Okay, let's go ahead and begin with Module one and Module one really looks at the problem. Why is it that we need a sizzle? What are the problems that we're trying to solve? And this is just gonna be an overview and will delve into this more, of course, throughout the course. So we have to look at the problem that we're trying to solve. And if you've been
anywhere in any way conscious for the last 10 years,
you have noticed just an an explosion in the realm of cyber crime, identity theft, fraud, cyber warfare, and we could go on and on and on. Now, generally, when we talk about being the chief information security officer of a business of an organization,
we're really generally gonna be primarily concerned with protecting our company's data. In our information, that's what this class is gonna focus on as we're information security officers.
So what? We're concerned with this data loss and theft of information, and you can see that I have some statistics here. Ah, 15 million victims of identity theft and that number just continues and continues to grow $50 billion in losses for identity theft
credit card fraud. $16 billion there,
21 record 1,000,000 records. You're familiar with the breach of the Office of Personnel Management? They're certainly not the only government agency that was compromised as well. Losses and finds due to non compliance. And, of course, as a senior executive, those losses, those fines being found liable,
possibly being sued by the board of directors or stakeholders shareholders
these air all big, big, big concerns of mine. So basically, what we've got to do is we gotta figure out how to at least mitigate some of these risks that are associating with our information.
So what is our response? Well, we're gonna look at bringing security into the executive level of an organization. What that really means. Is there a couple of different strategies or a couple of different ways that security gets implemented with an organization top down or bottom up?
And when we talk about top down management, that means that the senior managers are directly involved. They're active participants. They have buy in on security, and they support and provide resource is and funding for the security function.
Long story short, they get it right.
Senior management's backing security they understand the losses they're on board. That's top down. And that's really the way an organization runs best. Now the alternative to that is bottom up. And what that means is senior management looks at I t is a necessary evil.
And then, ultimately, it's the I T department in the Security Department coming to senior management,
trying to convince them that they need resource is and that they need support. And obviously that's not going to work as well. So if we can get senior management on board, we get better support. We can align security with the business needs of the organization. As in, we're just not applying security for the sake of security.
But we truly understand what the organization needs,
and we're going to help implement security in such a manner that the organization can get their okay. We're going to make sure that, um, security policies air implemented that they're enforced, that they're supported. So really, if you look at it, security is such an essential function.
It has to be provided at the executive level.
All right, now, if we do that, if we incorporate security governance into senior management, so basically we have seen your management involved.
Then ultimately, what we're going to get is we're gonna get a long list of benefits, and I'm not gonna read every one of these. But certainly we're going to get compliance because ifs because senior management sets the tone for the organization. If senior management is on board that trickle down,
Ah, we'll be able hopefully to avoid being liable of any sort of loss,
we're gonna illustrate due care and due diligence, Ideally, that will provide us with trust with our customers. It will help us avoid fines and violations of regulations. They're just many, many different benefits
and down at the bottom, effectively managing information security resource is making sure that we implement security is necessary
again as driven by the needs of the organization.
Um, so six outcomes, ultimately, what we're marching towards, I've already mentioned this idea of strategic alignment. The security function has to support the business, and sometimes you can actually have too much security.
When I implement more security than is warranted by the functions of the operation and the value of what we're protecting,
that's too much security. I want to provide enough to effectively support the business. Okay, risk management. Really? If you think about it, risk management is just security management. Security management is just risk management really is the better way to say that. So when we think about protecting our assets and we think about
you know, all the things that we have to go through,
we're gonna go through those steps that are sort of universal to risk management. Figure out what you're protecting and what it's worth. A look at the threats. Look at the vulnerabilities and try to find a coughed, cost effective solution. If security governance is in place again, coming from senior management down,
then we'll be able to have a better risk. It men at miss risk management.
All right. Resource. Awful optimization. Um, I have never had senior management Give me a blank check and and have them say just spend all you need but protect Our resource is if you're waiting for that data happen, it will likely not come.
So I have a limited budget, and when I have to be able to do is choose to mitigate those risks that provide, or that could could
there's risk that could materialize and have the greatest impact on my organization. I gotta spend my money well, So resource ops optimization. That's going to sum up our first chapter, which is basically just an overview of why we need a chief information security officer.
Let's go on and move into, not Module two.