Welcome to the SecAware blog

I spy with my beady eye ...

6 Aug 2022

CISO workshop slides

The title 'CISO Workshop: Security Program and Strategy', with 'Your Name Here', suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):


Aside from my gripes with the example metrics (see below), the remainder of the presentation has a lot of useful information, lots of details, plenty of busy, thought-provoking diagrams and, as I said, an uncommon polish for free slide decks.

Here's a nice, fairly simple example slide that I could happily present and discuss in some depth as part of a workshop or training course:


Naturally, the slide deck emphasises Microsoft's own 'security posture', such as:

  • IT, cyber and data-centric, virtually ignoring the wider field of information risk and security management (e.g. protecting and exploiting workers' knowledge and other intangible forms of intellectual property) with limited, almost incidental reference to information risk and security management being truly driven by business objectives;
  • Hacking and malware, i.e. deliberate, malicious and often targeted attacks, downplaying accidental threats (e.g. floods and fires) and other incidents such as human error, theft, sabotage and fraud, plus enterprise risk management as a whole (e.g. financial risk, market risk, compliance risk, strategic risk ...);
  • Zero-trust - whatever that means to the presenter and audience;
  • Cloud - meaning Azure, specifically;
  • DevOps and DevSecOps - whatever those terms mean;
  • MS threat intelligence including artificial intelligence/machine learning rapid responses to novel malware (a cool idea, provided it works reliably).

I'm intrigued by their choice of example Security Scorecard Metrics (slide 63):