05:06 PM
Ex-CSOs Team, Offer Free Security Help

Former enterprise CSOs from Anheuser-Busch, State Farm Insurance, Deutsche Bank, and other firms form a new team at Websense that assists and mentors other CSOs -- gratis

A team of former CSOs from Zale Corp., Deutsche Bank, The New York Times, Anheuser-Busch, State Farm Insurance, and other big firms has been assembled at Websense to offer free security strategy, assessment, and attack response support to enterprise chief security officers.

The new Office of the CSO group at Websense is led by former Emerson Electric and New York Times CSO Jason Clark. "It started with many of us as previous CSOs. So many CSOs of large companies are struggling," says Clark, who says he was seeing this firsthand in his role as chief security and strategy officer at Websense after leaving his post as CISO and vice president of infrastructure at Emerson Electric.

"I noticed a major gap. I was being asked to come out and help them [CSOs] for an hour or two, and they weren't aligning their security strategies with what the business threats were," says Clark, who conceived of the Office of the CSO idea. "[So] I started hiring this team of all former CSOs from multiple companies that have practiced the craft."

The CSO team doesn't pitch Websense products, and its members say they steer clear of vendor-speak in order to remain impartial, which also leaves them free to return to enterprise CSO duties someday. "They wanted to help the community and will go back and be CSOs [again] at another time," Clark says.

But the group still comes with the Websense moniker. Office of the CSO member Neil Thacker, the former head of information security for U.K. national lottery organization Camelot and Deutsche Bank, says he doesn't get rewarded for clients that become paying customers, and the goal is to help the security community. Thacker, who is information security and strategy officer for Websense EMEA, says he took the gig at Websense because he likes educating and supporting security pros; he currently has a caseload of about 30 people.

"I'm very keen to keep my integrity as a security practitioner," he says. "If someone is interested in Websense, I tell them to go to websense.com, and now let's talk about the issues you're facing. I just want to help the community."

Still, the Office of the CSO obviously offers a savvy marketing opportunity for Websense, albeit indirect, security experts say. "This is very good and innovative branding and marketing for Websense," says Mike Rothman, president of Securosis and author of "The Pragmatic CSO." "If anybody can provide access to folks that have been there and done that before, I don't see anything wrong with that."

Rothman says the CSO team fills a gap for organizations that need help in an advisory role but don't want to fork out the big bucks for CSO consulting services. It's likely to be attractive to CSOs who may not have as much hands-on experience and know they need assistance, he says. "I think it's going to cater to a CSO that's mature enough to understand what they don't know," he says. "There is clearly a need out there for that kind of mentoring, an advisory shoulder to cry on ... a 'therapist.'"

The Websense CSO team offers free threat strategy assessment with a kill chain model exercise; security framework review using a threat simulation penetration test in a sandbox; a "toolkit" for CSOs that provides guidance on security success and training employees; and boardroom assistance, where the team offers communication strategies for aligning security projects with business plans and strategies.

But there are other free venues available for CSOs to share and learn from one another, such as industry ISACs and ISSA and other intelligence-sharing groups. "I would argue that these spaces are extremely valuable," says Eddie Schwartz, CSO for RSA Security, an EMC company.

Schwartz says he meets CSOs from around the world who often share with him the challenges or issues they are facing. He says he tries to help them, but he also connects them to other peers who may be a better match for a particular issue. It's all about free networking, information, and intelligence-sharing, he says.

"You find a lot of major vendors have that kind of thing going on," he says. "It's something we do."

[Attacks out of China that hit Google, Adobe, Intel, and other U.S. companies were not only a wake-up call for businesses in denial about persistent targeted attacks and cyberespionage, but they also forced the chief information security officer (CISO) to step out of the corporate confines and reach out to peers at other organizations. See 'Operation Aurora' Changing The Role Of The CISO.]

Clark says the Websense Office of the CSO's initial consultation is typically an hour-long conversation with the client, followed by on-site visits. "We offer a threat modeling service ... you tell me three things you are worried about, and we put on a whiteboard what the controls are in each stage," Clark says. Those controls could then become the client's next investments, he says.

A newly anointed CSO from a Fortune 1000 firm, for example, reached out to the Office of the CSO group. His bosses had asked him for a pitch on why the company needed a CSO, an update on the current state of security -- and a three-year security strategy for the company. "This guy was promoted to CSO -- he had been with his company for 12 years," Clark says. "He called us because he didn't know who to call" for help on this, he says.

Just how long a freebie service can survive in today's constantly changing security space is unclear. "We'll see if it has any staying power," Securosis' Rothman says. "I think it's a good concept, and it's good for the industry."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

8/28/2013 | 2:18:39 PM
re: Ex-CSOs Team, Offer Free Security Help
Sounds great, thanks for the info!