Dark Reading is part of the Informa Tech Division of Informa PLC
Comments
How To Become A CISO, Part 1
Page 2 / 3
ODA155
User Rank: Ninja
10/21/2014 | 12:29:30 PM
Re: Disagree, surprise there
@GonzSTL,... also... if I'm hiring a CISO, I don't want him out there chasing down CPEs trying to maintain a cert, but I do want him to understand what it was like when he had to do that... then he'll understand why the security professionals working for him will need every training dollar that he can get.
GonzSTL
User Rank: Ninja
10/21/2014 | 1:10:16 PM
Re: Disagree, surprise there
@ODA155 I'm not sure that we disagree on much. I am by no means advocating that a CISO must have a CISSP. I mentioned the CISSP to detail what the certification encompasses. Additionally, I brought up the certification topic as the tie breaker when everything else appears equal with respect to business and technical experience. Incidentally, chasing down CPEs to maintain a cert is almost trivial with respect to time and resources. I agree with you that training resources are vital to security professionals.

You mentioned the power of persuasion, which I wholeheartedly agree with. In fact, I mentioned it when I broached the subject of communicating laterally, upward and downward in the corporate ladder. I think that the single biggest obstacle to a security program is the failure to effectively communicate the security message to the C-suite primarily for budgetary and priority concerns, and to the rest of the organization for implementation and acceptance.
ODA155
User Rank: Ninja
10/21/2014 | 1:45:24 PM
Re: Disagree, surprise there
@GonzSTL... then please consider my comments reinforcement... and you can never have enough of that!
Marc Eggers
User Rank: Strategist
10/21/2014 | 2:01:55 PM
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personnel in different industries that this is a primary reason for it.

I do not advocate certifications for certification's sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position. I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person saying they can do it". The certification is an independent mile marker showing that the person has at least put in the time and effort to learn that much about the subject(s).
GonzSTL
User Rank: Ninja
10/21/2014 | 2:11:47 PM
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
SDiver
User Rank: Strategist
10/21/2014 | 4:39:59 PM
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence. After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.' Any good skill set requires an understanding of the foundations, and I believe that the CISSP achieves that requirement. I would agree with a 'no-cert' requirement if your skill set can be independently verified, for instance if you served in the military or law enforcement.

As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center. I would be wary of the CISO reporting to the CIO in a regulated business such as health or finance. Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
ArthurK439
User Rank: Apprentice
10/22/2014 | 2:01:33 PM
Re: How to Become a CISO
I think we have seen the risks of having the CISO report to the CIO (Target comes to mind). As long as the CISO is viewed as being IT-centric, and not about risk management, there will be an inclination to pigeonhole it in the former category. At a minimum, it should report to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordinate to a role that is primarily operational is a recipe for disaster.

As for certifications, having a CISSP as a requirement for being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and a common language. Secondly, it (and complementary certifications such as the CISM, CISA and CRISC) is as close as we currently have to professional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I would expect the CFO to be a CPA/CA, and a Chief Counsel to be a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.

The fact is, the CISO role is hybrid in nature, requiring business acumen, technical knowledge, legal/regulatory knowledge, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.
savoiadilucania
User Rank: Moderator
10/23/2014 | 11:13:14 AM
Re: Disagree, surprise there
@Sara Peters

The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
Sara Peters
User Rank: Author
10/23/2014 | 4:23:16 PM
Re: How to Become a CISO
@ArthurK439 I agree with this: "Information protection is crucial to the operations and success of the business, and to have it subordinate to a role that is primarily operational is a recipe for disaster." But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
ekwisca
User Rank: Apprentice
10/24/2014 | 10:01:26 AM
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA, I hope I am on the right track for learning the business as well as the technical side of the IT world. Looking forward to next Monday.