Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 1:45:24 PM
Re: Disagree, surprise there
@GonzSTL... then please consider my comments reinforcement... and you can never have enough of that!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 1:10:16 PM
Re: Disagree, surprise there
@ODA155 I'm not sure that we disagree on much. I am by no means advocating that a CISO must have a CISSP. I mentioned the CISSP to detail what the certification encompassed. Additionally, I brought the certification topic as the tie breaker when everything else appears equal with respect to business and technical experience. Incidentally, chasing down CPEs to maintain a cert is almost trivial with respect to time and resources. I agree with you that training resources are vital to security professionals.

You mentioned the power of persuasion, which I wholeheartedly agree with. In fact, I mentioned it when I broached the subject of communicating laterally, upward and downward in the corporate ladder. I think that the single biggest obstacle to a security program is the failure to effectively communicate the security message to the C-suite primarily for budgetary and priority concerns, and to the rest of the organization for implementation and acceptance.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:29:30 PM
Re: Disagree, surprise there
@GonzSTL,... also... if I'm hiring a CISO, I don't what him out there chasing down CPE's trying to maintain a cert, but I do want him to understand what it was like when he had to do that... then he'll understand why security professions working for him will need every training dollar that he can get.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:26:17 PM
Re: Disagree, surprise there
@GonzSTL,

CISO, like most other positions of leadership is just that, leading and setting the tone. I can see why you'd want you security wonks, which I am, to have their CISSP. I shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quntified is the power of persuation, he\she needs to be able to take the information for subordinate leaders and craft into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back\fight the threat(s) and what those threats are.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 11:27:28 AM
Re: Disagree, surprise there
The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 11:16:30 AM
Re: Disagree, surprise there
@savoiadilucania  That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 11:10:17 AM
Re: How to Become a CISO
@Sara, I think that most CISO are assigned under the CIO is because most companies do not realize how effective a CISO can be if he\she were under, say the CFO. In all of the companies I've worked for the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 10:55:46 AM
Re: How to Become a CISO
Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 10:48:40 AM
Re: Disagree, surprise there
That's a great point about how important (and prevalent) CISSP certification actually is for someome in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSP's that are working in the group, that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/21/2014 | 10:33:15 AM
Disagree, surprise there
"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to asset the level of security apptitude one possesses. But I am yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.
<<   <   Page 2 / 3   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15526
PUBLISHED: 2020-07-09
In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration &gt; Notifications pages to disable certificate checking for alert notifications. These TLS security checks are...
CVE-2020-10756
PUBLISHED: 2020-07-09
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, re...
CVE-2020-12421
PUBLISHED: 2020-07-09
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR &lt; 6...
CVE-2020-12422
PUBLISHED: 2020-07-09
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox &lt; 78.
CVE-2020-12423
PUBLISHED: 2020-07-09
When the Windows DLL &quot;webauthn.dll&quot; was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating sys...