11/10/2016
10:00 AM
Vincent Liu
Commentary

How Security Scorecards Advance Security, Reduce Risk

CISO Josh Koplik offers practical advice about bridging the gap between security and business goals in a consumer-facing media and Internet company.

JK: Absolutely. You can put a lot of effort in and not move your grade. I have a few different ways that I acknowledge those bits of progress. I give brownie points on the scorecard like, “investments have been made in this area,” etc. We’ve had to stay regularly involved with the people who are responsible for implementation. We need to keep them honest because it’s not that they are being maliciously deceptive; they are putting a positive spin on things. The other thing people do is that they give you their optimistic six-months-from-now answer. People need to answer in the present tense.

VL: How do you handle the situation where you have trouble communicating to people who are not primed to worry about security?

JK: I don’t think those people exist in 2016. What people do exist are those who feign that they are absolutely committed to security and they tell you everything you want to hear … and then they don’t do anything. I don’t think this is malicious. Security just falls on that long list of things that they want to do and then they have to make business decisions. Your conversation with them was reduced to three line items on their budget.

VL: So how do you get that crucial buy-in from executives? Is security ever an asset to them?

JK: I frame it as there is a minimum level of security necessary to run a consumer-facing web company in 2016, and we need to make sure our security practices are up to that level. I explained this to our CEO and the CEO of one of our subsidiaries as well and asked if they see security as a marketable feature. They both said there’s no way to use security strategically from a business or marketing standpoint.

Their reasoning was best explained as: “It’s a slippery slope, and a dangerous road to go down, to say we’re secure, because you are creating liability for yourself. If you ever do have an incident, then you have the problem that you claimed you were secure and you were not.”

Personality Bytes

Josh Koplik, Chief Information Security Officer, IAC

Start in security: I grew up in the Midwest, and in 1994, all I wanted was to access the Internet. As I grew older, I landed jobs in tech, and the Internet became more accessible. I did some help desk stuff in college, and I worked as a C developer at a startup in the late ‘90s. I preferred doing more infrastructure-type things. I eventually moved to Fidelity as a security engineer.

Networks versus application experience? Applications because they are harder to learn if you don’t have the background. To understand application security, you have to understand what’s happening everywhere else.

Best career advice to security engineers: As a technician, you are bound to hit a ceiling so at some point, you have to step up and take on leadership roles, learn the ways to navigate an organization, work with constituents, and build support for initiatives.

Advice for a CISO or CSO moving into a newly created role: Don’t build relationships only with the C-level people. Build them with the people who are responsible for implementation, too. When they come to me, I always urge them to help me understand where they are having issues [because] we have to tell the security story together. With the C-level, ask them what they want to see. Keep things simple. Only measure something that you can accurately measure. Only tell a story if you can tell it to the end.

Biography: Joshua J. Koplik joined IAC/InterActive Corp. in September of 2014 as its chief information security officer. In this capacity, Koplik oversees information security across IAC and its broad portfolio of subsidiary businesses, which include Match, OKCupid, HomeAdvisor, and Tinder. Koplik previously served as director, global information security for Home Box Office, Inc. from 2009 to 2014, where he was responsible for information security & compliance for HBO’s global enterprise. Prior to joining HBO at its New York headquarters, Koplik served as director of technology risk management for Fidelity Investments in Boston. Mr. Koplik completed his bachelor’s degree in computer science from the University of Massachusetts, Boston, and has held a CISSP certification since 2005.


Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...

Comments
Mervyn Chapman, User Rank: Apprentice
12/26/2016 | 10:59:07 PM
Good article!
The Security field has always suffered from a shortage of effective ways to measure progress. This is by no means perfect (as they both state), but it's a good defensible start for an organizational measurement effort.

Benefiter, User Rank: Apprentice
11/12/2016 | 10:05:35 AM
Re:
Nice article, thanks a lot for your kind sharing!

Lily652, User Rank: Moderator
11/12/2016 | 5:18:04 AM
prayer times
Fine post. Thanks, I'll follow the next one. Useful and interesting information.