Cybersecurity Keynote Speaker | Virtual Event Speaker | Gideon Rasmussen
PRESENTATION TOPICS

Gideon is available to present at conferences, chapter meetings, universities and corporate/government events.

Each session provides practical advice in the areas of cybersecurity and operational risk management. The goal is to provide attendees with information they can use upon return to work.

Gideon creates slide decks in USAF crash course format. The presentation style is fast paced, covering many slides. That keeps the audience's attention and conveys a significant amount of information within the allotted time. Each deck includes resource links at the end which make the PDF a great take-away.

Abstracts Menu

Use these links to access the abstracts below:

Adaptive Cybersecurity Risk Assessments
Designing a Third Party Risk Management Program
Cybersecurity Metrics, KPIs and KRIs
Program Maturity - Cybersecurity and Operational Risk Management
DevSecOps Program Architecture
Prove Yourself Ready Now for Promotion - Cybersecurity
Cybersecurity Team Development and Retention
The Intersection of Fraud Prevention and Cybersecurity
Crisis Communications - In the Gravest Extreme
Insider Risk Monitoring and Response
Assert Influence to Gain Support and Funding

Cybersecurity Assessments

Adaptive Cybersecurity Risk Assessments

This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation.

The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud.

This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.

Rather than repeating the same assessment year-over-year, the scoping methodology is risk-opportunistic. The focus is on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. The quote often attributed to Albert Einstein applies here: "the definition of insanity is doing something over and over again and expecting different results".

The session will briefly walk through the assessment report framework, providing tips along the way.

The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.

"A lot of added value. Major takeaways. Tools we can use immediately. I appreciate how Gideon got granular for us instead of staying only high level within only 60 minutes. Excellent work Gideon."

"This was an excellent start to the ISC2 conference. I have been trying to put together a risk assessment and Gideon showed the audience how to streamline the process. If he is presenting next year I will be attending again! Thanks Gideon for all the pointers."

"Excellent presentation - I loved the work papers the most. Very valuable to me. Hope to host your other topics in the future!"

"I just attended a session on assessments that Gideon presented. He has a good presentation, and included a lot of good info for you, if you're considering someone to give your company an assessment, or you're a security practitioner."

"I attended Gideon's presentation to the CERIAS of Purdue University. I appreciated him sharing his expertise in how he conducts risk assessments as a vCISO. He was gracious with tips he utilizes when interviewing companies to evaluate security controls. It was a great hour, and hopefully someday our paths will cross again."

"Had an opportunity to listen to Gideon present recently and was impressed with the grasp of solid foundation materials and knowledge and able to articulate to C-speak without much of the jargon. Gideon can help organizations to start or continue an IT Security process with an in-depth look with ease."

"Great to hear from someone with hands on experience. Thank you for sharing with the ISACA Kentuckiana chapter today! Your communication style and presentation was outstanding."

"Determining your tools to drive your cybersecurity risk methodologies will be a challenge. Gideon has some great direction in building a solid and cost-effective approach we all can apply. Thanks for the great detail guiding folks on measuring their environment in confidentiality, integrity, and availability of your assets."

"Very interesting. Very well presented. Very thorough and detailed. Speaker was very good. Liked work paper segment. Liked how he fleshed out his audit evidence decision tree. Liked how he called out response confusion, contract language issues, etc. He validated our processes which was nice too."

"Thanks for the great presentation, very valuable and timely information for me. I am always looking for practical advice that I can take back and that is exactly what you provided."

"Fantastic! What an efficient use of time! I learned a lot and have take-aways I can implement right away. Thank you very much!"

"Great presentation by Gideon for the Central Pennsylvania Institute of Internal Auditors on Cybersecurity Risk Assessments. Valuable information and tools that our regional members could use in their professional roles. Thank you Gideon!"

Third Party Risk Management

Designing a Third Party Risk Management Program

Provides practical advice to design a TPRM program. Details the end-to-end process: identify, risk rank, assess, risk treatment, monitor and oversight & escalations. Includes options based on risk tolerance and available funding.

Provides security requirements for vendor contract templates.

Describes how to identify new and existing vendors through existing Supply Chain Management processes and, in organizations where that is necessary, through financial systems. Includes examples of where vendors may slip through the cracks.

Addresses a risk-based approach to tier vendors for assessment when confidentiality and business criticality information is available. Otherwise, includes alternatives such as risky vendor categories and tiering questions.

Assessment options include on-site assessment, questionnaires, artifact reviews, vulnerability scans and acceptance of independent assessments & certifications.

Describes risk treatment: tracking remediation to closure, policy exceptions and risk register entries.

Provides recommendations to reduce residual risk when vendor service is discontinued.

Addresses program architecture: welcome packet, process diagram, procedures manual, vendor report analysis, shared responsibilities matrices, system of record, reporting, metrics, etc.

Includes tips to develop a roadmap to mature the program over three years.

Provides examples that can be leveraged in small, medium and large organizations. Includes real world challenges with recommendations for processes.

"Great presentation, Gideon! Our business team was able to get a lot of questions answered related to our TPRM Program. This session was very insightful!"

"That was a fantastic crash course and appreciate the military like delivery. 😂 Personally, my biggest takeaway from that was the use of a Welcome Packet to vendors to aid in expectation management. Brilliant and thank you so much for making the time to do this!"

"This was a VERY insightful presentation! Gideon really provided valuable information."

"This is a great presentation, and a great parallel with manufacturing Supplier Quality. I’m really glad I attended!"

"Very insightful presentation at Bsides today. Thank you very much for adding to my TPRM knowledge."

"Very informative. Great material and well presented. We enjoyed having you present. Looking forward to future talks. Thank you. 👍"

Metrics, KPIs and KRIs

Cybersecurity Metrics, KPIs and KRIs

This session provides practical advice to establish cybersecurity metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). We begin with an explanation of the differences between them and why each is needed.

Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include cybersecurity measurements for all organizations, for processes & functions and in alignment with a control framework. The end game is to measure if processes and controls are functioning as designed.

We walk through tips for communicating new metrics and go-to-green updates for metrics in red or yellow status.

The session includes 22 metrics and seven resources for many more. All of this saves time and can assist with enhancing your program.

"I learned so much during this meeting. Some really good slides and clear explanations the value of metrics. I'm looking forward to chatting with my coworkers about this tomorrow to see what they think."

"This was an excellent presentation. Gideon talked about developing metrics and provided practical tips for how to effectively implement them. This was probably one of the most immediately useful presentations. I really wish I hadn't missed the first part of this session and will look for Gideon at future conferences."

"This crash course on Cybersecurity Metrics, KPI and KRI during the meeting is a must learn and apply for every Cybersecurity personnel out there. Great presentation. Thanks for sharing. #knowledgeispower #knowledgesharing"

"Attended Gideon's session today at B-Sides Tampa and it was extremely insightful in not only the implementation of Cybersecurity metrics but how they can be used as well!"

"Gideon T. Rasmussen thanks for sharing such valuable content today during your presentation. I walked away with many great take aways!"

"I just attended Gideon's presentation on Cybersecurity Metrics, KPIs, and KRIs. It was very informative and I walked away with some great ideas to implement in the monitoring of my programs. Thanks again Gideon!"

"Thanks for the great presentation, definitely gave me some solid inspiration to implement new metrics for my team."

"Your presentation at our Chapter today was a delight! The clear and concise articulation of key Cybersecurity metrics and the list of references are immediate takeaways. Thank you for sharing with us!"

"Thank you for giving such a well thought out and concise presentation. I'll certainly be taking the information into consideration as I track my own metrics."

"Cybersecurity metrics in a nutshell with excellent references for further learning. Exactly what I was looking for. Thank you. 👍👍"

Program Maturity

Program Maturity - Cybersecurity and Operational Risk Management

This session provides guidance to improve program maturity in four stages. This risk-prioritized approach can be used to obtain funding. At the conclusion of this session, attendees will be able to: (1) gauge the maturity of their cybersecurity program, (2) identify control gaps and opportunities for improvement and (3) plan for the future and influence funding.

Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level.

Maturity Level 1. Minimal Compliance

Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework.

A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements alone is a minimalistic approach to program design.

Maturity Level 2. Common Controls

Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: deploy controls based on proven methodologies such as the CIS Critical Security Controls (20 controls in version 7, 18 in version 8). Examples:

• Patching
• Penetration testing
• Web application firewall

Establish a risk-based approach for implementing controls.

Maturity Level 3. Risk Management

It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process.

Maturity Level 4. Strong Risk Management

At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.

• The cybersecurity program maintains controls specific to line of business products, services and assets
• An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
• Incident response and business continuity exercises are conducted annually and include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers

A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.

"Attended a local ISC2 Chapter meeting last evening where we had the pleasure of hearing Gideon's Program Maturity presentation. Great stuff! Gideon made easy work of covering some very dense and 'wonky' material with a ton of real world advice on how we as security practitioners can engage our business counterparts constructively. Well done!"

"Thank you so much Gideon T. Rasmussen for your time on behalf of the IIA Central Penn Chapter. Outstanding presentation with great insights!!"

Application Security

DevSecOps Program Architecture

Provides practical advice to design a DevSecOps program. Begins with foundational practices and controls such as security-by-design, code scanning, penetration testing, web application firewall and incident response.

Details ways to increase program maturity including application risk profiles, developer's security toolkit, attack-aware applications, developer's belt program, metrics and more.

Provides tips to develop a roadmap and mature the program over three years. An aggressive ride through DevSecOps...

"Great Presenter! Excellent presentation with real situations and have to improve relationship between dev and secops. Also he articulated very well the risks not only for development, business but also for auditors."

"Great presentation of using existing processes and controls to handle new technologies and methodologies such as DevSecOps."

"This class was very fast paced. More in depth agile training and DevOps would be nice."

"Great content, great exposure to devsecops. Thanks."

"Great presentation."

"Great session! My favorite so far. There were many takeaways that I can take back to my team."

"This was by far the best session I attended!!! Speaker stated that he would not be able to go thru all the slides because of lack of time; however, he did in flying colors!!"

"Speaker was excellent and very knowledgeable."

"My favorite session today was Gideon Rasmussen. His discussion of Software development security operations (DevSecOps - that's a Navy term) Program Architecture was on point. A refreshing viewpoint from a real security practitioner. www.virtualcso.com"

"Thank you for your fantastic presentation on application security fundamentals, best practices for developer security training, metrics, maturity roadmap for application development and ideas on how to continue moving forward once a mature process is reached. Your insights on managing application security are invaluable."

"Great presentation - practical, insightful information! Definitely can use with my team of developers! #continuouslearning #devsecops"

"Amazing presentation. In less than an hour Gideon was able to summarize an end-to-end cybersecurity strategy. Thank you for sharing your knowledge."

"At the beginning of the presentation, you mentioned each slide could be its own 1-hour talk. I didn't believe you, and I was wrong. Great content, really showed your knowledge and experience."

"Excellent presentation! Very insightful simplified guidance over complex security challenges within DevSecOps."

"Gideon, thank you for your practical and insightful DevSecOps presentation today and for carving time from your consulting engagements to advance the knowledge of others at a number of national and international conferences."

"Thank you for delivering such an enlightening presentation that was clearly backed by extensive experience and in-depth knowledge. Your insights were invaluable and provided me with a comprehensive understanding of DevSecOps."

"DevSecOps is such a vital part of the GRC process and your presentation just helped to confirm that."

"Excellent presentation! Learned a lot and can't wait to implement! Looking forward to the next one."

"Great presentation. Looking forward to the opportunity to hear you speak again."

Career Advice: Cybersecurity Professionals

Prove Yourself Ready Now for Promotion - Cybersecurity

This session provides practical advice to prove yourself 'ready now' for a cybersecurity management role. There are 10 takeaways attendees can leverage upon returning to work.

The session begins with ways to align and partner with executives. It includes details of their perspectives and motivations. There are tips for communicating program statuses in ways that resonate with leadership. Program architecture and planning are addressed at a mid-level. Professional development and C-Level presentation round out the session.

Here is the framework of the presentation:

• Understand Executives' Perspective
• Speak in Terms of Risk
• Have Communications Routines
• Communicate Program Statuses
• Have a Focus on the Program
• Plan to Drive the Program Forward
• Use Executive Tools
• Focus on Professional Development
• Be Known
• Prepare for C-Level Presentation

"One of the best presentations I've attended focusing on career growth. Gideon presented clear, concise ideas and why they're important to both the individual as well as the company they work for. I highly recommend attending his presentations."

"It was a really strong session for anyone looking at how to frame the necessary conversations in their career. How to say the words execs will hear is a learned skill. Thanks for such great advice!"

Career Advice: Cybersecurity Leaders

Cybersecurity Team Development and Retention

This session provides InfoSec leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management.

There are tips and examples to help a manager transition to leading a new team. That includes focus on each team member, their current state of professional development and their motivations.

The session shifts to a calendar year format. In January there are 1:1s to understand employees' career goals and to begin developing their performance and development plans.

We discuss how to maintain connections with team members throughout the year, including weekly team meetings, 1:1s with each employee and meaningful conversations within a mid-year review.

The annual planning slides address a day-long brainstorming session with the team, including six strategic cybersecurity goals to frame the conversation. There are also tips for maturing annual goals by meeting with the program executive and partnering on goals with other teams.

The session closes with performance calibration, succession planning, promotions and retention risk.

"Incredibly timely and actionable presentation by Gideon. We are all feeling the global challenge of finding cyber defenders which makes retaining and developing our current teams an imperative!"

"Had the chance to meet Gideon in person this week and soak up some of his experience in building and growing teams. Great presentation, great presenter!"

"This was a great presentation by a well spoken leader. Gideon has a breadth of experience in Cybersecurity and more importantly, building and growing effective teams."

"Great session today @ ISACA Conference. Thank you Gideon, you provide such great examples of Team Development and retention. Here is a great take away: Succession Planning: Who is "ready now" on the team, Who is a good candidate elsewhere, Grooming for the next role."

"This session is full of useful information. I have seen some talented folks leave an organization because they felt they were just a number and received little feedback."

"Excellent and inspiring presentation. Thanks so much for sharing your expertise and experience."

"Thanks so much for the session! I really valued your insights on applying the principles in a practical way!"

"Gideon joined us as a keynote speaker for a cybersecurity event based in Austin, Texas, sharing insights on the topic "Cybersecurity Team Development and Retention." He was excellent to work with throughout the whole process, from preparing talking points, to promoting the event actively with his network, to excellent delivery on stage. The audience enjoyed the talk and engaged with Gideon through an active Q&A -- one attendee even remarked to event organizers: "We rarely get content on how to become a manager in security, or how to best support your team and also advocate for yourself. This was just as helpful as the technical topics we typically get at conferences -- if not more." With feedback like that, we would recommend Gideon as a partner for any paid speaker engagement!"

Fraud Prevention

The Intersection of Fraud Prevention and Cybersecurity

This session provides practical advice to bridge the gap between cybersecurity and fraud prevention practices.

Addresses fraud concepts, checks and balances and the roles of the CFO and CISO.

15 fraud schemes are detailed, such as:

• Employee creates account and makes a payment
• Shell companies and false billing used to commit fraud
• Largest subsets growth scenario

We discuss two financial process maps with threat actors engaged at critical process steps.

This session also addresses transaction data analysis and fraud response practices.

Tips and examples are provided including data sources and testing procedures.

A maturity model and a classification system of 39 fraud schemes close out the session.

"Attended Gideon's session and as usual he did a great job framing up the topic with background info and then walked through several real world fraud scenarios. I definitely have a much better understanding of the fraud-cyber relationship! Thanks Gideon!"

"I appreciated the discussion on fraud events being captured by SIEM/SOC. This could be an entire topic on its own."

"I'm already starting our fraud tabletop exercise based on his list of 15 examples."

"The information provided on the types of fraud and the types of "fraudsters" was very interesting."

"Excellent information with some actionable takeaways. The fraud workflows provide a starting point for inclusion in our office."

"Thanks for a great presentation, Gideon. Reviewing your presentation again as it has helpful actionable steps to incorporate fraud prevention into risk assessment projects."

"I am also an expert in this area and can attest that Gideon's presentation is well thought out and delivered."

"I attended "The Intersection of Fraud Prevention and Cybersecurity" presented by Gideon at the 35th ACFE Global Fraud Conference. It was a great presentation to connect both areas. For a person like me, working for decades in the financial industry, this is very helpful."

"Gideon provided a paid security speaking engagement for a business unit of our company and was very comprehensive. He provided all content and resources and was extremely well prepared. He even went so far as to arrange several calls ahead of the presentation with myself (security professional) and the group head to ensure that the content of the presentation was well tailored for our group. Gideon's presentation was very well received by the team to which he spoke. He got our business people thinking about security and kept them engaged for the duration of the talk."

Assert Influence to Gain Support and Funding

Influencing change with business and IT executives is a learned skill. This session provides practical advice to communicate security risk, with examples to gain support and funding.

Crash course topics:

• How to influence funding
• Risk tolerance statement and a risk register diagram
• Cybersecurity executive committee
• Tabletop exercises that include executives in incident response
• Cybersecurity risk management framework
• Analysis methodologies
• Real world examples to present to executives
• Strategic planning and accomplishments

Includes seven examples to present risk to executives and risk governance practices that produce results.

This is a hard charging session. It concludes with emphasis on the need to be a change agent and to close on projects, initiatives and risk mitigation.

"This was an excellent presentation! Great angles on talking to executives and Boards in a non-technical risk-based format to help secure spend. Very informative and helpful in the world of overly technical presentations that bore executive management teams and boards!"

"#fistbump Gideon T. Rasmussen #VCISO extraordinary providing quality #CPE for our ISC2 Alamo Chapter meeting attendees today! "Selling Security to Senior Executives" is an Art and Science. If you want to become an alchemist of risk management, come to the #whisperer to #informationsecurity professionals like Gideon T. Rasmussen! We appreciate you and your comprehensive presentation today! 😎"

"At our ISC2 Silicon Valley Chapter meeting, Gideon gave an interesting presentation on selling security to executives, that outlined the importance of speaking about security in terms of risk and value. These are the issues that resonate with senior executives. He also outlined various tools to help frame those conversations and drive consensus. I found the material relevant, not only for selling security internally but also for arming our customers on how to promote security initiatives to their senior management. Time well spent!"

"That was an excellent presentation, Gideon T. Rasmussen! I appreciate the practical tips on framing security investments in terms of business value. The "Hook" concept, emphasizing the importance of Always Be Closing, and thinking from the executives' shoes were incredibly insightful."

"Is your organization missing critical security controls? Facing challenges in securing funding to address risks and ensure compliance? Attending Gideon's presentation provided actual scenarios and valuable insights into effectively communicating with executives, understanding the importance of financial acumen, and building a well-funded and staffed cybersecurity team to manage risks and maintain compliance."

"Thank you Gideon T. Rasmussen for your presentation on "Selling security to senior executives" at the ISC2 Alamo Chapter. I really appreciate you taking us step by step through the systems and techniques you use in the risk analysis/risk assessment process. You provided valuable wisdom and insight to everyone on the call. I'm grateful that I was able to attend."

"Gideon T. Rasmussen Thanks for generously sharing your knowledge at the meetup yesterday. Wish I had your framework early on in my career so that I didn't learn things the hard way. Highly recommend Gideon T. Rasmussen's talks."

"Thank you for the presentation Gideon. Valuable insight on best practices for security practitioners seeking budget."

"Great presentation! Gideon T. Rasmussen provided lots of excellent takeaway points about "Selling security to senior executives." I'm glad I was able to attend the event."

"Gideon T. Rasmussen put on an outstanding presentation!! Learned a lot and had some valuable interaction with the audience throughout. Well done!"

"Gideon T. Rasmussen it was an enjoyable session. Very good ideas on leading executives to a predictable plan and path in order to justify spend."

Insider Risk Monitoring and Response

This session provides practical advice to establish insider risk monitoring and response capabilities. Crash course topics:

• Insider threat personas (5)
• Insider threat statistics
• Insider risk management practices
• Insider data exfiltration incident response process diagram
• Response considerations (3 slides)
• Evidence-based inferences
• Continuous data exfiltration monitoring
• HR initiated insider risk monitoring process diagram
• HR monitoring process initiation criteria
• Monitoring when an employee tenders resignation
• Monitoring triggered by behavioral indicators
• Summary: Insider risk management program (6 steps)

Provides tips and examples to overcome reluctance to establish insider risk management controls due to corporate culture.

Includes resources attendees can leverage upon return to work, including 20+ insider risk management activities.

"Awesome session! I will definitely be taking your insights back to my team. Thank you for sharing your experience and expertise with the community."

"I really enjoyed this presentation and had actionable items to include in any Insider Threat and Incident Response plans."

"Thank you for a great session Gideon T. Rasmussen! Lots of great content and actionable takeaways on this very important topic."

"The session was incredibly insightful and engaging! Gideon T. Rasmussen's expertise and comprehensive knowledge on the topic 'Insider Risk Monitoring and Response' surely made it an enriching experience for all attendees. I'm grateful for the opportunity to have been a part of it. Was a truly remarkable experience!"

"The session was thoughtfully tailored to address practical needs. It was both an enjoyable and enlightening experience. Thank you Gideon T. Rasmussen."

Crisis Communications - In the Gravest Extreme

Provides practical advice to support crisis communications. Details how incident response and crisis management teams work together. Includes recommendations for a crisis communications plan, holding statement templates, a data breach notification matrix and a distribution plan. Transitions to 10 reputable practices to communicate effectively. Includes real-world examples of data breach communications. Details a materiality determination process over 6 slides. The session concludes with an overview of tabletop exercises.

There are 31 content slides. This is a crisis communications crash course. It's hard charging and there are resource links at the end of the deck.

"Your presentation on crisis communications was incredibly informative and engaging, offering valuable insights and practical tips for effectively managing and navigating this challenging situation. Great job Gideon!"

"Great presentation. It's obvious that you have lots of experience in crisis communications and I appreciate you sharing it!"

"Gideon T. Rasmussen, Thanks for presenting again for members of the ISACA New England chapter and for the guests who joined the webinar from around the world. Thank you as well for always sharing your expertise with fellow professionals. Look forward to your 'Adaptive Cybersecurity Risk Assessments' presentation on August 20th hosted by the ISACA San Antonio Chapter."

