Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 1:45:24 PM
Re: Disagree, surprise there
@GonzSTL... then please consider my comments reinforcement... and you can never have enough of that!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 1:10:16 PM
Re: Disagree, surprise there
@ODA155 I'm not sure that we disagree on much. I am by no means advocating that a CISO must have a CISSP. I mentioned the CISSP to detail what the certification encompassed. Additionally, I brought the certification topic as the tie breaker when everything else appears equal with respect to business and technical experience. Incidentally, chasing down CPEs to maintain a cert is almost trivial with respect to time and resources. I agree with you that training resources are vital to security professionals.

You mentioned the power of persuasion, which I wholeheartedly agree with. In fact, I mentioned it when I broached the subject of communicating laterally, upward and downward in the corporate ladder. I think that the single biggest obstacle to a security program is the failure to effectively communicate the security message to the C-suite primarily for budgetary and priority concerns, and to the rest of the organization for implementation and acceptance.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:29:30 PM
Re: Disagree, surprise there
@GonzSTL,... also... if I'm hiring a CISO, I don't what him out there chasing down CPE's trying to maintain a cert, but I do want him to understand what it was like when he had to do that... then he'll understand why security professions working for him will need every training dollar that he can get.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:26:17 PM
Re: Disagree, surprise there
@GonzSTL,

CISO, like most other positions of leadership is just that, leading and setting the tone. I can see why you'd want you security wonks, which I am, to have their CISSP. I shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quntified is the power of persuation, he\she needs to be able to take the information for subordinate leaders and craft into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back\fight the threat(s) and what those threats are.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 11:27:28 AM
Re: Disagree, surprise there
The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 11:16:30 AM
Re: Disagree, surprise there
@savoiadilucania  That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 11:10:17 AM
Re: How to Become a CISO
@Sara, I think that most CISO are assigned under the CIO is because most companies do not realize how effective a CISO can be if he\she were under, say the CFO. In all of the companies I've worked for the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 10:55:46 AM
Re: How to Become a CISO
Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 10:48:40 AM
Re: Disagree, surprise there
That's a great point about how important (and prevalent) CISSP certification actually is for someome in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSP's that are working in the group, that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/21/2014 | 10:33:15 AM
Disagree, surprise there
"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to asset the level of security apptitude one possesses. But I am yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.
<<   <   Page 2 / 3   >   >>


SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a &quot;git submodule update&quot; operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.