who are your allies within the board?

Exam

The CISO 2.0 programme prepares for the Information Security Management Expert Title (S-ISME) from SECO-Institute. The certification is granted on successful completion of an assignment that participants work on throughout the programme. The case or strategy should ideally bring value to the company where the student is employed.

Additional information

This training will be coordinated by Koen Maris, Partner and Simon Petitjean, Director at PwC Luxembourg.

Koen, Partner, leads the Cyber Security practice and has more than 20 years of experience in information and cyber security across industries.
Koen specialises in Security Operations Centres, incident response and awareness raising at all levels of an organisation. He has experience with Distributed Ledger Technology, IoT, OT/IT security, threat intelligence and forensics.
Koen has a strong technical background and operational experience in cyber security, as well as strong competencies in security architecture, solution design, programme management and business development.

Simon is a cybersecurity director specialised in ethical hacking. He has worked on multiple cybersecurity projects in various industries and environments (banking, government agencies, European institutions, industrial companies). As a technical specialist, he takes full part in the activities of the Ethical Hacking team, including penetration tests, vulnerability assessments and on-demand hacking scenarios.
Simon also works as a Subject Matter Expert on incident response assignments and digital forensics investigations. He is a sworn judicial expert in the field of cybersecurity, cybercrime and digital investigation, appointed by the Luxembourg Ministry of Justice.
