Presentation Topics: Gideon Rasmussen

Gideon is available to present at conferences, chapter meetings, universities and corporate/government events.

Each session provides practical advice in the areas of cybersecurity and operational risk management. The goal is to provide attendees with information they can use upon return to work.

Gideon creates slide decks in USAF crash course format. The presentation style is fast-paced, covering many slides. That keeps the audience's attention and conveys a significant amount of information within the allotted time. Each deck includes resource links at the end, which make the PDF a great take-away.

Here are links to strong positive feedback when Gideon presented to large audiences: LinkedIn Post # 1 / LinkedIn Post # 2 / LinkedIn Post # 3

Cybersecurity Assessments

Adaptive Cybersecurity Risk Assessments
This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation.

The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud.

This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.

Rather than repeating the same assessment year-over-year, the scoping methodology is risk opportunistic. There is focus on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. Albert Einstein's quote applies here: "the definition of insanity is doing something over and over again and expecting different results".

The session will briefly walk through the assessment report framework, providing tips along the way.

The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.

"A lot of added value. Major takeaways. Tools we can use immediately. I appreciate how Gideon got granular for us instead of staying only high level within only 60 minutes. Excellent work Gideon."

"This was an excellent start to the ISC2 conference. I have been trying to put together a risk assessment and Gideon showed the audience how to streamline the process. If he is presenting next year I will be attending again! Thanks Gideon for all the pointers."

"Excellent presentation - I loved the work papers the most. Very valuable to me. Hope to host your other topics in the future!"

"I just attended a session on assessments that Gideon presented. He has a good presentation, and included a lot of good info for you, if you're considering someone to give your company an assessment, or you're a security practitioner."

"I attended Gideon's presentation to the CERIAS of Purdue University. I appreciated him sharing his expertise in how he conducts risk assessments as a vCISO. He was gracious with tips he utilizes when interviewing companies to evaluate security controls. It was a great hour, and hopefully someday our paths will cross again."

"Had an opportunity to listen to Gideon present recently and was impressed with the grasp of solid foundation materials and knowledge and able to articulate to C-speak without much of the jargon. Gideon can help organizations to start or continue an IT Security process with an in-depth look with ease."

"Great to hear from someone with hands-on experience. Thank you for sharing with the ISACA Kentuckiana chapter today! Your communication style and presentation were outstanding."

"Determining your tools to drive your cybersecurity risk methodologies will be a challenge. Gideon has some great direction in building a solid and cost-effective approach we all can apply. Thanks for the great detail guiding folks on measuring their environment in confidentiality, integrity, and availability of your assets."

"Very interesting. Very well presented. Very thorough and detailed. Speaker was very good. Liked work paper segment. Liked how he fleshed out his audit evidence decision tree. Liked how he called out response confusion, contract language issues, etc. He validated our processes which was nice too."

"Thanks for the great presentation, very valuable and timely information for me. I am always looking for practical advice that I can take back and that is exactly what you provided."

"Fantastic! What an efficient use of time! I learned a lot and have take-aways I can implement right away. Thank you very much!"

"Great presentation by Gideon for the Central Pennsylvania Institute of Internal Auditors on Cybersecurity Risk Assessments. Valuable information and tools that our regional members could use in their professional roles. Thank you Gideon!"

Third Party Risk Management

Designing a Third Party Risk Management Program
Provides practical advice to design a TPRM program. Details the end-to-end process: identify, risk rank, assess, risk treatment, monitor and oversight & escalations. Includes options based on risk tolerance and available funding.

Provides security requirements for vendor contract templates.

Describes how to identify new and existing vendors through existing Supply Chain Management processes and in organizations where it is necessary to leverage financial systems. Includes examples where vendors may slip through the cracks.

Addresses a risk-based approach to tier vendors for assessment when confidentiality and business criticality information is available. Otherwise, includes alternatives such as risky vendor categories and tiering questions.

Assessment options include on-site assessment, questionnaires, artifact reviews, vulnerability scans and acceptance of independent assessments & certifications.

Describes risk treatment: tracking remediation to closure, policy exceptions and risk register entries.

Provides recommendations to reduce residual risk when vendor service is discontinued.

Addresses program architecture: welcome packet, process diagram, procedures manual, message templates, system of record, reporting, metrics, etc. Includes tips to develop a roadmap to mature the program over three years.

Provides examples that can be leveraged in small, medium and large organizations. Includes real world challenges with recommendations for processes.

"Great presentation, Gideon! Our business team was able to get a lot of questions answered related to our TPRM Program. This session was very insightful!"

"That was a fantastic crash course and appreciate the military like delivery. 😂 Personally, my biggest takeaway from that was the use of a Welcome Packet to vendors to aid in expectation management. Brilliant and thank you so much for making the time to do this!"

"This was a VERY insightful presentation! Gideon really provided valuable information."

"This is a great presentation, and a great parallel with manufacturing Supplier Quality. I’m really glad I attended!"

"Very insightful presentation at Bsides today. Thank you very much for adding to my TPRM knowledge."

"Very informative. Great material and well presented. We enjoyed having you present. Looking forward to future talks. Thank you. 👍"

Metrics, KPIs and KRIs

Cybersecurity Metrics, KPIs and KRIs
This session provides practical advice to establish cybersecurity metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). We begin with an explanation of the differences between them and why each are needed.

Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include cybersecurity measurements for all organizations, for processes & functions and in alignment with a control framework. The end game is to measure if processes and controls are functioning as designed.

We walk through tips for communicating new metrics and go-to-green updates for metrics in red or yellow status.

The session includes 22 metrics and seven resources for many more. All of this saves time and can assist with enhancing your program.

"Attended Gideon's session today at B-Sides Tampa and it was extremely insightful in not only the implementation of Cybersecurity metrics but how they can be used as well!"

"Gideon T. Rasmussen thanks for sharing such valuable content today during your presentation. I walked away with many great takeaways!"

"I just attended Gideon's presentation on Cybersecurity Metrics, KPIs, and KRIs. It was very informative and I walked away with some great ideas to implement in the monitoring of my programs. Thanks again Gideon!"

"Thanks for the great presentation, definitely gave me some solid inspiration to implement new metrics for my team."

Program Maturity

Program Maturity - Cybersecurity and Operational Risk Management
Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages.

Maturity Level 1. Minimal Compliance
Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework.

A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program.

Maturity Level 2. Common Controls
Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: Deploy controls based on proven methodologies such as the 20 CIS Controls.

◾ Patching
◾ Penetration testing
◾ Web application firewall

Establish a risk-based approach for implementing controls.

Maturity Level 3. Risk Management
It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process.

Maturity Level 4. Strong Risk Management
At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.

◾ The cybersecurity program maintains controls specific to line of business products, services and assets
◾ An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
◾ Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers

A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.

"Attended a local ISC2 Chapter meeting last evening where we had the pleasure of hearing Gideon's Program Maturity presentation. Great stuff! Gideon made easy work of covering some very dense and 'wonky' material with a ton of real world advice on how we as security practitioners can engage our business counterparts constructively. Well done!"

"Thank you so much Gideon T. Rasmussen for your time on behalf of the IIA Central Penn Chapter. Outstanding presentation with great insights!!"

Career Advice: Cybersecurity Professionals

Prove Yourself Ready Now for Promotion - Cybersecurity
This session provides practical advice to prove yourself 'ready now' for a cybersecurity management role. There are 10 takeaways attendees can leverage upon returning to work.

The session begins with ways to align and partner with executives. It includes details of their perspectives and motivations. There are tips for communicating program statuses in ways that resonate with leadership. Program architecture and planning are addressed at a mid-level. Professional development and C-Level presentation round out the session.

Here is the framework of the presentation:

◾ Understand Executives' Perspective
◾ Speak in Terms of Risk
◾ Have Communications Routines
◾ Communicate Program Statuses
◾ Have a Focus on the Program
◾ Plan to Drive the Program Forward
◾ Use Executive Tools
◾ Focus on Professional Development
◾ Be Known
◾ Prepare for C-Level Presentation

"One of the best presentations I’ve attended focusing on career growth. Gideon presented clear, concise ideas and why they’re important to both the individual as well as the company they work for. I highly recommend attending his presentations."

"It was a really strong session for anyone looking how to frame the necessary conversations in their career. How to say the words execs will hear, is a learned skill. Thanks for such great advice!"

Career Advice: Cybersecurity Leaders

Cybersecurity Team Development and Retention
This session provides InfoSec leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management.

Management routines will be discussed to help attendees with efficiency. Time management tips and a communications plan template will be provided.

The session also addresses tough questions such as "Are we secure" and "What is the value-add of the cybersecurity program".

Annual program goals and performance & development plans are addressed at a mid-level.

The session closes with performance calibration, succession planning, promotions and retention risk.

"Incredibly timely and actionable presentation by Gideon. We are all feeling the global challenge of finding cyber defenders which makes retaining and developing our current teams an imperative!"

"Had the chance to meet Gideon in person this week and soak up some of his experience in building and growing teams. Great presentation, great presenter!"

"This was a great presentation by a well spoken leader. Gideon has a breadth of experience in Cybersecurity and more importantly, building and growing effective teams."

"Great session today @ ISACA Conference. Thank you Gideon, you provide such great examples of Team Development and retention. Here is a great take away: Succession Planning: Who is "ready now" on the team, Who is a good candidate elsewhere, Grooming for the next role."

"Excellent and inspiring presentation. Thanks so much for sharing your expertise and experience."

"Thanks so much for the session! I really valued your insights on applying the principles in a practical way!"

Application Security

DevSecOps Program Architecture
Provides practical advice to design a DevSecOps program. Begins with foundational practices and controls such as security-by-design, code scanning, penetration testing, web application firewall and incident response. Details ways to increase program maturity including developer's security toolkit, developers belt program, attack-aware applications, SIEM/SOC integration, vulnerability trend and root cause analysis, risk register and metrics. Provides tips to develop a roadmap and mature the program over three years. An aggressive ride through DevSecOps...

Cybersecurity Risk Management

Cybersecurity Risks and Mitigation Strategies
This session provides practical advice to identify, analyze and classify cybersecurity risks. It begins with an inventory of risk scenarios, resources to identify new scenarios and an example of how to establish a risk scenario.

We walk through three risk analysis methodologies. Techniques to classify risk are provided, including a risk scoring visualization used to gain funding for new controls. Maturity models are discussed, along with a methodology for quantifying and managing risk.

We discuss attack centric controls and a tiered approach to influence risk mitigation based on real world experiences. Two examples of risk summary slides are discussed, with executives as the intended audience. We also cover how a risk register can be used to influence mitigation of cybersecurity issues.

The session concludes with a call to action and 10 takeaways attendees can leverage upon returning to work.

Business Risk Assessments

Lines of Business (LOBs) manage data within their span of control and may work directly with vendors. This presentation addresses LOB Risk Assessment, Business Process Risk Assessment and FMEA Process Risk Evaluation.

A LOB Risk Assessment begins with service offerings, following the data flow. LOB processes, technology and administrative controls are assessed to identify areas for improvement:

◾ Data Management
◾ Application Governance
◾ Third parties
◾ Call Centers
◾ Access Control
◾ Process Design
- Insider Threat
- Fraud

Business Process Risk Assessment focuses on cybersecurity, insider threat and fraud. The process is evaluated to include data flow, application governance, Third Party Risk Management and spreadsheet risk. We also validate cybersecurity controls such as access control and business continuity.

Failure Mode and Effects Analysis (FMEA) evaluates process issues by Severity x Occurrence x Detection. The resulting Risk Priority Number is used to address issues with the greatest risk exposure.
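To show how the Risk Priority Number ranks process issues, here is an added example (not code from the presentation or its author). It assumes the common FMEA convention of 1 to 10 scales for each factor, with higher Detection meaning the failure is less likely to be caught before it causes harm; the failure modes and scores are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    process: str
    failure: str
    severity: int    # 1..10: impact if the failure occurs (assumed scale)
    occurrence: int  # 1..10: how often it is expected to occur (assumed scale)
    detection: int   # 1..10: 10 = unlikely to be detected before impact (assumed scale)


def rpn(fm: FailureMode) -> int:
    """Risk Priority Number = Severity x Occurrence x Detection, range 1..1000."""
    for name, value in (("severity", fm.severity),
                        ("occurrence", fm.occurrence),
                        ("detection", fm.detection)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return fm.severity * fm.occurrence * fm.detection


def prioritize(modes):
    """Order failure modes by RPN, highest first.

    Ties are broken on severity so that two issues with the same RPN are
    addressed high-impact first rather than in arbitrary input order.
    """
    return sorted(modes, key=lambda m: (rpn(m), m.severity), reverse=True)


# Constructed sample of business-process failure modes (not from the page).
SAMPLE = [
    FailureMode("Customer onboarding", "PII exported to an unmanaged spreadsheet", 7, 6, 8),
    FailureMode("Vendor payment", "Duplicate invoice paid (fraud)", 8, 3, 5),
    FailureMode("Call center", "Caller identity not verified before account change", 9, 4, 9),
    FailureMode("Access review", "Terminated contractor retains application access", 6, 5, 7),
]


if __name__ == "__main__":
    for fm in prioritize(SAMPLE):
        print(f"RPN {rpn(fm):4d}  {fm.process}: {fm.failure}")
```

Run as a script it lists the four constructed issues from highest to lowest RPN; the onboarding spreadsheet issue (7 x 6 x 8 = 336) edges out the call-center verification gap (324) even though the latter is more severe, which is exactly the kind of ordering FMEA makes explicit.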

Risk Register Process

Influence Remediation Through a Risk Register Process
This session provides practical advice to implement a Risk Register. Related processes influence security issue remediation by requiring leaders to sign off on risk acceptance. That reduces skeletons in the closet and helps to provide visibility at the appropriate leadership tier. This session addresses processes, the risk register form, log, tollgates and an executive risk forum.

The session begins with an overview of risk management concepts. Risk categories and a sample risk tolerance slide will be discussed. A roles and responsibilities slide will address how employees and contractors support risk management. References to information security standards and regulations include requirements for strong risk management and documented risk acceptance.

A process diagram is used to establish a basic understanding of Risk Registers. This will provide context before addressing meeting routines such as Risk Tollgates and an Executive Risk Forum.

The session transitions into a detailed review of a Risk Register Form. The example provided helps to ensure risk is clearly articulated. A structured format addresses which control should be in place, the current state, root cause, consequence, corrective actions and more. Risk mitigation entries include a framework for milestones and artifacts. Remaining sections include risk ratings and required approvals.

The executive risk forum section addresses risk decisioning. Executives have the option to approve risk mitigation plans, provide resources, sign-off on risk acceptance or to request revision of the risk register entry. A sample meeting agenda and risk register reporting are provided. The session concludes with a summary of Risk Register benefits and a call to action.