8 Tough Questions Every CISO Should Be Ready to Answer


When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.


CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where the CISO sits, this can be a hairy topic. It can be a difficult conversation to have to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know where our protected health information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it, and it came out to be about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders’ attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-questions-every-ciso-should-be-ready-to-answer-a-10357

It is important and necessary to document Software for FDA Submissions

Software project management has an important tool in the Agile methodology. Agile developed as a product of gradual efforts at arriving at a team-based methodology of iterative software development. Because of its close association with software, Agile is to software development what Lean is to manufacturing. Among the many areas in which the Agile methodology is well suited and adaptable, healthcare is one, since it uses software heavily.

The Agile methodology is effective in helping software project managers anticipate and address major logjams of software project management, such as vulnerability and unpredictability. By preventing project delays, Agile helps to cut costs. Since flexibility is an important characteristic of Agile, it can accommodate the many changes that arise as the project develops.

Another major benefit of Agile is that it prevents work from piling up at later stages of the project by reviewing progress at every stage and validating roles, steps and process functions. This is especially useful under severe constraints of time and money, which is why project managers rate it so highly.

Is Agile perfect?


All these terrific advantages notwithstanding, Agile is not perfect. It is not suited to every setting and every situation. For Agile to be efficient and deliver its results optimally, it has to work in conditions of complete, tightly knit team coordination. In the absence of very active and strong participation from the team leaders, subject matter experts and stakeholders, Agile can prove less than suitable or successful.

Agile’s suitability for the healthcare industry is well established. However, Agile, being a highly teamwork-dependent initiative, can fail to deliver when one or more of the conditions in which it thrives are absent. Unless those using it in the healthcare industry are fully confident of its role in saving money, time and other resources, the Agile methodology can be less than useful.

Get to learn the applicability of Agile methodology to the healthcare business

The ways by which the healthcare industry can adapt and optimize Agile methodology for its use and overcome the deficiencies and shortfalls of this methodology for enhanced performance will be the topic of a very interesting two-day seminar that is being organized by GlobalCompliancePanel, a leading provider of professional trainings for all the areas of regulatory compliance.

The Director of this seminar is Brian Shoemaker, who consults for healthcare products companies on computer system validation, software quality assurance, and electronic records and signatures, and has worked with companies in Germany and Switzerland as well as the U.S. Please register for this session via the seminar page, It is important and necessary to document Software for FDA Submissions. This seminar has been pre-approved by RAPS as eligible for up to 12 credits towards a participant’s RAC recertification upon full completion.

Clarity on the suitability of Agile to IEC 62304


A criticism that does the rounds in healthcare software industry circles is that Agile, because of its lack of documentation, runs counter to the lifecycle standards mandated in IEC 62304. Brian will clarify this area and explain how the clear processes for the quality management system, risk management, software maintenance, configuration management, and problem resolution that make up the IEC 62304 principles actually reinforce, rather than undermine, the Agile methodology. The proof of this is that the AAMI Agile report (TIR 45) has stated that the proper application of Agile, with its emphasis on nimbleness and ongoing learning, into a quality system and safety risk management can blend with and expedite the fulfilment of regulatory expectations of well-documented development.

Contrary to popular belief, documentation in Agile actually helps in taking advantage of iterative development. How? Since IEC 62304 does not specify any lifecycle model, documentation can grow out of the required iterative activities. Agile, by developing incrementally and preventing last-minute anxieties, is highly useful in many healthcare disciplines such as hazard analysis. When risk management is included in iteration tasks, it becomes more robust.

For all these reasons, this is a session that professionals across a wide spectrum of positions, such as Regulatory Specialists, Quality Assurance Specialists, Documentation Specialists, Test Managers, Software Team Leaders and Lead Developers, and Project and Program Managers, ought not to miss.

They will become thoroughly familiar with the applicability of the Agile methodology to software documentation for FDA submissions. Over the two days of this seminar, Brian will cover the following areas:

  • Agile vs IEC 62304: an apparent contradiction?
  • The role and value of documentation
  • The REAL regulatory requirements
  • Specific documents required for an FDA submission
  • Areas where most development processes bog down
  • Iteration – well suited for risk, usability, and design reviews
  • Key practices to bridge the Agile and regulated worlds
  • Agile is not only acceptable for medical device software, but can be clearly superior.

Documenting Software for FDA Submissions


The Agile methodology is an important tool for software project management. It emerged out of gradual efforts at arriving at a team-based methodology of iterative software development. Its close association with software makes it as suitable to this field as Lean is to manufacturing. Healthcare is one of the many areas in which the Agile methodology is well suited and adaptable.

The Agile methodology can be used to help software project managers forestall and address major bottlenecks of software project management, such as vulnerability and unpredictability. It helps to prevent project delays and thus cuts costs. An important feature of Agile is its flexible nature, which allows it to accommodate the many changes that arise as the project develops.

By reviewing project progress at every stage and validating roles, steps and process functions, Agile prevents work from piling up at later stages of the project. Project managers have reiterated time and again the value Agile has under severe constraints of time and money.

Agile has its drawbacks

However, this is not to suggest that all is well with Agile, or that it works in every setting and every situation. For Agile to work efficiently and deliver the results it sets out to, the most essential precondition is thorough and complete, tightly knit team coordination. It requires very active and strong participation from the team leaders, subject matter experts and stakeholders.

The suitability of Agile for the healthcare industry is well established. But, being a highly teamwork-dependent initiative, Agile also has the potential to fail in situations where the factors that make it work fail to gel. Unless those in the healthcare industry who want to use the Agile methodology to save money, time and other resources are confident that they can bring together everything needed to make it effective, it is not going to be of much use.

A learning session on the applicability of Agile methodology to healthcare

So, how does the healthcare industry adapt Agile methodology for its use? How does it overcome the deficiencies and shortfalls of this methodology to optimize its use and leverage it for better results?

An in-depth exploration of how the Agile methodology can help in documenting software for FDA submissions will be the core learning of a two-day seminar offered by GlobalCompliancePanel, a leading provider of professional trainings for all the areas of regulatory compliance.

Brian Shoemaker, who consults for healthcare products companies on computer system validation, software quality assurance, and electronic records and signatures, and has worked with companies in Germany and Switzerland as well as the U.S., will be the Director of this seminar. Please visit Documenting Software for FDA Submissions to enroll for this seminar. This seminar has been pre-approved by RAPS as eligible for up to 12 credits towards a participant’s RAC recertification upon full completion.

Clarification of doubts about the suitability of Agile to IEC 62304

At this seminar, Brian will address the criticism in healthcare software industry circles that Agile, because of its lack of documentation, runs counter to the lifecycle standards mandated in IEC 62304. He will explain how the clear processes for the quality management system, risk management, software maintenance, configuration management, and problem resolution that make up the IEC 62304 principles actually strengthen, rather than weaken or contradict, the Agile methodology. In fact, as the AAMI Agile report (TIR 45) has stated, the proper application of Agile, with its emphasis on nimbleness and ongoing learning, into a quality system and safety risk management can meld with and facilitate the fulfilment of regulatory expectations of well-documented development.

In fact, documentation in Agile actually helps in taking advantage of iterative development. This is because IEC 62304 does not specify any lifecycle model, so documentation can grow out of the required iterative activities. By developing incrementally and helping prevent last-minute anxieties, Agile is highly useful in many healthcare disciplines, and its use for hazard analysis is extremely well suited. Including risk management in iteration tasks makes it more robust.

In all, this will be a highly educative session at which all aspects of the applicability of the Agile methodology to software documentation for FDA submissions will be explained. Brian will cover the following areas at this seminar:

  • Agile vs IEC 62304: an apparent contradiction?
  • The role and value of documentation
  • The REAL regulatory requirements
  • Specific documents required for an FDA submission
  • Areas where most development processes bog down
  • Iteration – well suited for risk, usability, and design reviews
  • Key practices to bridge the Agile and regulated worlds
  • Agile is not only acceptable for medical device software, but can be clearly superior.