Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 1:45:24 PM
Re: Disagree, surprise there
@GonzSTL... then please consider my comments reinforcement... and you can never have enough of that!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 1:10:16 PM
Re: Disagree, surprise there
@ODA155 I'm not sure that we disagree on much. I am by no means advocating that a CISO must have a CISSP. I mentioned the CISSP to detail what the certification encompassed. Additionally, I brought the certification topic as the tie breaker when everything else appears equal with respect to business and technical experience. Incidentally, chasing down CPEs to maintain a cert is almost trivial with respect to time and resources. I agree with you that training resources are vital to security professionals.

You mentioned the power of persuasion, which I wholeheartedly agree with. In fact, I mentioned it when I broached the subject of communicating laterally, upward and downward in the corporate ladder. I think that the single biggest obstacle to a security program is the failure to effectively communicate the security message to the C-suite primarily for budgetary and priority concerns, and to the rest of the organization for implementation and acceptance.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:29:30 PM
Re: Disagree, surprise there
@GonzSTL,... also... if I'm hiring a CISO, I don't what him out there chasing down CPE's trying to maintain a cert, but I do want him to understand what it was like when he had to do that... then he'll understand why security professions working for him will need every training dollar that he can get.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:26:17 PM
Re: Disagree, surprise there
@GonzSTL,

CISO, like most other positions of leadership is just that, leading and setting the tone. I can see why you'd want you security wonks, which I am, to have their CISSP. I shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quntified is the power of persuation, he\she needs to be able to take the information for subordinate leaders and craft into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back\fight the threat(s) and what those threats are.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 11:27:28 AM
Re: Disagree, surprise there
The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 11:16:30 AM
Re: Disagree, surprise there
@savoiadilucania  That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 11:10:17 AM
Re: How to Become a CISO
@Sara, I think that most CISO are assigned under the CIO is because most companies do not realize how effective a CISO can be if he\she were under, say the CFO. In all of the companies I've worked for the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 10:55:46 AM
Re: How to Become a CISO
Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 10:48:40 AM
Re: Disagree, surprise there
That's a great point about how important (and prevalent) CISSP certification actually is for someome in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSP's that are working in the group, that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/21/2014 | 10:33:15 AM
Disagree, surprise there
"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to asset the level of security apptitude one possesses. But I am yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.
<<   <   Page 2 / 3   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.