Vulnerabilities / Threats

1/25/2019
10:30 AM
Todd Fitzgerald
Todd Fitzgerald
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The 5 Stages of CISO Success, Past & Future

In cybersecurity, as in history, security leaders who forget the lessons of the past will be doomed to repeat them.

The chief information security officer (CISO) role may seem relatively new to those who work in organizations hiring their first or second CISO. However, it has been almost 25 years since Steve Katz was hired as the first CISO at Citibank. While few organizations would argue today that an organization does not need someone accountable for the cybersecurity program, the role is quite varied across organizations.

The position may exist at an executive level (i.e., executive or senior vice president role), a middle management role (director/manager) or may be an individual role combined with other system administration activities in a small organization. Whatever the level, to quote Harry Truman, what CISOs should know to be successful today is that the only thing new in the world is the history you don't know.”

I believe the past teaches us that there are five distinct stages of CISO evolution that lead to a cybersecurity success story. Each stage had a different focus based upon the events at the time, as shown in the following diagram.

Graphic Source: Todd Fitzgerald
Graphic Source: Todd Fitzgerald

CISO Phase 1: The Limited Security Phase (Pre-2000)
Organizations secured their assets during this phase, but without the level of management and board of director awareness we have today. The function was typically buried in the data center and the main function was to provide logon access and authorization to files. As such, the function was primarily a technically oriented function.

2019 CISO Advisory: Technical skills are still necessary, but not sufficient for CISO success. Emphasis should be on breadth of technical knowledge across the entire infrastructure versus depth in a specific technology.

CISO Phase 2: Regulatory Compliance (2000–2004)
This phase saw the passage of a plethora of new laws addressing privacy and security in the healthcare, government, and financial sectors. It was during this period that the requirement for an "information security officer," commonly referred to today as the CISO, came into being for many organizations. Connectivity to the Internet and mainstream awareness of data breaches were occurring. Company resources were mobilized to "check the box" for security compliance, typically adhering to a set of controls defined by ISO27001/2 or COBIT.

2019 CISO Advisory: The laws are ever-changing, and the CISO needs to be aware of laws affecting the organization, as well as the differences between the controls necessary to be compliant with each law. Successful CISOs will consolidate these requirements and tie implementation projects to satisfy multiple laws to reduce organizational change management disruption.

CISO Phase 3: Risk-Oriented CISO (2004–2008)
The "check-the-box" compliance phase did not live up to expectations because organizations could not afford to secure all the information equally. The movement to a risk-based approach facilitated allocation of funds to more critical assets and a better use of people, process, and technology. This also provided an inroad to corporate risk management and enabled a conversation of information security risk along with other organizational risks.

2019 CISO Advisory: CISOs must always look at controls in terms of probability and impact, recognizing the organization can choose to accept, mitigate, transfer, or avoid the risk. These risk strategies must be clearly defined and explicitly approved by management.

CISO Phase 4: Socially Mobile Cloud-Enabled Threat Aware CISO (2008–2016)
Just when the CISO was getting a handle on risk, new technologies were implemented, such as the introduction of social media on a mass scale, a smartphone in every pocket, consumerization of technology, and migration to the cloud. All of this happened in less than a decade, and the CISO had to adjust. The CISO could not say, "No, this technology is too risky."

2019 CISO Advisory: The technical environment today will substantially change within the next five to 10 years. Artificial intelligence, the Internet of Things, managed security service provider outsourcing, machine learning, quantum computing, blockchain, mobile applications, managing third-party vendor relationships, and different methods of managing these components will emerge, and the CISO will need to stay ahead of the curve to adapt. Always.

CISO Phase 5: Privacy and the Data-Aware CISO (2016–2020s)
Several major incidents involving the use of personal information for social media purposes beyond the expectations of individuals has given rise to an increased focus on privacy. The General Data Protection Regulation (GDPR), effective May 2018, also increased the visibility of data protection through the introduction of substantial fines as much as 4% of annual turnover (revenue). Organizations, until now, typically have been deficient in the management and retention of unstructured data as well as business ownership and access to the structured information within the organization.

2019 CISO Advisory: The CISO must have knowledge of the critical information assets, or crown jewels: where they are kept, for what purpose, and for how long. The CISO should become as knowledgeable in privacy laws and concepts as much as being knowledgeable of security practices. The CISO must know where the data is, how it flows through the organization, and how it is being secured. In the event of a breach, this information becomes crucial for the incident response teams.

We still have a long way to go to educate members of the workforce with their own roles with respect to cybersecurity. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, only 34% of employees, outside of the security team, adequately understand their role in the organization's desired cybersecurity culture.

Bottom line, in 2019 the CISO who understands the breadth of technology used and desired by the organization, complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking), and knows how the privacy regulations affect the organization (where the data is, how it is being used, and how it is being protected) will be the CISOs in demand by their organization and others.

Author’s note: This evolution to CISO and the implications, along with an insightful interview with the first CISO, Steve Katz, are detailed in the author's newly released 2019 book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

Related Content:

Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books  —   CISO Compass: Navigating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EdwardThirlwall
50%
50%
EdwardThirlwall,
User Rank: Apprentice
2/20/2019 | 3:50:03 AM
Defend and protect!
I'm sure that the requirements are going to continue to change across the ages. What is more important is that the CISO has relevant knowledge and experience to deal with exceptions as they happen. I reckon that crisis handling would be one of the top priorities that they would have to know how to handle, above and beyond preventative measures for their company!
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
2/19/2019 | 2:33:16 AM
Is it extra or necessary?
It is true that we often think lightly of things that we are not aware of. If a particular position isn't something that is familiar within the organisation that we work in, we might perceive it as unnecessary. Little do we know that other firms have actually been hiring one in order to ensure everything is in order. So are they just doing something extra or are we really the party who is missing out on something?
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
CVE-2019-11459
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
CVE-2019-11460
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
CVE-2019-8452
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...