Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 9:13:20 AM
How to Become a CISO
This is a great article, and I can't wait for the rest of the series. Mark Aiello makes some excellent points, especially regarding companies where the CISO is a newly formed role. What I would like to know is why a company that creates the new CISO role would have that person report to the CIO. That creates a potential conflict of interest, and violates a sacred rule of integrity – the separation of duties (SoD). SoD is a fundamental principle of regulations like SOX and GLBA, yet organizations do not see that it also applies to security, where it is just as critical as it is to the financial aspects of the organization. But how do you communicate that to an organization where the CIO is firmly entrenched, and has great influence with the rest of the C-suite? It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 10:27:37 AM
Re: How to Become a CISO
@GonzSTL  This is a good idea:  "It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure."  Maybe we can do a story or two on that in the near future. 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 10:32:23 AM
Re: How to Become a CISO
@GonzSTL  I'd imagine that most companies put the CISO under the CIO, because they still see security as a part of IT, and only IT. I understand why -- most of the security efforts rely on IT in one way or another. It does seem a bit silly to name anybody "chief" and have them report to anyone but the CEO, but I imagine that some companies just add the position to add a new tier to the payment structure and give the top security person a raise.... it amazes me just how often that sort of thing happens in big corporations
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/21/2014 | 10:33:15 AM
Disagree, surprise there
"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to asset the level of security apptitude one possesses. But I am yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 10:48:40 AM
Re: Disagree, surprise there
That's a great point about how important (and prevalent) CISSP certification actually is for someome in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSP's that are working in the group, that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 10:55:46 AM
Re: How to Become a CISO
Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 11:10:17 AM
Re: How to Become a CISO
@Sara, I think that most CISO are assigned under the CIO is because most companies do not realize how effective a CISO can be if he\she were under, say the CFO. In all of the companies I've worked for the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 11:16:30 AM
Re: Disagree, surprise there
@savoiadilucania  That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 11:27:28 AM
Re: Disagree, surprise there
The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:26:17 PM
Re: Disagree, surprise there
@GonzSTL,

CISO, like most other positions of leadership is just that, leading and setting the tone. I can see why you'd want you security wonks, which I am, to have their CISSP. I shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quntified is the power of persuation, he\she needs to be able to take the information for subordinate leaders and craft into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back\fight the threat(s) and what those threats are.
Page 1 / 3   >   >>


US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.