Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
russellnomerconsulting
50%
50%
russellnomerconsulting,
User Rank: Apprentice
6/29/2015 | 5:33:47 PM
Re: How to Become a CISO
The article also speaks to needing to beg, borrow, and steal resources when taking on the role of CISO.  I propose in many instances this constraint is largely self imposed as a direct result of not appropriately managing expectations and building the required trusting relationships at the beginning.   Furthermore, do we really want to position the CISO as a professional scapegoat?  Or does it make more sense to position the CISO as someone with the professional integrity and intestinal fortitude needed to hold their ground while leveraging soft skills for effectively building and managing a balanced security program?
ekwisca
50%
50%
ekwisca,
User Rank: Apprentice
10/24/2014 | 5:21:08 PM
Re: extremely excited
@ODA155, I completely understand. Thank you for the advice. I am currently studying for my CISA to add it to my credentials. There's no end point to me studying. I continuously try to plug myself into different things in my profession for the exposure and experience. I'm looking to do all I can to have a wholly understanding of information security. Just for the benefit of being able to talk the talk of security to a wide range of business professionals. Becoming a C level executive is end my goal, me learning is a forever journey. Thanks again for the advice. Another thing to think about to help me through these tough studying times. Good thing I live in Chicago and it's almost winter. The temperature here is bound to keep me in the house with nothing to do but study.
ODA155
100%
0%
ODA155,
User Rank: Ninja
10/24/2014 | 4:31:21 PM
Re: extremely excited
@ekwisca, Why is it "the end goal"... may I also recommend getting your CISA. In my opinion, the second most helpful trait of a successful security professional after a very good technical foundation is understanding IT audit, its language, the people who conduct them and navigating and using the audit report to you advantage. What you'll find, especially in smaller organizations is that you, the security pro will most likely be standing between management, admin\tech and auditors, juggling everyones needs and requirements against your own. And that is where the third most useful trait comes in... effective communication skills.
ekwisca
50%
50%
ekwisca,
User Rank: Apprentice
10/24/2014 | 10:01:26 AM
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA I hope I am on the right track for learning business as well as the technical side of the IT World. Looking forward to next Monday.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/23/2014 | 4:23:16 PM
Re: How to Become a CISO
@ArthurK439  I agree with this: Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.  But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/23/2014 | 11:13:14 AM
Re: Disagree, surprise there
@Sara Peters

The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
ArthurK439
50%
50%
ArthurK439,
User Rank: Apprentice
10/22/2014 | 2:01:33 PM
Re: How to Become a CISO
I think we have seen the risks where having the CISO reporting to the CIO (Target comes to mind). As long as the CISO is viewed as being IT centric, and not about risk management, there will be an inclination to pidgeonhole it in the former category. At a minimum, it should be reporting to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.

As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complimentary certifications such as the CISM, CISA and CRISC) is as close as currently we have as profesional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I woul expect the CFO to be a CPA/CA, a Chief Counsel being a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.

The fact is, the CISO role is hibrid in nature, requring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.

 
SDiver
100%
0%
SDiver,
User Rank: Strategist
10/21/2014 | 4:39:59 PM
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence.  After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.'  Any good skill set requires an understanding of a foundations and I believe that the CISSP achieves that requirement.   I would agree with the 'no-cert' requirement if you can independently verify your skill set if you served in the military or law enforcement.


As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center.  I would be wary if the CISO reported to the CIO either in a regulated business such as health or financial.  Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
10/21/2014 | 2:11:47 PM
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
Marc Eggers
50%
50%
Marc Eggers,
User Rank: Strategist
10/21/2014 | 2:01:55 PM
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personell in different industries that is a primary reason for it.  

I do not advocate certifications for certification sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position.  I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person says they can do it".  The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).  
Page 1 / 3   >   >>


Greater Focus on Privacy Pays Off for Firms
Robert Lemos, Contributing Writer,  1/27/2020
Average Ransomware Payments More Than Doubled in Q4 2019
Jai Vijayan, Contributing Writer,  1/27/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Must be a Communication Breakdown!
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20215
PUBLISHED: 2020-01-29
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker t...
CVE-2019-20216
PUBLISHED: 2020-01-29
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an atta...
CVE-2019-20217
PUBLISHED: 2020-01-29
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attack...
CVE-2020-8428
PUBLISHED: 2020-01-29
fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, ...
CVE-2020-5227
PUBLISHED: 2020-01-28
Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial o...