Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Most Effective CISOs Have Business Background, Says IBM Security Leader
Newest First  |  Oldest First  |  Threaded View
jimmyblake
50%
50%
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:37:46 AM
Re: What worries me though...
I think it depends on the size of an organisation.  In a larger organisation no-single individual could ever have the depth of technical expertise to deliver a security capability - that is why you have management tiers, delegation and subject matter experts to deliver.  

To get the depth of knowledge in technical subjects that the mitigation of attacks from sophistacted attackers, as well as insider and supply-chain introduced risk, you need a team of people with a deep technical understanding in their field of expertise.  Even more importantly, all these silos need to be brought together into a capability that takes into consideration alignment to the threat profile of the business (understanding business isn't just blinky lights, there are people, processes and data that need securing to run as a functional whole and deliver revenye to the company); measuring operational effectiveness of your operational and technical controls); obtaining and retaining the skills in the business (recruitment, skills assessment, training, mentoring, staff retention); the right documented processes that are measureable for continual improvement, yet still flexible enought to handle the changing threat that we face.  

A lot of these skills don't get established when you've spent 10 years focusing on firewall policy or IDS signatures.  Don't get me wrong, I come from a development and then red-team background, but it's easier to learn the technical concepts to the depth at which you need to meaningfully undertake the above tasks than it is to take someone with a deep silo of knowledge in one aspect of information security and teach them to do the aove.
jimmyblake
50%
50%
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:27:30 AM
Re: But are they the most effective CISOs?
I spend a lot of time in my current role evaulating the effectiveness and efficiency of operational informational security capabilities in organisations.  I've also been a CISO for a large multinational and I learnt the hard way.

It is almost always the case that capabilities that have been build and run by those who have come up the technical path to CISO have alignments with protection of line-of-business and they are typically heavily focused on technology, thinking of people, processes and continual improvement.  The management information produced by such departments is normally highly technical, typically relying on event counts rather than risk exposure to the critical assets that pay the bills.  As a result, the business often doesn't see the value of information security and doesn't enjoy talking to these strange guys who come up from the basement and speak a completely different language, this is often why CISOs don't have a seat at the boardroom table and everything is mediated through the CIO (which causes it's own conflict-of-interest problems).

The ideal situation, if your size of organisation supports it, is a CISO who manages "up-and-out" handling business alignment, the CapEx and OpEx of the capability, achieving the key performance indicators around effectiveness and efficiency and being the condiuit between the rest of the business and the information security function.  Then there is an "IT Security Director" or "Cyber Security Director" whos role it is to manage the "down and in" Busiiness and Usual (BAU) operations and tactical projects.  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
11/7/2014 | 9:31:06 AM
Re: What worries me though...
That makes total sense to me @Marc Eggers! I especially like the last part of your analogy:

Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.

Thanks for connecting the dots.
Marc Eggers
100%
0%
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 1:25:51 PM
Re: What worries me though...
@Marilyn Cohodas, I believe that I can explain that a bit more... 

I am referring to the fact that companies will put time, money, and effort into upgrading their technical systems to make them more secure.  The company's people are the same way.  One needs to invest in the time and money and effort into training them to be security conscious.  I find that most users are more than willing, many are eager, to participate in helping to secure their workspace, their systems, their business processes, once they are aware of ways that what they do can be exploited.  It is important to make security important to them and make them aware of how their efforts help the organization be more secure.  

For example, helping users understand that even though they may not have access to sensitive data, if they do not have secure passwords and change them regularly, their account can be used to gain access to others accounts where sensitive data can be breached.  Looking at the American healthcare system, helping users to understand how their workspace and their practices can lead to leaked PHI (Protected Health Information) can lead to a HIPPA violation that could cost the company millions of dollars.  Training users to understand why they shouldn't hold the door open for someone they don't know and why.  Investing the time and effort into upgrading them from "users" to "security users" or empowering them to be "power users" will pay dividends in getting your employees invested in your organization.  This helps with employee retention and helps keep them on the lookout for other possible ways that they can improve the security of their workspace, their systems, their business processes, etc.  

And to complete the analogy, I believe that they need to be approached the same way a system upgrade should.  Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.  

Does that make more sense?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
11/6/2014 | 12:44:38 PM
Re: What worries me though...
Hmmm.... @Marc Eggers. I'm not sure how to take your comment about looking "at the people as systems to be upgraded." Care to elaborate? 
Marc Eggers
50%
50%
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 12:29:31 PM
What worries me though...
We see this in the business world a lot where those with the business background are the ones who are able to get promoted and get those positions.  While I agree that the CISO needs to understand risk management and business processes, what worries me the most is the fact that often that business acumen does not lend itself nor lead to an understanding of the technical systems behind the business processes.  

User education is extremely important as that is often one of the weakest links in an organizations and the easiest to exploit, the technical side needs to be understood as well.   Business folks tend to focus on the users and technologists tend to focus on the systems.  I believe that it takes a special person to be able to understand both.

Of course, I am biased being a technologist, I do think that it is more effective for a technologist to look at the people as systems to be upgraded than a business user to try to understand the obscure myriad of system connections in a modern business organization.
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
 User Rank: Strategist
11/5/2014 | 3:57:23 PM
Re: But are they the most effective CISOs?
I guess the would depend on what makes a CISO effective. Is it pure knowledge of security technology or the best way to apply that knowledge to manage risk and protect business data and systems from attack. I would argue it's a combination of the two. 
dunsany
100%
0%
dunsany,
 User Rank: Apprentice
11/5/2014 | 3:52:12 PM
But are they the most effective CISOs?
That's really the question.  I know a lot of CISOs.  I know fewer effective ones.


News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...