Speaker: John Kupcinski
Designation: Director of Information Security Transformation – Freddie Mac
Topic: A new path for better managing information security
Date of Webinar: 18th Nov, 2020
Time and Location: 10:00 am EDT/ 8:30 pm IST/ 3:00 pm GMT
Mr. Kupcinski leads Freddie Mac’s Information Security Transformation team to help execute the firm’s cyber agenda and realize corporate cyber goals by building and improving internal processes and technology environments. Over the last two decades, Mr. Kupcinski has built and improved information security organizations and aligned the cyber agenda towards evolving business and technology programs by providing greater visibility and understanding of changing risks. Additionally, he has helped a wide range of firms understand how to align their cyber agenda with dynamic business and compliance priorities.
InfoSec portfolios are often constrained by waterfall delivery methods and are heavily centered on cyber tools and technology. In this model, business cases are largely used for larger investments; however, they prioritize a feature roadmap that allows limited flexibility on scope. As a result, security is unable to adjust to business demands because of the long lead times associated with delivery. This often leads to superficial attempts to patch the undesirable nature of the infosec capability while technical debt continues to accumulate. Ultimately, the organization is left with inefficient, home-grown infosec processes, an over-reliance on spreadsheets and PowerPoints, and highly customized tools that are difficult to maintain.
Efforts to address delivery of new capabilities fall flat because those responsible for delivering lack empowerment and are relegated to the role of “project manager mercenaries”. For all of these reasons and more, infosec organizations are slow to adapt and often spend too much time fixing what is broken versus innovating.
Inherently, information security will continue to experience disruption and commoditization across all areas. As such, the future of the information security portfolio requires us to identify ways to more closely link business and delivery teams; increase velocity of feature releases; minimize & simplify dependencies; and evaluate “horizon” capabilities.
This discussion will explore the concept of productization and how it might be applied to the information security portfolio. It will also consider what kinds of preconditions would need to exist in order to begin the transition to a product-centric approach. Finally, we will discuss information security frameworks that can be leveraged to link compliance requirements to target state maturity and facilitate this transition.
- Understand the role of information security frameworks in organizing work
- Understand the linkage between maturity targets and risk remediation
- What agile principles can be leveraged by organizations within their information security programs?
*Examples, analysis, views and opinion shared by the speakers are personal and not endorsed by EC-Council or their respective employer(s)