Recently, when chatting with friends in the industry, I have often been asked several similar questions: "Why do we rarely hear about real CSO and CISO positions and people in China?", "How does one become the head of security at an enterprise?", "What abilities should an enterprise security director have?" and so on. In addition, over the past two weeks several journalists have taken a greater interest in network security and wanted to gather material for a few security articles; they came to me with basic concepts they did not understand, such as "Security is about finding vulnerabilities, right?" and "Does an enterprise security team spend its days catching hackers?" I feel it is necessary to write something and add my voice as best I can. Whether it is right or wrong does not matter much; take it as a reference for casual discussion.
First, CSO and CISO have not yet become formal positions in many enterprises. What we see today is really "the person ultimately responsible for the company's information security", which is easy to understand, and that is what "how to be a good chief security officer" means here. In addition, the scope of the discussion is limited to Party A companies (the customer side), that is, the field of "enterprise security". With that preamble out of the way, let us get to the point: the twelve basic ability elements of a chief security officer.
Article 1: business understanding and empowerment
Business, business, business; important things are said three times! A senior security person should have sufficient knowledge and understanding of their own business and industry. What is the business model? What makes money? How is the money spent? How is the business structured? What are the core business capabilities? Which core business processes support them? Which supporting processes and functions exist? How are business responsibilities divided? Who are the key business people and teams? Which systems support the core business? Who are the key people on the technical team? And so on. Ask yourself "why" more often. Getting this information and understanding it clearly is not hard; even in large Internet companies and large groups, starting from the core business, it is entirely feasible and the time required is acceptable. With this information accumulated, information security work can be done more realistically and in closer alignment with the business, and the value of information security is easier to demonstrate. Once the business has confidence in and trusts the information security team, the days of working together, endorsing and empowering each other are not far away. I have seen too many cases of security staff shutting themselves in the office poring over plans and code, with no idea which business departments and teams are involved or what they are doing, and yet they are expected to escort the business; do you believe that works?
Article 2: Security Governance and strategic planning
When security governance comes up, the first response of many friends who write policies is to "set up a company-level information security committee". How to put it: of course that gives channels to, and a voice with, senior leaders, but if there is no such committee, does information security work not get done? Cannot get done? Obviously not. Beyond the organizational guarantees and resource input that are usually mentioned, security governance here is considered more in the following five aspects:
1) Strategic alignment. The strategy and focus of information security should always be consistent with the business strategy, layout and expansion. This sounds simple but is not easy to do, especially in organizations that grow and change rapidly; it tests the security leader's business understanding, ability to manage a large team and ability to deliver resources. Where it is absent, the usual consequences are that the security team becomes a fire brigade, the business "runs naked", and leadership gradually loses confidence in security. What that means needs no elaboration.
2) Value realization. Information security is valuable! No one in security would object to that, but how is the value shown, that is, how is it achieved? Enterprise information security cannot be only security products and security technology; good wine still needs to be found down a deep alley. Security technology that is not recognized by the business and ultimately produces no applied effect is just the information security department entertaining itself in "hooligan" style. Whether it is forward-looking research or technology and products for practical deployment, how the information security department's cost input is turned into productivity, product technical barriers, commercial competitive advantage and business support capability is a test of the CSO's ability.
3) Risk optimization. Risk is "the uncertain factors that affect the achievement of objectives" (the definition comes from Nicholas Simon Wu; a very simplified understanding, for reference only). Information security work has never been aimless, let alone a touchstone for personal ability or preference. Where should the work focus? On the places that may affect the survival and development of current and future businesses, and on the areas that may send the company back to zero. Optimizing risk management capabilities, optimizing the information security battlefield situation, and shifting from passive to active capabilities are the key optimization requirements for information security risk. Guided by business and risk and driven by threats, security risk is integrated and optimized comprehensively along three depths: management, technology and people; business capability, security risk management and control capability, and security supervision and audit capability; the business extension area, the virtual boundary area and the core competence area. The aim is to improve the ability to perceive, control, dispose of and iterate.
4) Efficiency of resource delivery. A mountain need not be high to be famous if an immortal lives there, and soldiers need not be many if they are well used. Security governance has to solve the efficiency of delivering security resources: the total number of security personnel is limited, recruitment is hard, the internal team is of limited size, and financial support is within a certain budget. We must manage whether resources are used reasonably and their value maximized, whether through ROI (return on investment) measurement, ALE (annualized loss expectancy) set against control cost, or other management methods, so that "good steel is used on the blade". In this respect, the management maturity of the security team and its ability to fully understand and control security face great challenges.
5) Measurement and evaluation. Measuring and evaluating the security effect, and measuring and evaluating resource use, are the core of presenting results in security governance. Value that cannot be measured can serve as a beautiful PR statement, but if you try to use such a statement with senior managers to ask for resources and discuss performance, the result may not be beautiful. There is not much reference material on security indicator systems and evaluation methods; the risk management and indicator measurement methods of the financial industry and the information security measurement method in ISO 27004 can be consulted. What is basically workable in practice is a set of targeted evaluation indicators built from the enterprise's actual business situation combined with its security system, for example coverage rate, accuracy rate, recall rate and stability for capability-building items, and average incident response time and average vulnerability repair time for operational items.
These five aspects are the key issues in security governance, and also the key success factors that test management ability, global vision and control. In addition, for the security strategic planning mentioned above, I suggest looking at EA (Enterprise Architecture) methods if you need them, especially if your background is strong in security capability.
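Point 4 names ROI and ALE as ways to decide where limited security money goes. The following is an added example, not code from the original article: it puts those two ideas together as a small prioritization routine over a constructed set of risks and candidate controls. Every risk name, loss figure, frequency and cost is made up for illustration, and the greedy budget selection is one simple way to apply the numbers, not a method the article prescribes.

```python
"""Ranking security controls by expected loss avoided per unit of cost.

Added example, not code from the original article. It applies the ALE
(annualized loss expectancy) and ROI ideas from the governance section to a
constructed set of risks and candidate controls. Every risk name, loss figure,
frequency and cost below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO: the expected loss per year from this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    annual_cost: float
    aro_reduction: float  # fraction of occurrences the control prevents, 0..1

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the control is in place."""
        return self.risk.sle * self.risk.aro * (1.0 - self.aro_reduction)

    def annual_benefit(self) -> float:
        """Loss avoided per year: ALE before the control minus ALE after it."""
        return self.risk.ale - self.residual_ale()

    def rosi(self) -> float:
        """Return on security investment: (benefit - cost) / cost."""
        return (self.annual_benefit() - self.annual_cost) / self.annual_cost


def select_controls(controls, budget):
    """Greedy selection: highest ROSI first, skipping controls that cost more than
    they save and any that no longer fit the remaining budget.

    Returns (chosen control names, total annual spend).
    """
    chosen, spent = [], 0.0
    for control in sorted(controls, key=lambda c: c.rosi(), reverse=True):
        if control.rosi() <= 0:
            break  # everything after this point loses money; "good steel" stops here
        if spent + control.annual_cost <= budget:
            chosen.append(control.name)
            spent += control.annual_cost
    return chosen, spent


# Constructed sample portfolio (illustrative figures only).
CREDENTIAL_STUFFING = Risk("credential stuffing against customer accounts", sle=50_000, aro=4.0)
RANSOMWARE = Risk("ransomware on the office network", sle=800_000, aro=0.25)
DEFACEMENT = Risk("defacement of the marketing site", sle=10_000, aro=1.0)

CONTROLS = [
    Control("MFA for customer accounts", CREDENTIAL_STUFFING, annual_cost=60_000, aro_reduction=0.9),
    Control("EDR plus offline backups", RANSOMWARE, annual_cost=120_000, aro_reduction=0.7),
    Control("WAF in front of the marketing site", DEFACEMENT, annual_cost=30_000, aro_reduction=0.8),
]

if __name__ == "__main__":
    for c in sorted(CONTROLS, key=lambda c: c.rosi(), reverse=True):
        print(f"{c.name:40s} ALE {c.risk.ale:>10,.0f}  benefit {c.annual_benefit():>10,.0f}  ROSI {c.rosi():6.2f}")
    print(select_controls(CONTROLS, budget=150_000))
```

The two highest-ALE risks are equal (200,000 each) yet rank very differently once the cost of the control is counted, which is the point of measuring ROI rather than raw risk; the WAF in this constructed case costs more than the loss it avoids and is not funded at any budget.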
Article 3: security risk management
Many people have heard of the concept of risk-based information security, but not many in the industry practice it. Traditional security risk assessment starts from assets, threats and vulnerabilities, with ISO 13335 as the main reference method, and most Party B security companies (the vendor side) follow this routine. Its advantages are a mature methodology, ample reference material and broad applicability, but it also has some obvious shortcomings. The assets are mainly traditional ones such as servers, equipment and information systems, and the starting point is the asset inventory; in large enterprises, fast-growing enterprises and data-heavy enterprises this leads to problems such as overly heavy methods, unclear benefits, difficulty handling change and no clear priorities, so the risk assessment results diverge widely from the actual situation. In addition, alignment with business scenarios is low, as if the risk assessment team were talking to itself.
In traditional enterprise risk management, the business is the core perspective. Enterprise risk management is implemented step by step through the chain core business value chain > business process > business risk > risk management and control measures > risk assessment and audit, while risk management and risk tolerance and appetite constrain and correct the control behavior and resource investment. Reference methods include comprehensive enterprise risk management, COSO-ERM, ISO 31000 and other domestic and foreign best practices. The advantages of these methods are their universality, in particular good alignment with capital market compliance requirements and the corporate governance requirements of listed companies, a comprehensive risk framework, and linked levels of decomposition. The weakness is that once security risk management requirements are introduced, the framework lacks an analysis process from the security perspective and the corresponding ability to implement solutions; whether docking with mainstream security control requirements such as security technology and security management achieves the expected effect depends on whether the implementation team has both comprehensive risk management and solid security ability.
Therefore, the two schools of security risk management can learn from each other. After identifying business risk, rather than rushing to connect control measures, identify the information-security-related scenarios within the business risk and then decompose the technical scheme and management measures:
Enterprise core business value chain -> business process -> business risk -> security risk -> security management and control -> security scheme -> enterprise security implementation practice
Business risk and security risk are linked through security threats, technical architecture and security scenarios, which keeps security and business aligned. At the same time, given current security technology implementation capability, continuous adaptive risk and trust assessment (CARTA) is entirely possible.
Based on the goal of beginning with the end in mind, here is a summary of five common categories of security risk objectives, for reference only.
- Core assets
- Continuous business capability
- Capital related
- Compliance, return to zero
- Reputation, goodwill, brand
Article 4: security technology and architecture
Security technology is not vulnerabilities, a security system is not ISO 27001, and security architecture is not a cluster deployment. These are very simple concepts and distinctions, yet security personnel often confuse themselves. Security technology and architecture are the basic work of enterprise security; implementing a technical scheme is really the extension and realization of a security management concept. Problems that can be solved by technology should not be controlled entirely by people and policy requirements; that is simple and needs no more words. Security technology and architecture emphasize the enterprise's defense-in-depth capability, the analysis and perception capability aimed at shortening the attacker's free time window, and the security technology operation capability aimed at reducing mean time to detect and mean time to respond. The concept of defense in depth has a history of more than ten years, but it is still not out of date in enterprise security. From the business extension environment, the logical boundary and the security domain to the core component areas, layered perception, management and control capabilities are built, along with the construction and operation of dynamic defense and detection mechanisms and offline analysis capability, forming technical mechanisms in depth before, during and after an event and giving the defender richer means and scenarios for confronting attacks. The technical architecture of enterprise security can be viewed horizontally and vertically. Horizontally it can be listed simply as the product area, the production area, the intranet area and the cooperation area:
- The product area refers to the uncontrolled environment after the company's products are released, such as apps and IoT products. Its characteristic is that an attacker can make all kinds of attempts without interference from the defender, such as cracking, debugging, reverse engineering, disassembly and modification. The defender can respond in many ways, such as product-side hardening, anti-cracking and anti-debugging measures, code obfuscation, heartbeat liveness checks and digital signatures. This area can be left alone or contested strongly, depending on the company's resources and its choice of defense boundary.
- The production area refers to the deployment area of the company's core production network, equipment, systems and data. Boundary security, traffic analysis, WAF, host protection, network security, zone isolation, control of lateral movement, log analysis, application system security, vulnerability management, bastion hosts and privilege control are some of the key technologies and products in this area.
- The intranet area refers to the security scenarios in the company's office and workplace environment. Office network security, boundary defense, traffic analysis and control, office service host security, application security (such as OA, ERP, finance and other internal management systems), WAF, security zones, endpoint management, DLP, BYOD, IAM and VPN are the common technologies and products in this area, and physical security such as smart cameras, access control, CCTV, infrared detection and building electrical control also falls within its concerns. Because the intranet environment is complex and wide-ranging, managing it can be more complex and varied than the production area. At present, intranet penetration and APT (advanced persistent threat) have a lower technical entry threshold, a higher probability of success and a greater potential business value, and the technical penetration of commercial espionage often concentrates in this area. Of course, some companies claim to have "no intranet", but that rests on complete perception capability, monitoring capability and control systems; for most domestic companies it is hard to achieve in the short term, and a unified service gateway may be more applicable.
- The cooperation area is a general term for areas that have relationships, connections and interfaces with the company, including outsourced centralized office areas, partner system connection areas, supplier system connection areas and upstream and downstream business connection areas. They are not under the company's strong control but still involve the deployment and interconnection of systems, data, equipment and other components. Securing such areas requires considering not only the company's own security capabilities and protection, but also the partners' capabilities and the expansion of the protection boundary as the business extends. In addition to the security technologies and products mentioned for the production and intranet areas, the cooperation area is often protected by setting up security buffer zones, virtual boundaries, external continuous monitoring platforms and similar technical products, with timely and effective detection, response and disposal provided through continuous operation capability.
The vertical technical architecture can be divided, following the technical stack, into the physical layer, network layer, host layer, data layer, application layer and management layer. Corresponding capabilities are deployed at each level, with information sharing and coordinated defense across levels.
Article 5: Security Management
There have long been rumors in the Jianghu that security has various schools. One is the management standards school, whose secret scrolls are "BS7799, ISO17799, ISO27001" (special note: some of the students who have these numbers on their lips when they talk about management may not be clear about the concepts of BS and ISO). Party A security management, consulting companies and Party B security service teams often appear in this school. Because this direction has left such a deep impression on the industry, security management is thought to be the stitching together of some "policies" and "standards", or even rote recitation (in fact many people do exactly this, so the impression cannot be blamed on others).
Security management is a very important part of enterprise security. It provides the management basis, policy basis and process guarantee for information security. A society under the rule of law is often described as "laws exist, laws are obeyed, enforcement is strict and violations are punished"; security management is the most important capability for realizing such a "legal environment" inside the company. What may be done, what may not, how it is done, what the consequences are, how power and responsibility are distributed, the tone of the cultural environment and so on are all agreed through various policies, norms, processes and documents. In a sense, applying security technology is also the extension and realization of a management concept. Back to the specific work: security management is not simply equivalent to policies and standards. Depending on the company's situation and management style, a single security management specification may cover most common scenarios, so there is no need to produce a whole document system immediately. Even if a management system must be built, there are different starting points; one can start from the few most urgent and painful management needs, such as company accounts, permission management requirements and a data confidentiality policy, and build a proper balance between business operation and security control. This tests the management wisdom of the security director. "An army has no fixed formation, water has no fixed shape": there is no permanent form, but that does not mean things may be "disorderly". Turning security management into routine firefighting is the tragedy of management. Security management combines art and technique; as a CSO, a relatively high level in security management is to be systematic and leave no trace.
Article 6: business security and risk control
At present, business security is already practiced in depth in Internet companies and the financial industry, and team size and technical ability have accumulated to a certain extent. Fraud, promotion abuse, fake orders and traffic inflation, blacklists of accounts and devices, account bans, game cheats and so on are common keywords in this field, especially for Internet businesses. However, if we take a broader view with a wider industry scope, the content and keywords of business security and risk control become more accurate and reasonable.
Business security and risk control often involve the following areas:
- Business security, including anti-fraud, anti-fake-order measures, confronting the underground economy, account system security and funds transaction security, is a blocking capability and confrontation system based on the real-time and offline modes of business scenarios. This is also business security in the narrow sense that we usually mean.
- Business risk control is the response to and control of the various risks arising from the business's own activities and environment. It includes building and applying credit systems for enterprises and individuals; the capital adequacy requirements of Basel I, II and III in banking and the measurement and management of credit risk, market risk and operational risk; the Solvency I and II standards of the insurance industry; and so on. The essence of the financial industry's business is operating risk, so the business revolves around the reasonable operation of risk and maximizing risk-adjusted return, and the main body of security risk control also revolves around these concepts.
- The concept of internal control appeared earlier in the financial field. Prompted by a series of financial fraud scandals, capital market regulators raised requirements to strengthen internal control and improve the accuracy of financial statements, and listed companies built internal control systems one after another. The corresponding theoretical frameworks and best practices matured gradually under the joint promotion of external auditors, enterprise internal control staff and capital market regulators. Representative ones include COSO, COSO-ERM, the Sarbanes-Oxley Act (especially sections 302, 404, 906 and 409; the most famous, section 404, is the familiar SOX-404 requirement on internal control), and the Basic Norms for Enterprise Internal Control jointly issued by five Chinese ministries and commissions. As risk management has deepened, internal control has also expanded from the initial financial field to the business field, and the latest COSO and ERM show this change of perspective.
Article 7: security operation
The directions above mostly introduce methods, frameworks, common technologies and theory; their perspective can be understood as focused on construction. Of course, acquiring perception, analysis, protection and other capabilities (whether by in-house development, external procurement, cooperation and sharing or otherwise) can generally be summed up under the construction dimension: capabilities do not come from nowhere, they must be obtained through the necessary means, and the cost is not only money and people; for enterprise security the time cost is likely to be greater than other costs, so the reasonable choice of ways and means also tests the CSO's governance philosophy. Back to operation: focusing on construction rather than operation is a common problem in many companies. There are not many companies at home or abroad whose security people admire merely on hearing the name. During my consulting career I was lucky to serve clients around the world and go deep inside such companies to "look, listen, question and feel the pulse", which was far more wonderful than we imagine. Stacking up security equipment, systems and products is not hard; what is hard is using them. Someone has to be in charge of them, and only when they are used do they bring out their value. How is the value of security demonstrated? The value of the security operation field can be very real and grounded. To deploy the right capabilities in the right place, we should focus on coverage, accuracy and recall; these are the indicators and capabilities to concentrate on in the construction period. Then in the operation period, MTTD (mean time to detect) and MTTR (mean time to respond) matter more, since these two indicators reflect perception, discovery and management ability. Indicators and priorities differ between periods.
This is a place where it is easy to take detours. In addition, in the operational state, the use of online and offline capabilities, the reasonable layout of serial and parallel modes, and the use of "inspect" and "kill" means are also very important. Online capability provides defensive disposal, offline capability detects and verifies defects and optimizes the rule requirements of online scenarios; the synchronous intervention capability of serial mode and the asynchronous full-scale verification capability of parallel mode meet more complex business environment requirements; and the ability to "inspect" and "kill" from both a god's-eye view and a referee's view meets the needs of both real-time confrontation and systematic overall confrontation.
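Both the governance section (point 5) and the operation section above name the same indicators: coverage, accuracy and recall for the construction period, MTTD and MTTR for the operation period. The following is an added example, not code from the original article: it computes each indicator from constructed sample data (host names, alert ids and timestamps are made up) so that the two phases' indicators are concrete. MTTR is measured here from detection to resolution; that is an assumption of this example, since the article does not fix the definition.

```python
"""Construction-phase and operation-phase security indicators.

Added example, not code from the original article. Computes coverage,
precision (the text's "accuracy rate"), recall, MTTD and MTTR from constructed
sample data. Host names, alert ids and timestamps below are made up.
"""
from datetime import datetime


def coverage(monitored, in_scope):
    """Share of in-scope assets the capability actually covers."""
    in_scope = set(in_scope)
    return len(set(monitored) & in_scope) / len(in_scope)


def precision_recall(alerted, real_incidents):
    """Precision: share of alerts that were real. Recall: share of real incidents
    that raised an alert. Both arguments are collections of event identifiers."""
    alerted, real_incidents = set(alerted), set(real_incidents)
    tp = len(alerted & real_incidents)
    fp = len(alerted - real_incidents)
    fn = len(real_incidents - alerted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def _parse(ts):
    # fromisoformat does not accept a trailing "Z" on older Pythons; normalize it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def mttd_mttr_minutes(incidents):
    """MTTD: mean minutes from occurrence to detection.
    MTTR: mean minutes from detection to resolution (assumed definition; some
    teams measure from occurrence instead, so state which one you report)."""
    ttd, ttr = [], []
    for inc in incidents:
        occurred, detected, resolved = (_parse(inc[k]) for k in ("occurred", "detected", "resolved"))
        ttd.append((detected - occurred).total_seconds() / 60)
        ttr.append((resolved - detected).total_seconds() / 60)
    return sum(ttd) / len(ttd), sum(ttr) / len(ttr)


# Constructed sample data.
ALL_HOSTS = [f"host-{i:02d}" for i in range(1, 11)]   # 10 in-scope hosts
MONITORED = ALL_HOSTS[:8]                              # 8 of them report to the SIEM
ALERTED = {"evt-1", "evt-2", "evt-3", "evt-4", "evt-5"}  # what the detection fired on
REAL = {"evt-1", "evt-2", "evt-3", "evt-6"}              # what the analysts confirmed
INCIDENTS = [
    {"occurred": "2023-03-01T02:00:00Z", "detected": "2023-03-01T02:30:00Z", "resolved": "2023-03-01T05:30:00Z"},
    {"occurred": "2023-03-03T10:00:00Z", "detected": "2023-03-03T12:00:00Z", "resolved": "2023-03-03T13:00:00Z"},
    {"occurred": "2023-03-05T08:00:00Z", "detected": "2023-03-05T08:15:00Z", "resolved": "2023-03-05T10:45:00Z"},
]


def phase_report(phase):
    """The indicators that matter differ by period, as the text says: return only
    the ones relevant to the requested phase."""
    if phase == "construction":
        precision, recall = precision_recall(ALERTED, REAL)
        return {"coverage": coverage(MONITORED, ALL_HOSTS), "precision": precision, "recall": recall}
    if phase == "operation":
        mttd, mttr = mttd_mttr_minutes(INCIDENTS)
        return {"mttd_minutes": mttd, "mttr_minutes": mttr}
    raise ValueError(f"unknown phase: {phase}")


if __name__ == "__main__":
    print(phase_report("construction"))
    print(phase_report("operation"))
```

On the constructed data the detection looks acceptable on precision (0.6) but misses a quarter of real incidents (recall 0.75), and two hosts are not covered at all; those are construction-period findings. The operation-period numbers, 55 minutes to detect and 130 minutes to resolve, say nothing about coverage, which is why the two sets are reported separately.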
Article 8: local government, regulatory understanding and compliance with laws and regulations
In many cases information security is the closest thing to the "Jianghu" of martial arts novels, but the Jianghu has never been a place outside the law; knowing, understanding, respecting and using the law are the most basic requirements. With deepening internationalization, both Chinese enterprises going abroad and foreign enterprises coming in cannot do without compliance with, and the reasonable application of, laws and regulations. Furthermore, industry best practices, international standards and industry guidelines are not only requirements to be met; they also become a unified "speech interface" for fairly describing basic capabilities, expressing how seriously an enterprise takes security, and communicating and cooperating with others.
To do information-security-related work in China, some basic requirements must be attended to and implemented effectively, such as the Network Security Law that took effect on June 1, 2017 and its series of supporting laws and regulations; Articles 285 and 286 of the Criminal Law and the supporting judicial interpretations; the information system graded protection series; the Personal Information Security Specification; and the requirements of the regulators of each industry. In global business, data and privacy protection will be the main challenges, for example GDPR (the European Union's General Data Protection Regulation) and HIPAA (the Health Insurance Portability and Accountability Act). In addition, in the Internet, finance, energy and resource industries, the laws and requirements of each country for protecting infrastructure are also becoming increasingly stringent.
In addition, the information security standards of the International Organization for Standardization (ISO), the NIST SP 800 series best practices, industry practice requirements such as ISAE 3402, cloud computing security certifications such as CSA STAR, and the payment card organizations' PCI-DSS and PA-DSS are also indispensable requirements for business development.
From this angle, the difficulty and complexity of implementation lie not only in technical solutions but also in matters of human relations (although a great deal of information security work involves human relations, compliance in particular easily becomes a big, passive problem through poor communication and inaccurate understanding). Communicate actively with the regulators, do not try to stay outside the regulatory boundary, participate actively in influencing rule-making rather than waiting passively or even concealing and cheating, treat security compliance with a more open mind and embrace change with more active behavior; then security compliance can also become a multiplier and driving force for the enterprise's security capability.
Article 9: security audit
Security audit can be understood as two keywords, "security" + "audit". The object is the technology, management and personnel related to security, and the environment and capabilities these elements produce; the means is audit. How is it done? It can be divided into two dimensions:
- Method, that is, how to do it. Combining the traditional "IT audit" concept, it can be divided into the two stages of "audit preparation" and "audit execution". Audit preparation includes understanding the environment, that is, fully understanding the audit objectives and targets and researching and analyzing the environment, technology, systems, processes and business involved; determining the audit focus, that is, determining the key content according to the audit purpose and the understanding of risk; and preparing the audit plan, completing the work plan and the necessary tools, templates and technical environment according to time, resources and key elements. Audit execution includes carrying out the audit plan, that is, the actual audit: notifying (or not, as in confidential audits, spot checks and surprise audits) of the audit plan, applying audit means (most common security assessment means can be used at this step, together with audit-specific tools and methods such as sample data testing, walkthrough testing and supervised process replay in the environment) and finally obtaining the audit results; communicating the audit results, since under time and resource constraints the results may be doubtful, so unless confidentiality forbids it the audit team should meet the audited department and team to confirm and eliminate false findings; and continuous optimization and improvement, since the purpose of an audit is not only to find problems but, more importantly, to get them improved, so follow-up of audit findings, follow-up of solutions and even re-testing of results are generally carried out to verify the effect of the audit and the subsequent optimization.
- Content. Information security has its own characteristics and laws; technology, management, personnel, culture and so on may all carry risks and threats. Therefore, in a sense, all the security technologies, products and concepts visible today can serve both as audit content and as audit tools. Admittedly, not many people in the industry operate at this level; many security start-ups are struggling in the red ocean of security products and technology when, in fact, a slight change of perspective reveals a blue ocean.
In the enterprise, security audit can serve as the last of the three lines of defense (look up the three lines of defense concept in risk management yourself; it was proposed earlier in China and is highly recognized abroad). At the same time it can serve as a bottom-up means of ensuring that the security plan is implemented, and used reasonably its power is immense.
Article 10: crisis management, security incident investigation and forensics
No matter how good an enterprise's security is, how complete the build-out, how strong the capabilities and how conscientious the team, there is no 100% security, and nobody should demand it. We must therefore be prepared for possible external attacks, internal leaks, commercial espionage, unintentional employee mistakes and the like, especially for extreme cases, where a slow, panicked or unreasonable response lets the situation escalate. A crisis management plan needs to be prepared in advance: the information flow mechanism, the crisis management team, the necessary technology and tools, and the response procedures all need to be clear, fast and accurate. Drills are needed as well, so that the plan is internalized by everyone; when an extreme situation does arise, the actions of each department can then combine into a joint effort. It also needs emphasizing that crisis management is for extreme situations, not for ordinary security events. The plan therefore stresses response capability in a limited set of scenarios (determined together with the business scenarios), and the activation of crisis response also needs strict control. Ordinary security incidents can be handled through incident investigation and emergency response. Of course this too must be prepared in advance: incident classification, response process, recovery process, investigation mechanism, coordinating organization, post-incident recovery mechanism and so on. A poorly handled incident can also escalate into a crisis, so whether the security incident response and investigation team is a real unit or a virtual one, the basic requirements are an organization, sufficient investigative technology and data reserves for incident response, and a mechanism for drills and post-incident reviews.
Internal security incident investigation needs to accumulate, clean and correlate massive amounts of data in order to reconstruct the attack path and the timeline of the incident, so data is a very important piece of foundational work, and the demands on data completeness, stability and quality are very high. The common problem is that the data all appears to be there, but because of different formats, different record fields or even subtle type differences it cannot be joined and connected, and ends up as fragments. The whole evidence chain breaks and parts of it are lost, the true nature of the event cannot be outlined, and effective handling and root-cause reconstruction are out of the question.
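The "fragments that will not join" problem above, as an added Python example that is not from the article: three constructed log sources record one session with different timestamp encodings and different names for the source address, so each record is first coerced into one schema and only then correlated by address into a timeline; a record with no actor is reported as a break in the chain. All sources, field names and sample lines are constructed here.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed samples. Note the three timestamp encodings (epoch seconds as
# int, RFC 3339 text, epoch milliseconds as text) and three names for the
# same field (src / peer / source_ip); joined naively, these stay fragments.
AUTH_JSON = [
    '{"ts": 1700000000, "user": "alice", "src": "10.0.0.7", "event": "login_ok"}',
    '{"ts": 1700000500, "user": "bob", "src": "10.0.0.9", "event": "login_fail"}',
]
VPN_SYSLOG = [
    "2023-11-14T22:12:10Z vpn01 connect user=alice peer=10.0.0.7",
    "2023-11-14T22:20:00Z vpn01 disconnect user=alice peer=10.0.0.7",
]
FILE_CSV = (
    "time_ms,source_ip,account,action\n"
    "1700000200000,10.0.0.7,alice,download\n"
    "1700000300000,10.0.0.7,,download\n"   # empty account: an unattributed fragment
)
SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) peer=(\S+)$")


def to_utc(value) -> datetime:
    """Coerce the three timestamp encodings to one aware UTC datetime."""
    if isinstance(value, str) and value.endswith("Z"):
        return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)
    num = float(value)
    if num > 1e11:           # 13-digit values are milliseconds, not seconds
        num /= 1000.0
    return datetime.fromtimestamp(num, tz=timezone.utc)


def event(source: str, ts, src_ip: str, user: str, action: str) -> dict:
    """Common schema; empty strings become None so gaps stay visible."""
    return {"source": source, "ts": to_utc(ts), "src_ip": src_ip,
            "user": user or None, "action": action}


def load_events() -> list:
    """Parse each source with its own parser into the common schema."""
    out = []
    for line in AUTH_JSON:
        d = json.loads(line)
        out.append(event("auth", d["ts"], d["src"], d["user"], d["event"]))
    for line in VPN_SYSLOG:
        ts, _host, action, user, peer = SYSLOG_RE.match(line).groups()
        out.append(event("vpn", ts, peer, user, action))
    for row in csv.DictReader(io.StringIO(FILE_CSV)):
        out.append(event("files", row["time_ms"], row["source_ip"],
                         row["account"], row["action"]))
    return out


def timeline(events: list, src_ip: str) -> list:
    """Ordered '<time> <source> <user> <action>' lines for one source address."""
    hits = sorted((e for e in events if e["src_ip"] == src_ip), key=lambda e: e["ts"])
    return [f'{e["ts"]:%H:%M:%S} {e["source"]} {e["user"] or "?"} {e["action"]}'
            for e in hits]


def fragments(events: list) -> list:
    """Records that cannot be attributed to an actor: breaks in the evidence chain."""
    return [e for e in events if e["user"] is None]


if __name__ == "__main__":
    evs = load_events()
    print("\n".join(timeline(evs, "10.0.0.7")))
    print(f"{len(fragments(evs))} record(s) could not be attributed to a user")
```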
Speaking of the evidence chain: when an investigation reaches the judicial level, the methods of an internal investigation can still be used, but the process controls and specification requirements are far stricter. The preservation of the evidence chain, its credibility requirements and the collection of electronic evidence are all constrained by the rules under which a court will accept evidence. For example, in an internal investigation we can go straight into hard disks, storage and the various systems to analyse them and look for clues; but when the evidence must be presented in court, no investigative or analytical action may destroy the original state and properties of the evidence. In that case professional tools such as EnCase and FTK are needed, operating in a read-only environment. There are many identification centres and investigation agencies in China that can do this work, and the supporting technical capabilities are relatively mature, such as forensic workstations and forensic systems and platforms for mobile phones and smart devices; these are not introduced here because of the sensitivity of the content. In short, judicial investigation and forensics require a strict evidence chain, forensic environment, methods and actions, so that the evidence is accepted and the false is separated from the true.
Article 11: organizational structure, security awareness and internal security brand building
Most of what has been discussed above concerns building various management and technical capabilities. Whether they can be implemented depends to a large extent on the team and on people. A reasonable organizational structure can maximize the value of people; an unreasonable one can greatly weaken and limit it. Most leaders understand this, but achieving it in practice is another matter: environmental constraints, timing and even personal decision-making are all factors that easily discount the result.
The organizational structure can be considered from several angles:
- Battlefield layout: "theatre commands fight, the services build, the CMC manages overall". Theatre commands fight: the security team and its capability should be integrated into the front line of the business and technology environment, not amusing themselves in isolation. Whether security capability can step forward here is a test of the proportion of all-round people in the team, people who can talk technology, understand the business and do security. Such people can be deployed into the theatre, that is, the actual business and technology environment, integrated into the business and technology battlefield, linking up fast and fighting at close quarters. They can feed the development plans, demands, integration requirements and other battlefield intelligence of the business and technology lines back to the supporting lines in real time, and put security capability and control requirements into business practice. The services build: the various security business directions, such as information security, data security and business security, should build their own tools, systems and platforms, construct methods, frameworks and systems, comprehensively raise the operational strength of their respective directions, provide ammunition, equipment and intelligence reports to the front line, coordinate resources, and complete command, comprehensive support and cross-service coordination at the campaign level, providing the integrated combat capability of front, middle and back office. The CMC manages overall: this tests one's breadth of vision and "great power" strategic perspective, such as strategic planning ability, resource delivery and coordination ability, risk optimization ability and so on.
Whether a company's information security can deliver value and give the business a sense of security often requires playing its role from the overall perspective: "not angry yet awe-inspiring, hard and soft together".
- Not every company needs a large security organization with a clear division of labour. Choosing an appropriate layout of technology-stack capability according to the company's actual situation is also reasonable. From simple to complex, the levels can roughly be listed as: basic protection capability, detection and discovery capability, cross-comparison capability, SLA-backed automation capability, and productized output capability. A small team with small investment should prioritize basic protection, such as firewall deployment, IDS/IPS, network access control and endpoint security, which can withstand ordinary internal and external attacks. With larger scale and ample funds, one can consider focusing on building and using detection capability: log collection and analysis, and SOC and SIEM at various levels, can integrate the original protective capabilities so that common viruses and opportunistic attacks are effectively discovered and responded to. If the scale is larger still and the emphasis higher, the support of a single link or a single product technology is not enough. Each product and technology has its own strengths and weaknesses and its own area of expertise; there are always ways to bypass it and there is always leakage through the net. Improving the precision and recall of a single product technology yields steadily diminishing ROI. Then one can consider building cross-comparison capability: the comparison can be between products of the same type, online or offline, or between deployment methods such as endpoint side and network side. In short, strategic depth begins to form (corresponding to the tactical depth obtained when multiple product technologies are deployed in different areas).
SLA-backed automation capability means achieving linkage through system and platform automation while meeting the functional and timeliness requirements of both business and security, for example automatic trigger rules for attacks and vulnerabilities, or an automatic account-permission handling mechanism based on user behaviour. Productized output capability does not mean that a large company must turn the security team into a profit centre, although many companies have this idea and some are actually doing it; the emphasis is more on rapid delivery capability under stable expectations. There are two keywords. "Stable expectation" means the requirement and the degree of realization of security on which everyone has reached an implicit agreement. "Rapid delivery" means maximizing the cost-effectiveness of time: "in all the world's martial arts, only speed is unbeatable". One dare not speak of security leading the business, but at the very least it must not delay the business, otherwise it can only be "hung out to dry". When the security team has finally perfected its "ultimate weapon" only to find that the business has long since moved on everywhere, the best course for the security team is to scrap the "ultimate weapon" itself.
Suddenly I find that I have not controlled the word count well and have written a bit too much, so I will not say much about security awareness. People are the weakest link; I have been shouting this for many years and it really needs to be taken seriously. No matter how good the technology is, whether it plays its role depends on people. When the people in the ideal design meet reality, they may be bypassed in all kinds of ways: "fear not an opponent like a god, fear a teammate like a pig". Penetration through people is far faster than an APT. We all know the truth; let us see the effect in action.
Security cannot be built behind closed doors; it is not too much to emphasize this several times. Whether the company trusts security, whether the business cooperates with security, and whether everyone is willing to pay the cost of security (not only the direct cost but also indirect costs such as convenience given up for security's sake) depends on whether a "sense of security" can be established and the value of security correctly recognized; this is a brand effect. When the business goes into battle, does security pat the business brother on the shoulder and tell him "don't worry about anything, I'm in this with you", or does it use the technique of "voice transmission across a thousand miles", hiding far away and saying "we have the most advanced technology and the best products, you can rest assured"? Of course, sometimes even the voice transmission is skipped. Where then is the security, and where is the value? A brand is hard to build and trust collapses quickly, so cherish it.
Article 12: resource management and efficiency control
In this last chapter there is still much that could be written; let us first talk about resource management and utilization efficiency. People with management experience know that teams should have tiers. Why? Not only because of the echelon needs of team development, but also because of the practical reality of limited resources. For example, in a team of 50 people, hiring only senior people looks very powerful, but it is unrealistic: there may not be that many senior people to hire, and the budget will not allow it. So the CSO should plan the team's tiers sensibly, whether based on the distribution of work skill sets or on many other methods, such as calculating ranks after taking the budget ceiling into account. It is therefore recommended that CSOs learn some finance, enough to read basic financial statements and budget plans; unlimited resources exist only in a game after the cheats are switched on. Concentrating superior forces, achieving quick results and prioritizing work are the most basic requirements. At the same time, concurrent projects are inevitable. To control quality and quantity and manage the resource pool well, PMO-style multi-project management is still worth learning from. Take the same team of 50 people doing 60 projects and products at once: what are the consequences? If it were you, how would you lead those 50 people, plan resources reasonably, prioritize and control risk without obvious weak spots? One answer is "use good steel on the blade's edge", the other is "let the bullets fly for a while". Do not rush. Keeping the team from turning into a fire brigade is the leader's duty and responsibility.
Some may ask, "does such a person exist?" The answer is certainly yes, but everyone has a focus, and it is unlikely that every area scores full marks. In addition, such "all-rounders" (perhaps "all-round" is not quite right; a barrel with no short plank is closer) are not, or at least are not the top names, in technical research, nor are they likely to be famous figures in attack and defence or among white hats. Therefore, in the current information security environment, few of them step into the media spotlight or gain a following of fans, but they do exist.
If you are interested, you can use a radar chart to check your own knowledge system and see where your strengths lie.
Radar chart of CSO capability elements
These twelve elements, which can be called the CSO capability set, are also very likely a mapping of the enterprise's security capability. Often the CSO's capability determines the ceiling of enterprise security, just as an enterprise founder's style becomes the enterprise's style.
Having described the capability set, how are these capabilities built in an enterprise? This topic is too big to discuss fully, but a few ideas can be given.
1) The entry point of enterprise security
In enterprise security, the most important and basic parts can be divided into two: IAM and data. That is, if you want to quickly do something right in an enterprise, you do not need to start with a comprehensive security risk assessment; without enough time, its effect and value are hard to show. You can start from IAM and data security instead. IAM includes accounts, permissions, and the supporting access, control and analysis systems; data security includes data usage scenarios, high-risk situations, and perception and control requirements. If these are not done well, other security work and security products will have problems. From another angle, the interfaces through which a company's non-security staff can perceive security capability are also basically in three places: accounts, permissions and data. Where large numbers of people come together, there too lies the space for enterprise security to survive and grow.
2) Basic capability building
Security that goes deep into the business and brings value to it is not necessarily the newest and coolest technology and products. Build basic capability conscientiously, so that the company has confidence, the business is secure and employees feel safe. Practical, adequate and easy to use are the basic goals and requirements. In practice, perception capability, protection capability and handling capability can each be implemented in stages, by key points and scenarios, with selective layout, a combination of in-house work and outsourcing, and comprehensive consideration of risk exposure and time cost. Doing the right thing at the right time is hard, but it is necessary!
3) High-value business scenario application
Besides escorting the enterprise's actual business, an approach based on value-chain analysis and the requirement of strategic alignment can make security's layout and preparation more proactive; this is not covered here. In some specific scenarios, being well prepared can also demonstrate the value of security and contribute security's energy to the company's business goals.
- Mergers, acquisitions and reorganizations are often stages of high security risk and frequent security threats. How to do security due diligence, connect systems, integrate data and control personnel is far more complex than in a period of business stability. Is information security prepared?
- Business resilience and business continuity management requirements. In many industries and business scenarios, such as Internet, finance and government, there are high requirements for business continuity and stability, and business interruption, data leakage and other consequences caused by information security problems are very serious. Under risk-oriented security management, BCM and DRP should be brought into the scope of control to prevent the business being zeroed out; at the same time, the information security mechanisms in each link of BCM and DRP are also a focus.
- SMP, Security Management in Processes. Enterprise security is not static. As the business, information systems, infrastructure and even the organizational structure change, information security changes too. Where there was no problem or low risk before may suddenly be squeezed and distorted by the business; areas that had protection products and security technology deployed may be bypassed or rendered completely ineffective by new business and technology architectures. Therefore whether security can be integrated into the business and technology life cycle is especially important in enterprise security. SDL (security development life cycle) is the most common form of SMP; of course there are also many things unrelated to product development, such as data exchange and business process change. Whether security can analyse in advance, accompany and supervise, detect defects and compensate for gaps is the best embodiment of dynamic security.
- Information security in legal affairs and human resource management. Where personnel management is involved, security technology and management requirements alone struggle to close the loop. Security should link up with legal and HR, connecting the links of personnel turnover, contract terms, confidentiality agreements and so on, and realize personnel security awareness and management demands through the advantages of security technology and overall capability.
- Outsourcing, supplier and supply chain security. Outsourcing management has always been a weak area of information security. Necessary security agreements, confidentiality clauses and SLA commitments must be signed with outsourced personnel and suppliers, along with regular assessment and incident tracking mechanisms. Because the deployment of technical products and control effort cannot cover every aspect of outsourcing and suppliers, outsourcers and suppliers, being people, are one of the main battlefields of attack and defence, especially those with high privileges. In addition, as industrial division of labour and cooperation deepen, the supply chain is no longer entirely self-built or controlled by one company (unnecessary in terms of cost and of low marginal benefit in terms of refined operation) but is integrated by a complete industrial supply cluster connected by division, support and cooperation mechanisms to maximize revenue. In this situation, ensuring supply chain security has become very challenging. When the attack surface is magnified to an exaggerated degree, the level of security capability shows generational differences, and so does the degree of attention paid to it. Companies in leading positions in the supply chain need a new understanding of and a new build-out of information security.
- Security in new technology environments, such as cloud computing and its underlying management, IoT device system and hardware-level security, industrial control system security and so on, will not be expanded this time for reasons of space, but the essential differences in these technologies may overturn the original security system, framework and technology.
4) Realizing the value of security comes down to one character, "合" (integration). Integration with the business, the combination of perception and control, and in-depth integration are the basic summary of enterprise security, and each is a basic way for security to realize its value.
Security is the extension of the manager's will, and technology is the extension of the management concept.
Finally, this warm-up article, "How to be a good chief security officer - enterprise security system and architecture practice", was basically written in one sitting, so there are some flaws in its internal logic. I have not polished it much and do not plan to revise or improve it this time, but I sincerely welcome interested friends to exchange more valuable opinions. Owing to space limits and time pressure, none of the content is expanded: there are no graphical summaries, no detailed discussion of any technical aspect, and in many places problems are raised without solutions. If you feel confused, that is normal; warm up and understand more. Expanding this content, with more experience and solution sharing, is left for the future, either by presenting each chapter completely through continuous updates of the article on SecUN, or through a book now being prepared for one-time publication. I believe there will be an account of this in the near future.
In addition, all the content of this article represents only personal views and does not involve previous work experience or content; it describes the general situation. Do not read yourself into it, and there is no need to read it as the voice of any company or team. I am only myself.