1. Patrick Angel - Interim CISO / Enterprise IT Security - CISSP® CISM® CRISC® CISA®
www.RandomAccessTechnology.com
(214) 517-3086
Presenting Security Programs to
Senior Management (CxO’s)
2. What’s the History / driving‐factors… (provide perspective)
Is this Regulatory ? Or Market‐based ?
Due to Competition ? Is there New‐Technology / an Opportunity?
To Avoid (excessive) Risk / a Lawsuit ?
Be sure to Tie Project(s) / Program to (supporting) Bus. Objectives
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
Proposal / Why are we doing this?
(what’s the Value Proposition..?)
3. What is the Risk? Is it Revenue or Financial Loss?
‐‐ (list it in specific dollars – 30% of $600MM ‐ $200MM)
Is there the Risk of a Lawsuit.. ? What’s the Probability..?
Is there the Risk of Loss of Business / Partners..?
Is there the Risk of Bad‐Press / Media Coverage.. ? (e.g. stock drop)
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
What is the Risk to the Company?
(what’s the Value Proposition..?)
Use a Heat-Map / Risk-Cube
to reflect the overall Risk
4. What’s the Cost (both Short‐Term and Long‐Term)
Be sure to include Staff / FTE and misc‐Expenses (travel / training)
Is there Hardware or Software involved..?
Include Licenses and maintenance / upgrades cost
Issue RFP and get minimum 3 Vendor’s Quotes to compare,
Startup Purchase‐Costs / Investment goes against Capital Costs
(Cap‐Ex) for Proposal – then Depreciation, Taxes, etc.
Yearly ongoing (Operational – Op‐Ex) Costs go into Annual Budgets
Be sure to provide some measure of the Return (payback) / Internal
Value
If difficult to measure, compare against cost of Lawsuit or Fines to Project
costs
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
Capital COSTS(s) and / or Expenses
(CAP-EX vs OP-EX)
5. Keep It Simple – Less is More once Project‐Reporting starts
Build the initial Work‐Breakdown‐Structure (WBS or ‘the Plan’) with
realistic dates, Resources, with some slack time for ‘unforseen’
events, but do not spend waste resources to ‘manage the plan’
Report Weekly – include: Budget‐to‐Date, any Change‐Orders and
most importantly – MILESTONES and Issues / Risks to ALL
Stakeholders
High‐Level Timeline w/major
Milestones and Key‐Dates
shows the Project is
being ‘Tracked’ and
inspires confidence
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
Project(s) Execution and Reporting
(Provide enough info to show Management that project is well-run)
7‐Sep 14‐Sep 21‐Sep 28‐Sep 5‐Oct 12‐Oct 19‐Oct 26‐Oct 2‐Nov 9‐Nov 16‐Nov 23‐Nov 30‐Nov
Project 1 ‐ Main
(1 of 3 components done)
Network Upgrade
DESKTOP Configuration
E ‐ Commerce ReDeploy
Database Standards
CSIRT Program Procedures
GRC Software Implement
IdM / RBAC Project
MyMatrix
(incl CANADA modules)
RFP Issue
Review Results ‐
Select Vendor ‐
Start Roll‐out
PEN‐Testing ‐
Validate PCI Docs
SEPTEMBER OCTOBER NOVEMBER
6. Discuss / get Feedback from the ‘Business’ and other Mgmt
member, then update your presentation / numbers
‐‐ In‐effect, you are gaining ‘buy‐in’ from your peers, making them ‘Partners’ in
your Project
Be sure to ‘sell the Benefits’ of your Project / Results to help Change
/ challenge old Mindsets / ‘Paradigms’
Bring in an ‘Outside Expert’ consultant for the Project / Change and
help to guarantee success…
Publish ongoing Progress, celebrate Milestones and Announce the
Project / Program’s End & Final Results, give thanks to Stakeholders
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
Recommendations for Success
(Don’t forget that PEOPLE make Process and Technology work…)
7. Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com
(214) 517-3086
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM® CRISC® CISA®
8. About the Author
Copyright® 2018 - For customers of Random Access Technologies, Inc. only.
Patrick Angel
• Roles: Interim CISO / Director PMO / Enterprise I‐T
Security‐Architect / Risk‐Management and Compliance Manager
• Areas: PCI, SOX, GLBA Privacy, Project‐Auditing, Application‐Security
Testing and Secure Development (SDLC)
• Education
– Bachelors in Information Systems (MIS)
• Dean’s List and Honor’s List
– Masters Business Administration (MBA)
• Years of Experience
• 20+ years in Information Systems
• 15+ years of P/M, SDLC and Governance, Risk and Compliance
• Hands‐on Software Developer, Application‐Testing, I‐T Auditing
• Certifications and Associations include ‐