Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
russellnomerconsulting
50%
50%
russellnomerconsulting,
 User Rank: Apprentice
6/29/2015 | 5:33:47 PM
Re: How to Become a CISO
The article also speaks to needing to beg, borrow, and steal resources when taking on the role of CISO.  I propose in many instances this constraint is largely self imposed as a direct result of not appropriately managing expectations and building the required trusting relationships at the beginning.   Furthermore, do we really want to position the CISO as a professional scapegoat?  Or does it make more sense to position the CISO as someone with the professional integrity and intestinal fortitude needed to hold their ground while leveraging soft skills for effectively building and managing a balanced security program?
ekwisca
50%
50%
ekwisca,
 User Rank: Apprentice
10/24/2014 | 5:21:08 PM
Re: extremely excited
@ODA155, I completely understand. Thank you for the advice. I am currently studying for my CISA to add it to my credentials. There's no end point to me studying. I continuously try to plug myself into different things in my profession for the exposure and experience. I'm looking to do all I can to have a wholly understanding of information security. Just for the benefit of being able to talk the talk of security to a wide range of business professionals. Becoming a C level executive is end my goal, me learning is a forever journey. Thanks again for the advice. Another thing to think about to help me through these tough studying times. Good thing I live in Chicago and it's almost winter. The temperature here is bound to keep me in the house with nothing to do but study.
ODA155
100%
0%
ODA155,
 User Rank: Ninja
10/24/2014 | 4:31:21 PM
Re: extremely excited
@ekwisca, Why is it "the end goal"... may I also recommend getting your CISA. In my opinion, the second most helpful trait of a successful security professional after a very good technical foundation is understanding IT audit, its language, the people who conduct them and navigating and using the audit report to you advantage. What you'll find, especially in smaller organizations is that you, the security pro will most likely be standing between management, admin\tech and auditors, juggling everyones needs and requirements against your own. And that is where the third most useful trait comes in... effective communication skills.
ekwisca
50%
50%
ekwisca,
 User Rank: Apprentice
10/24/2014 | 10:01:26 AM
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA I hope I am on the right track for learning business as well as the technical side of the IT World. Looking forward to next Monday.
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
10/23/2014 | 4:23:16 PM
Re: How to Become a CISO
@ArthurK439  I agree with this: Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.  But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
savoiadilucania
50%
50%
savoiadilucania,
 User Rank: Moderator
10/23/2014 | 11:13:14 AM
Re: Disagree, surprise there
@Sara Peters

The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
ArthurK439
50%
50%
ArthurK439,
 User Rank: Apprentice
10/22/2014 | 2:01:33 PM
Re: How to Become a CISO
I think we have seen the risks where having the CISO reporting to the CIO (Target comes to mind). As long as the CISO is viewed as being IT centric, and not about risk management, there will be an inclination to pidgeonhole it in the former category. At a minimum, it should be reporting to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.

As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complimentary certifications such as the CISM, CISA and CRISC) is as close as currently we have as profesional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I woul expect the CFO to be a CPA/CA, a Chief Counsel being a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.

The fact is, the CISO role is hibrid in nature, requring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.

 
SDiver
100%
0%
SDiver,
 User Rank: Strategist
10/21/2014 | 4:39:59 PM
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence.  After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.'  Any good skill set requires an understanding of a foundations and I believe that the CISSP achieves that requirement.   I would agree with the 'no-cert' requirement if you can independently verify your skill set if you served in the military or law enforcement.


As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center.  I would be wary if the CISO reported to the CIO either in a regulated business such as health or financial.  Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
GonzSTL
100%
0%
GonzSTL,
 User Rank: Ninja
10/21/2014 | 2:11:47 PM
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
Marc Eggers
50%
50%
Marc Eggers,
 User Rank: Strategist
10/21/2014 | 2:01:55 PM
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personell in different industries that is a primary reason for it.  

I do not advocate certifications for certification sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position.  I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person says they can do it".  The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).  
Page 1 / 3   >   >>


HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.