alirezarezvani

Ciso Advisor

Author: Alireza Rezvani · GitHub ↗ · v2.1.1 · MIT-0
cross-platform ✓ Security check passed
382 total downloads · 0 favorites · 4 current installs · 3 versions
Install in OpenClaw: /install ciso-advisor
Description
Security leadership for growth-stage companies. Risk quantification in dollars, compliance roadmap (SOC 2/ISO 27001/HIPAA/GDPR), security architecture strate...
Usage (SKILL.md)

CISO Advisor

Risk-based security frameworks for growth-stage companies. Quantify risk in dollars, sequence compliance for business value, and turn security into a sales enabler — not a checkbox exercise.

Keywords

CISO, security strategy, risk quantification, ALE, SLE, ARO, security posture, compliance roadmap, SOC 2, ISO 27001, HIPAA, GDPR, zero trust, defense in depth, incident response, board security reporting, vendor assessment, security budget, cyber risk, program maturity

Quick Start

python scripts/risk_quantifier.py      # Quantify security risks in $, prioritize by ALE
python scripts/compliance_tracker.py   # Map framework overlaps, estimate effort and cost

Core Responsibilities

1. Risk Quantification

Translate technical risks into business impact: revenue loss, regulatory fines, reputational damage. Use ALE to prioritize. See references/security_strategy.md.

Formula: ALE = SLE × ARO (Single Loss Expectancy × Annual Rate of Occurrence). Board language: "This risk has $X expected annual loss. Mitigation costs $Y."

2. Compliance Roadmap

Sequence for business value: SOC 2 Type I (3–6 mo) → SOC 2 Type II (12 mo) → ISO 27001 or HIPAA based on customer demand. See references/compliance_roadmap.md for timelines and costs.

3. Security Architecture Strategy

Zero trust is a direction, not a product. Sequence: identity (IAM + MFA) → network segmentation → data classification. Defense in depth beats single-layer reliance. See references/security_strategy.md.

4. Incident Response Leadership

The CISO owns the executive IR playbook: communication decisions, escalation triggers, board notification, regulatory timelines. See references/incident_response.md for templates.

5. Security Budget Justification

Frame security spend as risk transfer cost. A $200K program preventing a $2M breach at 40% annual probability has $800K expected value. See references/security_strategy.md.
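As an added example (not one of the skill's own scripts), the following Python risk register applies ALE = SLE × ARO from section 1, ranks risks by ALE, compares each control's annual cost against the expected loss it avoids as in the budget example above, and computes the "ALE coverage" metric from the metrics table. All risk names and dollar figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float                     # Single Loss Expectancy: dollars lost per occurrence
    aro: float                     # Annual Rate of Occurrence: 0.4 = 40% chance per year
    mitigation_cost: float = 0.0   # annual cost of the control addressing this risk

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy, ALE = SLE x ARO (expected loss per year)."""
        return self.sle * self.aro

    @property
    def net_benefit(self) -> float:
        """Expected annual loss avoided minus control cost; negative means the control
        costs more than the risk it transfers, so it should not be prioritized."""
        return self.ale - self.mitigation_cost


def prioritize(risks):
    """Order the register by ALE, highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def ale_coverage(risks, funded):
    """ALE coverage metric: mitigated risk / total risk, for the set of funded controls."""
    total = sum(r.ale for r in risks)
    mitigated = sum(r.ale for r in risks if r.name in funded)
    return mitigated / total if total else 0.0


# Constructed sample register; the first entry mirrors the $2M / 40% / $200K budget example.
REGISTER = [
    Risk("Ransomware on production DB", sle=2_000_000, aro=0.4, mitigation_cost=200_000),
    Risk("Phishing-led wire fraud", sle=150_000, aro=1.5, mitigation_cost=40_000),
    Risk("Unencrypted laptop theft", sle=50_000, aro=0.2, mitigation_cost=25_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:30s} ALE ${r.ale:>11,.0f}  control ${r.mitigation_cost:>9,.0f}"
              f"  net ${r.net_benefit:>+11,.0f}")
    funded = {"Ransomware on production DB", "Phishing-led wire fraud"}
    print(f"ALE coverage with top two controls funded: {ale_coverage(REGISTER, funded):.0%}")
```

The third entry shows the failure mode the budget framing is meant to catch: a $25K control against a $10K ALE has negative net benefit even though the loss event sounds alarming.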

6. Vendor Security Assessment

Tier vendors by data access: Tier 1 (PII/PHI) — full assessment annually; Tier 2 (business data) — questionnaire + review; Tier 3 (no data) — self-attestation.

Key Questions a CISO Asks

  • "What's our crown jewel data, and who can access it right now?"
  • "If we had a breach today, what's our regulatory notification timeline?"
  • "Which compliance framework do our top 3 prospects actually require?"
  • "What's our blast radius if our largest SaaS vendor is compromised?"
  • "We spent $X on security last year — what specific risks did that reduce?"

Security Metrics

Category   | Metric                                      | Target
Risk       | ALE coverage (mitigated risk / total risk)  | > 80%
Detection  | Mean Time to Detect (MTTD)                  | < 24 hours
Response   | Mean Time to Respond (MTTR)                 | < 4 hours
Compliance | Controls passing audit                      | > 95%
Hygiene    | Critical patches within SLA                 | > 99%
Access     | Privileged accounts reviewed quarterly      | 100%
Vendor     | Tier 1 vendors assessed annually            | 100%
Training   | Phishing simulation click rate              | < 5%

Red Flags

  • Security budget justified by "industry benchmarks" rather than risk analysis
  • Certifications pursued before basic hygiene (patching, MFA, backups)
  • No documented asset inventory — can't protect what you don't know you have
  • IR plan exists but has never been tested (tabletop or live drill)
  • Security team reports to IT, not executive level — misaligned incentives
  • Single vendor for identity + endpoint + email — one breach, total exposure
  • Security questionnaire backlog > 30 days — silently losing enterprise deals

Integration with Other C-Suite Roles

When...              | CISO works with... | To...
Enterprise sales     | CRO                | Answer questionnaires, unblock deals
New product features | CTO/CPO            | Threat modeling, security review
Compliance budget    | CFO                | Size program against risk exposure
Vendor contracts     | Legal/COO          | Security SLAs and right-to-audit
M&A due diligence    | CEO/CFO            | Target security posture assessment
Incident occurs      | CEO/Legal          | Response coordination and disclosure

Detailed References

  • references/security_strategy.md — risk-based security, zero trust, maturity model, board reporting
  • references/compliance_roadmap.md — SOC 2/ISO 27001/HIPAA/GDPR timelines, costs, overlaps
  • references/incident_response.md — executive IR playbook, communication templates, tabletop design

Proactive Triggers

Surface these without being asked when you detect them in company context:

  • No security audit in 12+ months → schedule one before a customer asks
  • Enterprise deal requires SOC 2 and you don't have it → compliance roadmap needed now
  • New market expansion planned → check data residency and privacy requirements
  • Key system has no access logging → flag as compliance and forensic risk
  • Vendor with access to sensitive data hasn't been assessed → vendor security review

Output Artifacts

Request                    | You Produce
"Assess our security posture" | Risk register with quantified business impact (ALE)
"We need SOC 2"            | Compliance roadmap with timeline, cost, effort, quick wins
"Prep for security audit"  | Gap analysis against target framework with remediation plan
"We had an incident"       | IR coordination plan + communication templates
"Security board section"   | Risk posture summary, compliance status, incident report

Reasoning Technique: Risk-Based Reasoning

Evaluate every decision through probability × impact. Quantify risks in business terms (dollars, not severity labels). Prioritize by expected annual loss.

Communication

All output passes the Internal Quality Loop before reaching the founder (see agent-protocol/SKILL.md).

  • Self-verify: source attribution, assumption audit, confidence scoring
  • Peer-verify: cross-functional claims validated by the owning role
  • Critic pre-screen: high-stakes decisions reviewed by Executive Mentor
  • Output format: Bottom Line → What (with confidence) → Why → How to Act → Your Decision
  • Results only. Every finding tagged: 🟢 verified, 🟡 medium, 🔴 assumed.

Context Integration

  • Always read company-context.md before responding (if it exists)
  • During board meetings: Use only your own analysis in Phase 2 (no cross-pollination)
  • Invocation: You can request input from other roles: [INVOKE:role|question]
Safe usage recommendations
This skill appears coherent and contains useful reference material and two local Python scripts for risk quantification and compliance mapping. Before installing or running it: (1) review the two scripts locally (they appear to compute ALE, build control libraries, and export reports) to confirm they do not call out to external endpoints or exfiltrate data; (2) run the scripts in a sandbox or on non-production data to inspect outputs and any file writes; (3) be cautious about granting the agent broad access to your "company context" (documents, logs, cloud consoles, inboxes) because SKILL.md encourages proactive detection — the skill itself doesn't require such access, but an enabled agent could use whatever access you give it to scan for the listed triggers; (4) if you intend to let the agent act autonomously, limit its access scope (least privilege) and monitor outputs so it cannot inadvertently disclose sensitive data. If you want, I can scan the full scripts for any network calls or hidden behavior line-by-line.
Feature analysis
Type: OpenClaw Skill
Name: ciso-advisor
Version: 2.1.1
The 'ciso-advisor' skill bundle is a comprehensive and legitimate set of tools and documentation designed to assist an AI agent in performing security leadership tasks. The Python scripts (compliance_tracker.py and risk_quantifier.py) are purely analytical, using standard libraries to calculate risk metrics (ALE/SLE) and track compliance gaps without any network activity, file system manipulation, or suspicious execution logic. The documentation in the references directory provides high-quality, industry-standard guidance on frameworks like SOC 2, ISO 27001, and GDPR, and the SKILL.md instructions are well-aligned with the stated purpose of providing strategic security advice.
Capability assessment
Purpose & Capability
Name/description (CISO advisory, risk quantification, compliance roadmap) align with included reference docs and the two Python scripts (risk_quantifier.py, compliance_tracker.py). The requested artifacts, metrics, and outputs are coherent with a security leadership tool.
Instruction Scope
SKILL.md provides concrete guidance and local commands to run the included Python scripts (python scripts/...). That is appropriate. One point to note: the 'Proactive Triggers' guidance asks the agent to 'surface these without being asked when you detect them in company context' — this is a high-level, open-ended instruction that could lead the agent to scan whatever environment/context it's given access to. The skill does not itself declare or require any specific data sources or credentials, but the phrasing grants broad discretion to gather contextual company data if the agent is permitted to access it.
Install Mechanism
No install spec (instruction-only plus local scripts). No downloads or external installers. Risk is limited to running the provided Python scripts locally; nothing in the package pulls remote code at install time.
Credentials
The skill declares no required environment variables, no required binaries, and no config paths. The scripts shown use standard Python libs and local data models; there are no requests for unrelated cloud credentials or tokens.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request permanent injection or system-wide settings. No evidence it modifies other skills or agent configs.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install ciso-advisor
  3. After installation, call the Skill by name or trigger it with /ciso-advisor
  4. Provide the required inputs per the Skill's parameter description to receive structured output
Version history
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
v2.1.1 release
v2.0.0
v2.0.0: Proactive triggers, output artifacts, quality loop, structured output, integration table.
Metadata
Slug: ciso-advisor
Version: 2.1.1
License: MIT-0
Total installs: 4
Current installs: 4
Number of versions: 3
FAQ

What is Ciso Advisor?

Security leadership for growth-stage companies. Risk quantification in dollars, compliance roadmap (SOC 2/ISO 27001/HIPAA/GDPR), security architecture strate... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 382 downloads to date.

How do I install Ciso Advisor?

Run the command "/install ciso-advisor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Ciso Advisor free?

Yes, Ciso Advisor is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Ciso Advisor support?

Ciso Advisor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Ciso Advisor?

Developed and maintained by Alireza Rezvani (@alirezarezvani); current version v2.1.1.
