11/10/2016 10:00 AM
Vincent Liu
Commentary

How Security Scorecards Advance Security, Reduce Risk

CISO Josh Koplik offers practical advice about bridging the gap between security and business goals in a consumer-facing media and Internet company.

JK: Absolutely. You can put a lot of effort in and not move your grade. I have a few different ways that I acknowledge those bits of progress. I give brownie points on the scorecard like, “investments have been made in this area,” etc. We’ve had to stay regularly involved with the people who are responsible for implementation. We need to keep them honest because it’s not that they are being maliciously deceptive; they are putting a positive spin on things. The other thing people do is that they give you their optimistic six-months-from-now answer. People need to answer in the present tense.

VL: How do you handle the situation where you have trouble communicating to people who are not primed to worry about security?

JK: I don’t think those people exist in 2016. What people do exist are those who feign that they are absolutely committed to security and they tell you everything you want to hear … and then they don’t do anything. I don’t think this is malicious. Security just falls on that long list of things that they want to do and then they have to make business decisions. Your conversation with them was reduced to three line items on their budget.

VL: So how do you get that crucial buy-in from executives? Is security ever an asset to them?

JK: I frame it as there is a minimum level of security necessary to run a consumer-facing web company in 2016, and we need to make sure our security practices are up to that level. I explained this to our CEO and the CEO of one of our subsidiaries as well and asked if they see security as a marketable feature. They both said there’s no way to use security strategically from a business or marketing standpoint.

Their reasoning was best explained as: “It’s a slippery slope, and dangerous road to go down to say we’re secure because you are creating liability for yourself. If you ever do have an incident, then you have the problem that you claimed you were secure and you were not.”

Personality Bytes

Josh Koplik, Chief Information Security Officer, IAC

Start in security: I grew up in the Midwest, and in 1994, all I wanted was to access the Internet. As I grew older, I landed jobs in tech, and the Internet became more accessible. I did some help desk stuff in college, and I worked as a C developer at a startup in the late ’90s. I preferred doing more infrastructure-type things. I eventually moved to Fidelity as a security engineer.

Networks versus application experience? Applications because they are harder to learn if you don’t have the background. To understand application security, you have to understand what’s happening everywhere else.

Best career advice to security engineers: As a technician, you are bound to hit a ceiling so at some point, you have to step up and take on leadership roles, learn the ways to navigate an organization, work with constituents, and build support for initiatives.

Advice for a CISO or CSO moving into a newly created role: Don’t build relationships only with the C-level people. Build them with the people who are responsible for implementation, too. When they come to me, I always urge them to help me understand where they are having issues [because] we have to tell the security story together. With the C-level, ask them what they want to see. Keep things simple. Only measure something that you can accurately measure. Only tell a story if you can tell it to the end.

Biography: Joshua J. Koplik joined IAC/InterActive Corp. in September of 2014 as its chief information security officer. In this capacity, Koplik oversees information security across IAC and its broad portfolio of subsidiary businesses, which include Match, OKCupid, HomeAdvisor, and Tinder. Koplik previously served as director, global information security for Home Box Office, Inc. from 2009 to 2014, where he was responsible for information security & compliance for HBO’s global enterprise. Prior to joining HBO at its New York headquarters, Koplik served as director of technology risk management for Fidelity Investments in Boston. Mr. Koplik completed his bachelor’s degree in computer science from the University of Massachusetts, Boston, and has held a CISSP certification since 2005.


Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...

Comments
Mervyn Chapman, User Rank: Apprentice
12/26/2016 | 10:59:07 PM
Good article!
The Security field has always suffered from a shortage of effective ways to measure progress. This is by no means perfect (as they both state), but it's a good defensible start for an organizational measurement effort.

Benefiter, User Rank: Apprentice
11/12/2016 | 10:05:35 AM
Re:
Nice article, thanks a lot for your kind sharing!

Lily652, User Rank: Moderator
11/12/2016 | 5:18:04 AM
prayer times
Fine post. Thanks, I'll follow the next one. Useful and interesting information.
