The Center for Education and Research in Information Assurance and Security (CERIAS)


Andy Ellis - Duha

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

How to Build and Measure a Corporate Security Program

Nov 15, 2023



The challenge of building a security program is that there are too many things you could be doing, and that creates a challenge for security leaders to decide on which things they should do next.

All too often companies pivot from fighting one fire to another fire. They end up cobbling together a security program with duct tape, baling wire, and a handful of solutions implemented as a reaction to our own incidents and major headlines about other companies' breaches. How should a CISO evaluate building their security program?

In this talk, I will be exploring a mental model that CISOs can use - that I used in my 20 years as a CISO - to evaluate the state of their security program, and to identify where there are gaps in coverage. At a high level, the framework is four-dimensional, covering width (asset coverage), height (control comprehensiveness), depth (risk context), and time (maturity continuity). I will use case studies to highlight ways the security programs often fail on one of these axes, as a means for participants to connect the programs they work on to the shortcomings others have already experienced.

Most ways to evaluate a security program become frameworks with an overly strong focus on detail, but which lose the holistic view of the health of a security program, and even the "known unknowns" (we're pretty sure there is a risk, but don't have specifics) become forgotten as the focus narrows to the "known knowns" (we've documented the risk).  The "unknown unknowns," of course, almost never get visibility.

Combining a mental model for assessing the overall maturity of the program with a high-level risk comparison system (the "Pyramid of Pain") allows a CISO to identify areas for improvement to mitigate risk in the future.

Case studies from my time at Akamai will be shared (demonstrating not only how to quickly assess risk, but how to understand risk areas that may take years to mitigate), including the risk areas whose mitigation helped propel Akamai into the security leviathan it is today.

About the Speaker

Andy Ellis
Andy Ellis is a seasoned technology and business executive with deep expertise in cybersecurity, managing risk, and leading an inclusive culture. He is the founder and CEO of Duha, a boutique advisory firm focused on providing strategic consulting in the areas of Leadership, Management, Cybersecurity, Technology Risk, and Enterprise Risk Management. He is the author of 1% Leadership, Operating Partner at YL Ventures, Advisory CISO at Orca Security, and is an advisor to cyber security startups. 

Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision-making. Ellis previously served as the Chief Security Officer of Akamai Technologies, where he was responsible for the company's cybersecurity strategy, including leading its initial forays into the cybersecurity market. In his twenty-year tenure at Akamai, Andy led the information security organization from a single individual to a 90+ person team, over 40% of whom were women.  

Andy has received a wide variety of accolades, including the CSO Compass Award, Air Force Commendation Medal, Spirit of Disneyland Award, Wine Spectator Award of Excellence (for The Arlington Inn), the SANS DMA Podcast of the Year (for Cloud Security Reinvented), and was the winner of the Sherman Oaks Galleria Spelling Bee. He was inducted into the CSO Hall of Fame in 2021.

After receiving a degree in computer science from MIT, Andy served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.
