Comments
Newest First | Oldest First | Threaded View
Re: extremely excited
@ODA155, I completely understand. Thank you for the advice. I am currently studying for my CISA to add it to my credentials. There's no end point to me studying. I continuously try to plug myself into different things in my profession for the exposure and experience. I'm looking to do all I can to have a wholly understanding of information security. Just for the benefit of being able to talk the talk of security to a wide range of business professionals. Becoming a C level executive is end my goal, me learning is a forever journey. Thanks again for the advice. Another thing to think about to help me through these tough studying times. Good thing I live in Chicago and it's almost winter. The temperature here is bound to keep me in the house with nothing to do but study.
Re: extremely excited
@ekwisca, Why is it "the end goal"... may I also recommend getting your CISA. In my opinion, the second most helpful trait of a successful security professional after a very good technical foundation is understanding IT audit, its language, the people who conduct them and navigating and using the audit report to you advantage. What you'll find, especially in smaller organizations is that you, the security pro will most likely be standing between management, admin\tech and auditors, juggling everyones needs and requirements against your own. And that is where the third most useful trait comes in... effective communication skills.
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA I hope I am on the right track for learning business as well as the technical side of the IT World. Looking forward to next Monday.
Re: How to Become a CISO
@ArthurK439 I agree with this: Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster. But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
Re: Disagree, surprise there
@Sara Peters
The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
Re: How to Become a CISO
I think we have seen the risks where having the CISO reporting to the CIO (Target comes to mind). As long as the CISO is viewed as being IT centric, and not about risk management, there will be an inclination to pidgeonhole it in the former category. At a minimum, it should be reporting to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.
As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complimentary certifications such as the CISM, CISA and CRISC) is as close as currently we have as profesional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I woul expect the CFO to be a CPA/CA, a Chief Counsel being a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.
The fact is, the CISO role is hibrid in nature, requring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.
As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complimentary certifications such as the CISM, CISA and CRISC) is as close as currently we have as profesional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I woul expect the CFO to be a CPA/CA, a Chief Counsel being a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.
The fact is, the CISO role is hibrid in nature, requring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence. After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.' Any good skill set requires an understanding of a foundations and I believe that the CISSP achieves that requirement. I would agree with the 'no-cert' requirement if you can independently verify your skill set if you served in the military or law enforcement.
As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center. I would be wary if the CISO reported to the CIO either in a regulated business such as health or financial. Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center. I would be wary if the CISO reported to the CIO either in a regulated business such as health or financial. Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personell in different industries that is a primary reason for it.
I do not advocate certifications for certification sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position. I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person says they can do it". The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).
I do not advocate certifications for certification sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position. I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person says they can do it". The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well, if you hadn't made us skip the Lockpicking Village at DEF CON this year, MAYBE this wouldn't be an issue!"
Latest Comment: "Well, if you hadn't made us skip the Lockpicking Village at DEF CON this year, MAYBE this wouldn't be an issue!"
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This
User Rank: Apprentice
6/29/2015 | 5:33:47 PM