
The CISO View

This module introduces systems thinking and its application to analyzing cybersecurity challenges across different sectors. Systems thinking encourages a holistic approach that considers how all parts of a system interconnect and impact one another, rather than focusing on individual components in isolation. This allows for a more comprehensive understanding of threats that cut across sectors. The course will examine the sectors of industry, government, and military to understand their unique missions and cultures as well as how cybersecurity is operationalized in each. Students will learn from interviews with four CISOs representing these sectors in order to compare approaches and determine which sector they may be best suited for based on their skills and interests. The overall assessment involves building a decision-making matrix to compare key aspects of each sector.

Uploaded by

Pradeep Joshi

Module 1 Introduction and Learning Objectives

Introduction

Module 1 introduces the concept of systems thinking and why it is useful in analyzing
cybersecurity operational challenges across the four sectors we will explore in this
course.

We talk a lot about dissolving boundaries in cybersecurity, as the Internet continues to
erode the concept of nation-state boundaries. Boundaries DO still exist between sectors
of society and this complicates the mission of cybersecurity professionals. Increasingly,
cross-sector collaboration becomes critical.

Systems-thinking encourages a less linear and more synthesis-seeking, "collective
intelligence" approach that is conducive to detecting and tracking motivations and
possible actions of threat actors across a spectrum who are seeking to attack many
different sectors. As threat actors continue to become more sophisticated, the thinking
in cybersecurity in all sectors needs to keep up.

This course aims to show you important sectors impacted by cybersecurity issues - 
Industry, Government, Military - and help you to begin to compare and contrast their
cultures, missions, operational challenges, and unique aspects of working in information
security within them.

Dr. Endicott-Popovsky has interviewed four very successful CISOs representing those
sectors. She will ask them the same questions about their career trajectories, their tool
kits, and their challenges. The intent is to present these "mentors" side-by-side so you
can draw some conclusions about how compatible you might be with a certain sector
approach. 

Your job is to listen carefully, take notes using the provided template, and build a
takeaway document for yourself with valuable insights gained from these leaders. 

Module Learning Objectives

• Describe "systems thinking" in a practical way.
• Apply the core concepts of systems thinking to analyzing cybersecurity threats.
• Describe the sectors - Industry, Government, Military
• At a high level, explain what might be some differences in operationalizing
  cybersecurity in these sectors based on their missions.

Your Incoming Knowledge - A Brief Check

Multiple Choice with Hints and Feedback


1 point possible (graded)

True or False? Operationalizing cybersecurity involves all of the same measures, across the
sectors.

TRUE

FALSE


Multiple Choice with Hints and Feedback


1 point possible (graded)

True or False? The military sector involves an almost purely technical approach to
cybersecurity.

True

False


Multiple Choice with Hints and Feedback


1 point possible (graded)

Systems thinking is rooted in computer science.

TRUE
FALSE


Explore and Discuss - What is Systems Thinking and How Does it Apply Here?

What is systems thinking? Its evolution began several decades ago, but today's
accepted definition is a cognitive approach that attempts to look at the whole of a
system by better understanding its components and how they interact and impact each
other.

Peter Senge, a major thinker in the area, uses the analogy of a family when describing
systems thinking - emphasizing that inter-relatedness and shared impacts are at the
core of systems. One core concept of systems theory is that the whole is greater than
the sum of its parts. This could not be more true when it comes to conceptualizing the
whole of cybersecurity threat.

In cybersecurity, an organizational learning approach like systems thinking can help
leaders operationalize strategies in a very complex, sometimes siloed system of the
interconnected sectors, or parts, of society all equally impacted by cybersecurity threat.

In this course, we will look at the interconnected yet disparate missions of Industry,
Government, Military and Academic sectors through this lens. This is an introduction, so
please consider there are many things to learn beyond this course, which is designed to
whet your appetite for thinking!

NEXT: Do the following readings to get a grounding. Then proceed to the Discussion.

Introductory Resource - Peter Senge video and overview of the core concepts of systems
thinking

Applied Resource: A higher-level* MIT working paper - "Cyber Safety: A Systems Thinking
and Systems Theory Approach to Managing Cyber Security Risks" (2014)

* Focus on this paper's Introduction, but if you are interested, continue to read the whole
paper.

After viewing and reading the resources on systems thinking, please describe why
and how a holistic, systems approach could be effective in combating cyber threats.
Why and how should cybersecurity strategic thinking reach beyond technical
solutions?

If you disagree, please outline why, with support from research.

Respond to at least two peers.

HINT: Take a look at the Introduction to the MIT working paper by Hamid Salim. Consider
the writer's thesis in thinking about how a systems approach operates in this
context: [The] limitations of technical approaches are not because of inherent problems
with those approaches, but because technical approaches address only a subset of
cyber security risks.

Overview of Core Assessment for this Course: Building your Decision-Making Matrix

For this course, you will benefit from the perspectives of four CISOs from very different sectors
(starting next, in Module 2): Industry, Academia, Military, and Government. The goal of this
course is to help you build your own decision-making matrix based on information about the
sectors’ tool kits – showing what the sectors demand in their tool kits, their missions, and how
they relate to job requirements.

You can then begin to compare the sectors’ requirements with  your own talents and existing expertise,
and start to think about your “swim lane”.

Where do you see yourself in cybersecurity? Getting to the answer is a process…

As you watch each video, use this template to capture valuable insights toward an end goal to
build a matrix comparing and contrasting the sectors, at-a-glance.

Step 1: Take notes from the videos, tracking the keywords and parallel structure of the interviews.

After each video, I suggest you take time to look at your notes and begin to gauge your comfort
level with the key distinguishing features of each sector. Try to align your talents, strengths,
passions and goals to the sector, and find areas where you might be challenged.

However, don’t be hasty! Take notes on all sectors before drawing deeper conclusions!

Step 2: Finalize your matrix for the sector, following the questions in the columns.

Step 3: Participate in the Peer and Self-Assessment exercises linked to each Module. The
assessments will guide you, and a rubric will be provided.

Reminder: Your final assessment for this course consists of the Knowledge Checks interspersed
throughout the course, and five of these peer and self-assessments. Remember to follow the
guidelines in providing your peers valuable input, and to review two peers.

| Key Area 1: What was the CISO’s career path? | Key Area 2: Features of this Sector (Culture, practices, history, rule and tools) that make it unique, as pointed out by the CISO. Also, what was pointed out as most important? | Key Area 3: What did I find most compelling, surprising about this sector and this CISO's advice? | Takeaway: My early thoughts on this sector and my compatibility with it |
|---|---|---|---|
| English degree; Military Police officer; Communications officer (many were converted to cybersecurity) | Driven by policy. Practices: Tech: Technology specialists in high demand to support leadership. Leadership does not necessarily require technical expertise. | | |

Thinking Exercise 1

Critical Thinking and Cyber Strategy

Systems thinking involves critical thinking in its need for openness, flexibility, and rigor.

In preparation for a brief peer-review exercise, please review this presentation, Be Like
Water: Applying Analytical Adaptability to Cyber Intelligence by Jay McAllister at a
2017 RSA conference.

Focus on the main elements and particularly on slide 29's organization around three
steps. Then, proceed to the Thinking Exercise.

OPEN RESPONSE ASSESSMENT

This assignment has several steps. In the first step, you'll provide a response to the prompt. The
other steps appear below the Your Response field.

1. Your Response
due Jan 1, 2029 05:45 +0545 (in 10 years, 8 months) IN PROGRESS

Enter your response to the prompt. You can save your progress and return to complete
your response at any time before the due date (Monday, Jan 1, 2029 05:45 +0545). After
you submit your response, you cannot edit it.
1. The prompt for this section
In the presentation you just reviewed, Be Like Water, the author lays out the core traits
of successful, effective cybersecurity thinkers. He ties these traits to the analytic
framework (slides 22-25), and the three-step process to holistically assessing threats
(slide 29).

Here, in an essay of 100 words or so (no more than a page, typed), describe what you
think the overlapping features of critical and systems thinking are in relationship to this
presentation's assertions. Consider a recent news story about a cyber attack or a
scenario with which you are professionally familiar, and apply 1-3 of the core features to
this scenario. How could a professional armed with a strong thinking style mitigate a
threat?
You will be asked to review two peers, and you will be reviewed by two peers. 20 points
possible.

Knowledge Checks for Industry CISO Point-of-View

Multiple Choice with Hints and Feedback


1 point possible (graded)

Bill Boni calls business acumen, communications skills, and technical know-how
_______________________ that enable professionals to address a wide range of issues.

areas of dominant expertise

domains of competency


Multiple Choice with Hints and Feedback


1 point possible (graded)

True or False. Everyone in a corporate security organization reports directly to the CISO.

TRUE

FALSE


Multiple Choice with Hints and Feedback


1 point possible (graded)
An example of a key domain of functional accountability related to cyber security is
____________________.

the entire engineering department

the governance risk and compliance team

a dedicated corporate lawyer


Multiple Choice
1 point possible (graded)

Boni notes that the TMobile cybersecurity technology office addresses emerging
technologies'_______________

basic structures

risks and rewards

possible threats

potential for profit


Multiple Choice with Hints and Feedback


1 point possible (graded)

What is unique to industry among the cybersecurity sectors, as related to mission focus? Check
all that apply.

public security
shareholder interest and brand protection

productivity in balance with protection


A Cyber Attack on the Grocery Industry

Consider this article about threats to the cyber security of the grocery industry from Forbes,
June 2017. The angle of the article is more from the business perspective, but what can
you pick out about how a cybersecurity plan should be operationalized given the threats
this industry faces?

Discussion Prompt: 

Apply some systems thinking. What are the interconnected parts of this system? How is
the grocery industry related to society? What are its drivers that could impede a strong
cyber security strategy?

What did TMobile CISO Bill Boni point out in his interview that resonates here? 

Respond to at least two peers.

Here is a template you can use to build your matrix. You can continually add to one, or
you might prefer to create a separate chart for each sector. Regardless, at the end, you
should be able to see a high-level overview of your impressions as this course presents
the views from the top of four sector CISOs. This module, we begin with the Industry
perspective.

Be prepared for peer review of this document as you proceed to the Open Assessment.
| Key Area 1: What was the CISO’s career path? | Key Area 2: Features of this Sector (Culture, practices, history, rule and tools) that make it unique, as pointed out by the CISO. Also, what was pointed out as most important? | Key Area 3: What did I find most compelling, surprising about this sector and this CISO's advice? | Takeaway: My early thoughts on this sector and my compatibility with it |
|---|---|---|---|
| English degree; Military Police officer; Communications officer (many were converted to cybersecurity) | Driven by policy. Practices: Tech: Technology specialists in high demand to support leadership. Leadership does not necessarily require technical expertise. | | |

PEER AND SELF-EVALUATION OF MATRIX - INDUSTRY

This Module, you begin the core assessment of the course - your peer and self-evaluation
of your building matrix of observations about the sector interviews. We start with
Industry. In this open response assignment, follow the steps carefully. Either upload a
PDF version of your matrix, or a summary of the category responses for peer and self-
evaluation. Use the provided Rubric to assess two peers.

Knowledge Checks for Government CISO Point-of-View

Multiple Choice with Hints and Feedback


1 point possible (graded)

While at the NASA Jet Propulsion Lab, Mike Hamilton was told he needed to work to secure
networks because the internet was starting to become ________________.

infiltrated

commodified


Multiple Choice with Hints and Feedback


1 point possible (graded)

According to Hamilton, early security of networks was attempted mainly through
_____________.

dedicated cybersecurity monitoring teams

firewalls

Multiple Choice with Hints and Feedback


1 point possible (graded)

Early in his career, Hamilton did a lot of ________________ that led to expertise.

hacking

experimentation


Multiple Choice with Hints and Feedback


1 point possible (graded)

True or False. Hamilton has found policy to be a non-integral part of his work. It was the
technology experimentation and entrepreneurial spirit that led to his success.

TRUE

FALSE (Listen closely to Hamilton. He repeatedly emphasizes the importance of becoming
very familiar with policy in building a well-rounded cybersecurity career.)


Multiple Choice with Hints and Feedback


1 point possible (graded)

In operationalizing cybersecurity for a local government, it's important to adhere to the same
rules and regulations that govern at the federal level.
Somewhat true

Not true

Very true


Multiple Choice with Hints and Feedback


1 point possible (graded)

Hamilton faced a crisis in his time with Seattle when attackers wanted to target
________________ who brokered purchases of power from other states when snow melt was
insufficient to feed the Seattle grid.

inside Seattle Light employees

power marketers


Multiple Choice with Hints and Feedback


1 point possible (graded)

Social media use is troubling to Hamilton because users ____________________________.
(All that apply.)

are susceptible to fake news

give up too much information about themselves


build up jealousy toward one another that might someday result in neighbor-neighbor
attacks

Explore and Discuss: Government Cybersecurity News

Explore this site dedicated to government cybersecurity news. What are your impressions
about what seems important, the categories of information, and the tone? Pick one
article to discuss with peers. Point out why you chose this and if it is tied to the interview
with Gent Walsh this Module. Were there any things you noticed about this site more
after viewing the video?

Respond to two peers.

Sector Overview Matrix - Adding Government

Using the template provided earlier, either add to or create a fresh Government matrix
overview of your impressions after viewing the interview with Mike Hamilton. Then,
participate in the peer and self-assessment exercise.

PEER AND SELF-EVALUATION OF MATRIX - GOVERNMENT

This Module, you continue the core assessment of the course - your peer and self-
evaluation of your building matrix of observations about the sector interviews. We
continue with Government. In this open response assignment, follow the steps carefully.
Either upload a PDF version of your matrix, or a summary of the category responses for
peer and self-evaluation. Use the provided Rubric to assess two peers.

Knowledge Checks for Military CISO Point-of-View

Multiple Choice with Hints and Feedback


1 point possible (graded)

Colonel Gent Walsh got his start in his career as a(n) ________________.

computer science engineer

military police officer

English instructor


Multiple Choice with Hints and Feedback


1 point possible (graded)

Walsh thinks of cyber as a narrow term that only encompasses warfare.

True

False


Multiple Choice with Hints and Feedback


1 point possible (graded)

Walsh says military cybersecurity is organized around the OODA loop, which stands for
__________ _____________ ___________ ____________.
Observe, Orient, Decide, Act

Orientation, Observation, Duty, Assessment


Multiple Choice with Hints and Feedback


1 point possible (graded)

Due to the way Department of Defense networks are configured, in the National Guard, the
approach is focused on ________________________.

enterprise management

firewall management

departmental specialization


Multiple Choice with Hints and Feedback


1 point possible (graded)

When he says, "Our battlefield is at the front line of every corporate network," Walsh means
_______________________________.

the military focus should be only on protecting industry, because that is where the main
threat lies.

the sectors of our country are inescapably connected by cyber threat.


Explore and Discuss: U.S. Military Strategy

This course employs a U.S.-centric approach. Here is a chance to look at the United
States' Department of Defense's public strategy (2015) at a high level, integrating some of
Col. Walsh's insights into your examination.

We can also, here in Discussion, ask for international perspectives. If you are a student
from a country other than the U.S., how do this strategy's core components and tone
compare to those of your home country (if a similar strategy is made public)?

Discuss: After viewing the interview with Col. Walsh, then reading this DoD strategy at a
high level, what is noticeable? To start, examine what the document and Col. Walsh say
about the military's core mission.

Respond to at least two peers.

Sector Overview Matrix - Adding Military

Using the template provided earlier, either add to or create a fresh Government matrix
overview of your impressions after viewing the interview with Mike Hamilton. Then, participate
in the peer and self-assessment exercise.

PEER AND SELF-EVALUATION OF MATRIX - MILITARY

This Module, you continue the core assessment of the course - your peer and self-
evaluation of your building matrix of observations about the sector interviews. We
continue with Military. In this open response assignment, follow the steps carefully.
Either upload a PDF version of your matrix, or a summary of the category responses for
peer and self-evaluation. Use the provided Rubric to assess two peers.

Your Takeaway Matrix

After viewing ALL videos, compare and contrast the commonalities and differences in the tool kits
needed for each sector.

Synthesize your own takeaways from each sector (you can use the template below or create your own),
then participate in a final course discussion.

In the Discussion, tell your peers: My takeaway from the course videos and resources has led me to think
I might be most compatible with _______________(sector). Or, explain why you have not been able to
narrow to any particular sector. Where do you see yourself going?

Respond to at least two peers.

| SECTOR | Entrance requirements as I perceive them/compare to my own preparedness and interest | Core mission and how I could see myself operating within it | Highlights and Challenges of this Sector |
|---|---|---|---|
| Private industry | | | |
| Government | | | |
| Military | | | |
