Operations

6/13/2018
10:00 AM
Joel Fulton
Commentary

Why CISOs Need a Security Reality Check

We deserve a seat at the executive table, and we'll be much better at our jobs once we take it.

There is a problem with information security today. I don't mean the skills gap or the issues surrounding data privacy. I don't mean the struggle to keep ahead of the most recent threats and vulnerabilities. I don't even mean the next General Data Protection Regulation. In fact, this problem isn't a new problem; it has always been around.

Those other conversations are vitally important, but I'm referring instead to a pervasive and insidious problem, one as important as any other security challenge the industry currently faces: we security practitioners have either lost our way or, most often, failed to understand what our roles should be in the first place.

Let me explain.

In April, I attended the RSA Conference in San Francisco, where I met with some of the most cutting-edge security innovators in the country. Leaders gathered to share war stories and best practices, as well as demo and test the newest security tools they might take home to their own organizations. But something was missing.

RSA is an exciting conference that celebrates and represents the vibrant security community — attending typically is encouraging for the future. But as much as RSA symbolizes security's best, so too it is part of the problem: flash, swag, and groupthink. In sum, there's an over-reliance on the flavor of the week rather than on sound security best practices.

Not All That Glitters Is Gold
So, why does this focus on the "latest and greatest" security technology exist? In conversations with many other chief information security officers (CISOs), two answers rise to the top: first, the average tenure of a CISO is short. Perfect data on this is hazy, but it has been reported to be as short as 17 months, though there is indication the number is rising. Second, many CISOs still don't think or act as though we've earned the "C" in our titles.

The comparatively short CISO tenure is often rooted in the individual CISO's desire for gain and fear of loss. Most CISOs have very little upward or lateral mobility within an organization. To grow in our careers, improve our salaries, and gain new experiences, it's easier to move to other organizations. Further, a typical CISO must balance between being somewhere too short a time to take blame ("it was the last person's fault"), long enough to leave an impact (so you can have successes to point to when looking for your next job), and too long (where a security incident actually happens and you take the fall).

As a result, we often choose to set short-term goals with shallow impact and do so with more condensed time frames than other C-level peers; we often seem desperate to show progress but choose methods that prevent it. We are tempted to do the easy things first, and leave the hardest things to the future ... or the next CISO.

All too often, these take the form of the new "shiny" security solution to make ourselves look good before taking the "quit while we are ahead" approach and moving to another organization to reset the scales. It's easy and common to fall into a consumer-mindset trap, buying the latest gadget, knowing full well that if it doesn't actually improve security, at least it looks like the CISO is doing something. It is a harsh truth, but not something I think is unfair. CISOs will frequently nod in agreement when discussing this subject and agree we can do better.

How We Can Change
For many organizations, the CISO role is relatively new, and as such, many organizations remain unsure of how to incorporate the position into the enterprise's operations. At Splunk, I'm fortunate this is not the case, but I've heard time and time again that it is true for many of my peers.

As a result, we CISOs are often left feeling unsure of our place at the table. Rather than being seen as strategic advisers, too many CISOs are seen as the people who just say "no." That's in contrast with other divisions of the organization, such as sales, marketing, and product development; when security is successful, you don't hear about it.

We need to do a better job of proving our ROI to the mission of the enterprise. We need to commit to a disciplined focus on achieving excellence in the fundamentals and delivering on the hard tasks, even if they are slow to accomplish and don't lead to stage presentations. We need to do a better job of understanding why, and in what ways, security is a critical standard business practice, equal in importance and function to every other operational area of an enterprise, and then show through our actions that we believe it.

Today, security is swarmed by new applications and tools that promise to make security operations easier and organizations more secure. From automation to artificial intelligence, we're in a golden age of security innovation. It's easy to get swept up in the excitement, but we are moving past the era where security needs to be flashy. Instead, let's be a little more introspective and a lot more disciplined.

My charge to all CISOs and aspiring CISOs out there: spend some time reflecting on your own security practices. Know that security is no longer seen as a sunk cost to enterprises but as a core part of business. We do deserve a seat at the table, and we'll be much better at our jobs once we take it.


Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ...
Comments
REISEN1955, User Rank: Ninja, 6/14/2018 | 12:57:43 PM
Equifax
The CEO of this ongoing train wreck showed the true attitude of the C-suite to security pro issues when he testified that only one (1) IT drone unit was responsible for the hell at this firm --- by failing to apply a patch. Wow! Total ignorance of complex issues if their entire security protocol rests on one chap. Incredible, and from what I hear, many American firms are equally blind. So we do NOT GET RESPECT and probably never will. We should have such a seat --- but don't hold your breath.