CISO 2.0 training and S-ISME exam
The CISO 2.0 programme facilitates the growth path towards a cybersecurity leader that acts as a partner for business, adding the roles of leader, strategist and change manager to the expert role. Developed by a group of renowned security leaders and reviewed by an industry veteran that advises board members, this programme offers a unique blend of the security-, leadership-, change management- and business skills required from the modern CISO.
Certification from SECO-Institute: Information Security Management Expert Title (S-ISME)
The CISO 2.0 programme prepares for the highest certification within SECO-Institute's information security track. The certification is granted based on the successful completion of an assignment that participants will be working on during the course of the programme. The case or strategy should ideally bring value to the company where the student is employed. The programme has been set up in such a way that students can integrate their homework assignments for each day immediately in their final paper that they must submit.
By the end of this programme, the participants will be able to:
- align security with business.: the different ways security can be structured in an organization, the impact on the CISO role, mandate and stakeholder influencing strategies;
- identify major flaws in security organization design.;
- understand the crucial role of security operating models as the bridge between strategy and execution; practice alignment with value driven strategies and operating models from business and IT;
- govern, align and lead cyber security into an organization; create strong allies with compliance and assurance to have everything in line with regulatory and legal requirements;
- position the CISO as a trusted strategic advisor; build a strong information security team and organisation with appropriate funding and executive support;
- lead cyber security vs being lead (as mostly done today): Communication ways, reverse psychology vs direct communication; create a compelling story instead of denying projects because of security concerns;
- create an inventory of your business and IT strategy; describe key elements of existing IT-governance processes;
- practice effective risk management; countervailing powers in an organization, successful implementation of risk management and responsibilities in a 3 lines of defense model. Challenge the 3 lines of defense model with Dynamic Risk Governance Principles;
- practice the impact of agile way of working on the security organisation and controls;
- practice cybersecurity strategy development as a change management process to develop an implementable information security plan with realistic targets and goals; define resource planning and budgets; create a business case;
- manage information security in operations, programs, projects, supply chains, geographical locations, business units and in an agile organisation;
- practice C-Level involvement: report to the board and external stakeholders; obtain a seat in the board, at least once or twice a year; define relational mechanism’s, how to discuss with board members / CEO in an unformal manner;
- evaluate the cyber function in the context of risk appetite, the role of digital transformation and maturity levels in different types of organisations; evaluate typical CISO Leadership competences and opportunities to grow; identify your leadership style and create your personal development plan;
- define a problem to solve for your organisation; walk away from the course with a strategic plan and a personal development plan.
Day 1: security organisation, CISO role and maturity
Security organisation design
- Most common pitfalls and issues
- The 4 design building blocks and how they interact
Operating models: the DNA of your security organisation
- Connecting strategy with execution
- What can you use them for?
- Components and capabilities of the security operating model
Security governance models
- Integrating security capabilities in governance models
- Different models and factors influencing the model
- Common challenges and how to address them
Building your team
- Aligning your security team with business objectives using target operating models, the concept of change agents and change leaders, and stages of group development
Business alignment exercise putting it all together:
- Different strategies and value driven operating models from business and their impact on the security organization
CISO role, mandate & stakeholders
The need for executive support and aligning stakeholders
- CISO roles: leader, strategist, change manager, expert
- Group discussion: CISO role vs actual position & mandate
- Challenges in executive support and stakeholder alignment
- CISO interfaces and interactions
- Scoping based on your problem to solve
- Identifying stakeholders based on power, involvement, attitude towards cyber and relationships between stakeholders
- Exercise: set the stage for your influencing strategy covered on Day 2
CISO maturity in leadership
- CIRO model: CISO leadership in the context of risk appetite and maturity in different types of organisations.
- CISO leadership competencies and opportunities to grow
- CISO maturity assessment: identify your leadership style, create your personal development plan.
Day 2: Leadership
CISO leadership theories
- Trait theories
- Behavorial theories
- Contingency theories
- Power and influence theories
- Ethical leadership
- Transformational leadership
- Agile leadership
Personal competencies and leadership, KYS
- Personal competencies and leadership, KYS
- Know yourself
- Leadership assessment
- Authenticity, trust and Integrity
- Story telling
- Important CISO interfaces
- Driving change building successful teams
- Driving change through building successful relationships with CISO interfaces
- Stakeholder models and influencing strategies
Day 3: govern, align and organise security
Business aligned security
- Introduction on business value and business strategy
- Business value strategies
- Business aligned IT and security
- Alignment with IT maturity and existing IT governance
Effective risk management
- Need for countervailing power in an organisation
- 3 Lines of defense model
- Cooperation with the first and second line
- Effective risk management processes and risk mitigation
Security in an agile organisation
- Introduction agile way of working
- Agile manifesto
- Lead by example: agile security teams
- Impact agile way of working on security
Day 4: strategy: cybersecurity as a change management process
Cybersecurity as organisational change
- Foundational practice of organisational change for an implementable strategy
Tactics for creating urgency
- Know the why
- Never waste a good crisis
- SWOT 2.0 applied to organisation-stakeholder relationship
Tactics for identifying and tackling roadblocks
Identifying and tackling roadblocks
- Sources of influence
- CISO addressing friction?
- Personal circles of influence
Tactics for short-term goals and achievable steps
Articulate your management plan
- Using cyber security maturity models
- Classic fit-gap analysis of a standard
- Communication and KPIs: what is your dashboard?
Breaking the whole down into achievable steps
- Leveraging Agile and LEAN methods for cyber security projects and processes
- Leverage your professionals
- Management by objectives / goal setting theory
Balancing incidents and structural change for impact
Tactics for keeping up the momentum
- Organisational learning and learning maturity
- Using the 3 lines of defense
- Integrate different work styles for a unified view of cybersecurity via a control framework
Day 5: managing security, security finance & C-Level engagement
Managing security in operations
Security operations vs. security in operations
- SIEM, SOC, SOAR
- SECOPS & IT
- InfoSec in business Ops, InfoSec in IoT, InfoSec in Industrial environments (ISO62443)
- Challenges of InfoSec (multi-locations, cloud, etc.)
- 3 lines of defense versus dynamic risk governance
Finance for non-financial people
- Public versus private organisations
- Run cost versus change costs
- Capex vs. Opex
- EBIT vs. EBITDA
- Financial statement vs. P&L
- Financial management & KPIs
Creating a financial plan
- Key elements
- Common pitfalls
- Aligning stakeholder expectations
Reporting to the Board
What’s on the Board’s mind?
Presenting information security:
- Sources of the report
- Ways of bringing information to the Board
- When to report and to whom
- How to align with their expectations
Who are your allies within the Board?
The CISO 2.0 Program prepares for the Information Security Management Expert Title (S-ISME) from SECO-Institute. The certification is granted based on the successful completion of an assignment that participants will be working on during the course of the program. The case or strategy should ideally bring value to the company where the student is employed.
A qui s'adresse la formation?
Typical participants include but are not limited to CISO’s, information security officers, (cyber-) security managers, security consultants, security operations managers, information technology risk managers, information technology governance managers and
risk advisories that integrate this course in their talent programmes for high potentials.
Participants are expected to have 2 years of experience at the tactical level with a solid understanding of governance, risk and be familiar with maturity models and frameworks. Previous trainings could include CISSP, CISM, S-ISP, C|CISO.
Equally important, the setup of the programme requires a general level of seniority, an open personality and mindset, and the willingness to continuously challenge and improve yourself.
Koen Maris is partner at PwC Luxembourg, leading the Cyber Security practice with more than 20 years of experience in information/cyber security in cross industry environments. Koen is specialised in Secure Operations Centers, incident response and awareness raising at all levels of an organisation. He has experience with Distributed Ledger Technology, IoT, OT/IT security, threat intelligence and forensics. Koen has a strong technical background and operational experience in cyber security as well as strong competencies in security architecture, solution design, program management, business development.
Simon Petitjean is a cybersecurity senior manager specialised in ethical hacking. He worked on multiple cybersecurity projects in various industries and environments (banking sector, governmental agencies, European institutions, industrial companies). As a technical specialist, he fully takes part in the activities undertaken by the Ethical Hacking team, including penetration tests, vulnerability assessments, and on-demand hacking scenarios.
Simon also works as a Subject Matter Expert on incident response assignments and digital forensics investigations. He is a sworn judicial expert in the field of cybersecurity, cybercrime and digital investigation, appointed by the Luxembourg Ministry of Justice.
Matthieu Devallée is manager at PwC Luxembourg. He has joined the Cybersecurity team at PwC Luxembourg in 2017 with the objective to assist clients dealing with information security matters. He leverages his more than 13 years of technical and operational expertise to act as a subject matter expert on consultancy assignments. Since the creation of the PwC CSIRT Luxembourg, Matthieu has had the opportunity to support clients in major incident response from ransomware on a compromise infrastructure till insider investigation. His broad scale of skills allow him to manage operational teams, drive technical investigation and ease crisis communication.