Ex-CSOs Team, Offer Free Security Help

Former enterprise CSOs from Anheuser-Busch, State Farm Insurance, Deutsche Bank, and other firms form a new team at Websense that assists and mentors other CSOs -- gratis

A team of former CSOs from Zale Corp., Deutsche Bank, The New York Times, Anheuser-Busch, State Farm Insurance, and other big firms has been assembled at Websense to offer free security strategy, assessment, and attack response support to enterprise chief security officers.

The new Office of the CSO group at Websense is led by former Emerson Electric and New York Times CSO Jason Clark. "It started with many of us as previous CSOs. So many CSOs of large companies are struggling," says Clark, who says he was seeing this firsthand in his role as chief security and strategy officer at Websense after leaving his post as CISO and vice president of infrastructure at Emerson Electric.

"I noticed a major gap. I was being asked to come out and help them [CSOs] for an hour or two, and they weren't aligning their security strategies with what the business threats were," says Clark, who conceived of the Office of the CSO idea. "[So] I started hiring this team of all former CSOs from multiple companies that have practiced the craft."

The CSO team doesn't pitch Websense products, and its members say they steer clear of vendor-speak in order to maintain their integrity as impartial advisers and keep open the option of returning to enterprise CSO duties someday. "They wanted to help the community and will go back and be CSOs [again] at another time," Clark says.

But the group still comes with the Websense moniker. Office of the CSO member Neil Thacker, the former head of information security for U.K. national lottery organization Camelot and Deutsche Bank, says he doesn't get rewarded for clients that become paying customers, and the goal is to help the security community. Thacker, who is information security and strategy officer for Websense EMEA, says he took the gig at Websense because he likes educating and supporting security pros; he currently has a caseload of about 30 people.

"I'm very keen to keep my integrity as a security practitioner," he says. "If someone is interested in Websense, I tell them to go to websense.com, and now let's talk about the issues you're facing. I just want to help the community."

Still, the Office of the CSO obviously offers a savvy marketing opportunity for Websense, albeit indirect, security experts say. "This is very good and innovative branding and marketing for Websense," says Mike Rothman, president of Securosis and author of "The Pragmatic CSO." "If anybody can provide access to folks that have been there and done that before, I don't see anything wrong with that."

Rothman says the CSO team fills a gap for organizations that need help in an advisory role but don't want to fork out the big bucks for CSO consulting services. It's likely to be attractive to CSOs who may not have as much hands-on experience and know they need assistance, he says. "I think it's going to cater to a CSO that's mature enough to understand what they don't know," he says. "There is clearly a need out there for that kind of mentoring, an advisory shoulder to cry on ... a 'therapist.'"

The Websense CSO team offers free threat strategy assessment with a kill chain model exercise; security framework review using a threat simulation penetration test in a sandbox; a "toolkit" for CSOs that provides guidance on security success and training employees; and boardroom assistance, where the team offers communication strategies for aligning security projects with business plans and strategies.

But there are other free venues available for CSOs to share and learn from one another, such as industry ISACs and ISSA and other intelligence-sharing groups. "I would argue that these spaces are extremely valuable," says Eddie Schwartz, CSO for RSA Security, an EMC company.

Schwartz says he meets CSOs from around the world who often share with him the challenges or issues they are facing. He says he tries to help them, but he also connects them to other peers who may be a better match for a particular issue. It's all about free networking, information, and intelligence-sharing, he says.

"You find a lot of major vendors have that kind of thing going on," he says. "It's something we do."

[Attacks out of China that hit Google, Adobe, Intel, and other U.S. companies were not only a wake-up call for businesses in denial about persistent targeted attacks and cyberespionage, but they also forced the chief information security officer (CISO) to step out of the corporate confines and reach out to peers at other organizations. See 'Operation Aurora' Changing The Role Of The CISO.]

Clark says the Websense Office of the CSO's initial consultation is typically an hour-long conversation with the client, and then includes on-site visits as well. "We offer a threat modeling service ... you tell me three things you are worried about, and we put on a whiteboard what the controls are in each stage," Clark says. That could then become the client's next investments, he says.

A newly anointed CSO from a Fortune 1000 firm, for example, reached out to the Office of the CSO group. His bosses had asked him for a pitch on why the company needed a CSO, an update on the current state of security -- and a three-year security strategy for the company. "This guy was promoted to CSO -- he had been with his company for 12 years," Clark says. "He called us because he didn't know who to call" for help on this, he says.

Just how long a freebie service can survive in today's constantly changing security space is unclear. "We'll see if it has any staying power," Securosis' Rothman says. "I think it's a good concept, and it's good for the industry."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

8/28/2013 | 2:18:39 PM
re: Ex-CSOs Team, Offer Free Security Help
Sounds great, thanks for the info!