Gideon is available to present at conferences, chapter meetings, universities and corporate/government events.
Each session provides practical advice in the areas of cybersecurity and operational risk management. The goal is
to provide attendees with information they can use upon return to work.
Gideon creates slide decks in USAF crash course format. The presentation style is fast-paced, covering many slides.
That keeps the audience's attention and conveys a significant amount of information within the allotted time.
Each deck includes resource links at the end which make the PDF a great take-away.
Use these links to access the abstracts below:
Adaptive Cybersecurity Risk Assessments
This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation.
The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud.
This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.
Rather than repeating the same assessment year-over-year, the scoping methodology is risk opportunistic. There is focus on areas that have not been evaluated recently and areas that may require enhanced controls due to presence of valuable data. Albert Einstein’s quote applies here “the definition of insanity is doing something over and over again and expecting different results”.
The session will briefly walk through the assessment report framework, providing tips along the way.
The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.
"A lot of added value. Major takeaways. Tools we can use immediately. I appreciate how Gideon got granular for us instead of staying only high level within only 60 minutes. Excellent work Gideon."
"This was an excellent start to the ISC2 conference. I have been trying to put together a risk assessment and Gideon showed the audience how to streamline the process. If he is presenting next year I will be attending again! Thanks Gideon for all the pointers."
"Excellent presentation - I loved the work papers the most. Very valuable to me. Hope to host your other topics in the future!"
"I just attended a session on assessments that Gideon presented. He has a good presentation, and included a lot of good info for you, if you're considering someone to give your company an assessment, or you're a security practitioner."
"I attended Gideon's presentation to the CERIAS of Purdue University. I appreciated him sharing his expertise in how he conducts risk assessments as a vCISO. He was gracious with tips he utilizes when interviewing companies to evaluate security controls. It was a great hour, and hopefully someday our paths will cross again."
"Had an opportunity to listen to Gideon present recently and was impressed with his grasp of solid foundation materials and knowledge and his ability to articulate it in C-speak without much of the jargon. Gideon can help organizations to start or continue an IT Security process with an in-depth look with ease."
"Great to hear from someone with hands on experience. Thank you for sharing with the ISACA Kentuckiana chapter today! Your communication style and presentation was outstanding."
"Determining your tools to drive your cybersecurity risk methodologies will be a challenge. Gideon has some great direction in building a solid and cost-effective approach we all can apply. Thanks for the great detail guiding folks on measuring their environment in confidentiality, integrity, and availability of your assets."
"Very interesting. Very well presented. Very thorough and detailed. Speaker was very good. Liked work paper segment. Liked how he fleshed out his audit evidence decision tree. Liked how he called out response confusion, contract language issues, etc. He validated our processes which was nice too."
"Thanks for the great presentation, very valuable and timely information for me. I am always looking for practical advice that I can take back and that is exactly what you provided."
"Fantastic! What an efficient use of time! I learned a lot and have take-aways I can implement right away. Thank you very much!"
"Great presentation by Gideon for the Central Pennsylvania Institute of Internal Auditors on Cybersecurity Risk Assessments. Valuable information and tools that our regional members could use in their professional roles. Thank you Gideon!"
Third Party Risk Management
Designing a Third Party Risk Management Program
Provides practical advice to design a TPRM program. Details the end-to-end process: identify, risk rank, assess, risk treatment, monitor and oversight & escalations. Includes options based on risk tolerance and available funding.
Provides security requirements for vendor contract templates.
Describes how to identify new and existing vendors through existing Supply Chain Management processes and in organizations where it is necessary to leverage financial systems. Includes examples where vendors may slip through the cracks.
Addresses a risk-based approach to tier vendors for assessment when confidentiality and business criticality information is available. Otherwise, includes alternatives such as risky vendor categories and tiering questions.
Assessment options include on-site assessment, questionnaires, artifact reviews, vulnerability scans and acceptance of independent assessments & certifications.
Describes risk treatment: tracking remediation to closure, policy exceptions and risk register entries.
Provides recommendations to reduce residual risk when vendor service is discontinued.
Addresses program architecture: welcome packet, process diagram, procedures manual, message templates, system of record, reporting, metrics, etc.
Includes tips to develop a roadmap to mature the program over three years.
Provides examples that can be leveraged in small, medium and large organizations. Includes real world challenges with recommendations for processes.
"Great presentation, Gideon! Our business team was able to get a lot of questions answered related to our TPRM Program. This session was very insightful!"
"That was a fantastic crash course and appreciate the military like delivery. 😂 Personally, my biggest takeaway from that was the use of a Welcome Packet to vendors to aid in expectation management. Brilliant and thank you so much for making the time to do this!"
"This was a VERY insightful presentation! Gideon really provided valuable information."
"This is a great presentation, and a great parallel with manufacturing Supplier Quality. I’m really glad I attended!"
"Very insightful presentation at Bsides today. Thank you very much for adding to my TPRM knowledge."
"Very informative. Great material and well presented. We enjoyed having you present. Looking forward to future talks. Thank you. 👍"
Cybersecurity Metrics, KPIs and KRIs
This session provides practical advice to establish cybersecurity metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). We begin with an explanation of the differences between them and why each are needed.
Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include cybersecurity measurements for all organizations, for processes & functions and in alignment with a control framework. The end game is to measure if processes and controls are functioning as designed.
We walk through tips for communicating new metrics and go-to-green updates for metrics in red or yellow status.
The session includes 22 metrics and seven resources for many more. All of this saves time and can assist with enhancing your program.
"I learned so much during this meeting. Some really good slides and clear explanations of the value of metrics. I'm looking forward to chatting with my coworkers about this tomorrow to see what they think."
"This crash course on Cybersecurity Metrics, KPI and KRI during the meeting is a must learn and apply for every Cybersecurity personnel out there. Great presentation. Thanks for sharing. #knowledgeispower #knowledgesharing"
"Attended Gideon's session today at B-Sides Tampa and it was extremely insightful in not only the implementation of Cybersecurity metrics but how they can be used as well!"
"Gideon T. Rasmussen thanks for sharing such valuable content today during your presentation. I walked away with many great take aways!"
"I just attended Gideon's presentation on Cybersecurity Metrics, KPIs, and KRIs. It was very informative and I walked away with some great ideas to implement in the monitoring of my programs. Thanks again Gideon!"
"Thanks for the great presentation, definitely gave me some solid inspiration to implement new metrics for my team."
"Your presentation at our Chapter today was a delight! The clear and concise articulation of key Cybersecurity metrics and the list of references are immediate takeaways. Thank you for sharing with us!"
"Thank you for giving such a well thought out and concise presentation. I'll certainly be taking the information into consideration as I track my own metrics."
"Cybersecurity metrics in a nutshell with excellent references for further learning. Exactly what I was looking for. Thank you. 👍👍"
Program Maturity - Cybersecurity and Operational Risk Management
This session provides guidance to improve program maturity in four stages. This risk-prioritized approach can be used to obtain funding. At the conclusion of this session, attendees will be able to: (1) gauge the maturity of their cybersecurity program, (2) identify control gaps and opportunities for improvement and (3) plan for the future and influence funding.
Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages.
Maturity Level 1. Minimal Compliance
Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program.
Maturity Level 2. Common Controls
Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: deploy controls based on proven methodologies such as the 20 CIS Controls.
◾ Penetration testing
◾ Web application firewall
Establish a risk-based approach for implementing controls.
Maturity Level 3. Risk Management
It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process.
Maturity Level 4. Strong Risk Management
At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.
◾ The cybersecurity program maintains controls specific to line of business products, services and assets
◾ An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
◾ Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers
A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.
"Attended a local ISC2 Chapter meeting last evening where we had the pleasure of hearing Gideon's Program Maturity presentation. Great stuff! Gideon made easy work of covering some very dense and 'wonky' material with a ton of real world advice on how we as security practitioners can engage our business counterparts constructively. Well done!"
"Thank you so much Gideon T. Rasmussen for your time on behalf of the IIA Central Penn Chapter. Outstanding presentation with great insights!!"
DevSecOps Program Architecture
Provides practical advice to design a DevSecOps program. Begins with foundational practices and controls such as security-by-design, code scanning, penetration testing, web application firewall and incident response.
Details ways to increase program maturity including application risk profiles, developer's security toolkit, attack-aware applications, developer's belt program, metrics and more.
Provides tips to develop a roadmap and mature the program over three years. An aggressive ride through DevSecOps...
"Great Presenter! Excellent presentation with real situations and have to improve relationship btw dev and secops. Also he articulated very well the risks not only for development, business but also for auditors."
"Great presentation of using existing processes and controls to handle new technologies and methodologies such as DevSecOps."
"This class was very fast paced. More in depth agile training and DevOps would be nice."
"Great content, great exposure to devsecops. Thanks."
"Great presentation."
"Great session! My favorite so far. There were many takeaways that I can take back to my team."
"This was by far the best session I attended!!! Speaker stated that he would not be able to go thru all the slides because of lack of time; however, he did in flying colors!!"
"Speaker was excellent and very knowledgeable."
"My favorite session today was Gideon Rasmussen. His discussion of Software development security operations (DevSecOps - that’s a Navy term) Program Architecture was on point. A refreshing viewpoint from a real security practitioner. www.virtualcso.com"
"Great presentation - practical, insightful information! Definitely can use with my team of developers! #continuouslearning #devsecops"
"Excellent presentation! Very insightful simplified guidance over complex security challenges within DevSecOps."
"Excellent presentation from Gideon, and a very relevant topic: trying to get that mindset shift to create security by design. Definitely some good takeaways. Thanks Gideon!"
"Great presentation!!! Insightful and practical advice for sdlc 👍"
"DevSecOps is such a vital part of the GRC process and your presentation just helped to confirm that."
"Excellent presentation! Learned a lot and can't wait to implement! Looking forward to the next one."
"Great presentation. Looking forward to the opportunity to hear you speak again."
Career Advice: Cybersecurity Professionals
Prove Yourself Ready Now for Promotion - Cybersecurity
This session provides practical advice to prove yourself 'ready now' for a cybersecurity management role. There are 10 takeaways attendees can leverage upon returning to work.
The session begins with ways to align and partner with executives. It includes details of their perspectives and motivations. There are tips for communicating program statuses in ways that resonate with leadership. Program architecture and planning are addressed at a mid-level. Professional development and C-Level presentation round out the session.
Here is the framework of the presentation:
◾ Understand Executives' Perspective
◾ Speak in Terms of Risk
◾ Have Communications Routines
◾ Communicate Program Statuses
◾ Have a Focus on the Program
◾ Plan to Drive the Program Forward
◾ Use Executive Tools
◾ Focus on Professional Development
◾ Be Known
◾ Prepare for C-Level Presentation
"One of the best presentations I’ve attended focusing on career growth. Gideon presented clear, concise ideas and why they’re important to both the individual as well as the company they work for. I highly recommend attending his presentations."
"It was a really strong session for anyone looking how to frame the necessary conversations in their career. How to say the words execs will hear, is a learned skill. Thanks for such great advice!"
Career Advice: Cybersecurity Leaders
Cybersecurity Team Development and Retention
This session provides InfoSec leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management.
There are tips and examples to help a manager transition to leading a new team. That includes focus on each team member, their current state of professional development and their motivations.
The session shifts to a calendar year format. In January there are 1:1s to understand employees’ career goals and to begin developing their performance and development plans.
We discuss how to maintain connections with team members throughout the year, including weekly team meetings, 1:1s with each employee and meaningful conversations within a mid-year review.
The annual planning slides address a day-long brainstorming session with the team, including six strategic cybersecurity goals to frame the conversation. There are also tips for maturing annual goals by meeting with the program executive and partnering on goals with other teams.
The session closes with performance calibration, succession planning, promotions and retention risk.
"Incredibly timely and actionable presentation by Gideon. We are all feeling the global challenge of finding cyber defenders which makes retaining and developing our current teams an imperative!"
"Had the chance to meet Gideon in person this week and soak up some of his experience in building and growing teams. Great presentation, great presenter!"
"This was a great presentation by a well spoken leader. Gideon has a breadth of experience in Cybersecurity and more importantly, building and growing effective teams."
"Great session today @ ISACA Conference. Thank you Gideon, you provide such great examples of Team Development and retention. Here is a great take away: Succession Planning: Who is "ready now" on the team, Who is a good candidate elsewhere, Grooming for the next role."
"This session is full of useful information. I have seen some talented folks leave an organization because they felt they are just a number and receive little feedback."
"Excellent and inspiring presentation. Thanks so much for sharing your expertise and experience."
"Thanks so much for the session! I really valued your insights on applying the principles in a practical way!"
"Gideon joined us as a keynote speaker for a cybersecurity event based in Austin, Texas, sharing insights on the topic "Cybersecurity Team Development and Retention." He was excellent to work with throughout the whole process, from preparing talking points, to promoting the event actively with his network, to excellent delivery on stage. The audience enjoyed the talk and engaged with Gideon through an active Q&A -- one attendee even remarked to event organizers: "We rarely get content on how to become a manager in security, or how to best support your team and also advocate for yourself. This was just as helpful as the technical topics we typically get at conferences -- if not more." With feedback like that, we would recommend Gideon as a partner for any paid speaker engagement!"
The Intersection of Fraud Prevention and Cybersecurity
This session provides practical advice to bridge the gap between cybersecurity and fraud prevention practices.
Addresses fraud concepts, checks and balances and the roles of CFO and CISO.
15 fraud schemes are detailed, such as:
◾ Employee creates account and makes a payment
◾ Shell companies and false billing used to commit fraud
◾ Largest subsets growth scenario
We discuss two financial process maps with threat actors engaged at critical process steps.
This session also addresses transaction data analysis and fraud response practices.
Tips and examples are provided including data sources and testing procedures.
A maturity model and a classification system of 39 fraud schemes close out the session.
"Attended Gideon’s session and as usual he did a great job framing up the topic with background info and then walked through several real world fraud scenarios. I definitely have a much better understanding of the fraud-cyber relationship! Thanks Gideon!"
"I appreciated the discussion on fraud events being captured by SIEM/SOC. This could be an entire topic on its own."
"I'm already starting our fraud tabletop exercise based on his list of 15 examples."
"The information provided on the types of fraud and the types of "fraudsters" was very interesting."
"Excellent information with some actionable takeaways. The fraud workflows provide a starting point for inclusion in our office."
"Thanks for a great presentation, Gideon. Reviewing your presentation again as it has helpful actionable steps to incorporate fraud prevention into risk assessment projects."
"I am also an expert in this area and can attest that Gideon’s presentation is well thought out and delivered."
"Gideon provided a paid security speaking engagement for a business unit of our company and was very comprehensive. He provided all content and resources and was extremely well prepared. He even went so far as to arrange several calls ahead of the presentation with myself (security professional) and the group head to ensure that the content of the presentation was well tailored for our group. Gideon's presentation was very well received by the team to which he spoke. He got our business people thinking about security and kept them engaged for the duration of the talk."
Cybersecurity Risk Management
Cybersecurity Risks and Mitigation Strategies
This session provides practical advice to identify, analyze and classify cybersecurity risks. It begins with an inventory of risk scenarios, resources to identify new scenarios and an example of how to establish a risk scenario.
We walk through three risk analysis methodologies. Techniques to classify risk are provided, including a risk scoring visualization used to gain funding for new controls. Maturity models are discussed, along with a methodology for quantifying and managing risk.
We discuss attack centric controls and a tiered approach to influence risk mitigation based on real world experiences. Two examples of risk summary slides are discussed, with executives as the intended audience. We also cover how a risk register can be used to influence mitigation of cybersecurity issues.
The session concludes with a call to action and 10 takeaways attendees can leverage upon returning to work.
Threat Landscape and Controls Analysis
Threat Landscape and Controls Analysis is organized to start from business management’s side of the table. The analysis begins by considering the inherent risk of the organization. It provides an overview of potential adversaries, techniques for compromising data and the cybercrime ecosystem. It describes the potential for impact, citing reliable sources, and references the organization’s risk tolerance. It then describes the organization’s assets and pivots into cybersecurity with protection boundaries, control framework and risk assessments. It provides fair and balanced analysis by documenting risk mitigation and recent accomplishments in that domain, then details residual risk with recommendations for new processes and controls. The analysis concludes with a summary statement that praises the organization’s risk culture, with recognition for conducting risk analysis.
This session provides tips and techniques to communicate cyber exposures to executives in a way that is relevant to them. It also provides a fair and balanced view, detailing risk mitigation and residual risk.