
Comments
Most Effective CISOs Have Business Background, Says IBM Security Leader
jimmyblake
User Rank: Apprentice
11/13/2014 | 5:37:46 AM
Re: What worries me though...
I think it depends on the size of an organisation.  In a larger organisation no single individual could ever have the depth of technical expertise to deliver a security capability - that is why you have management tiers, delegation and subject matter experts to deliver.  

To get the depth of knowledge in technical subjects that the mitigation of attacks from sophisticated attackers, as well as insider and supply-chain introduced risk, requires, you need a team of people with a deep technical understanding in their field of expertise.  Even more importantly, all these silos need to be brought together into a capability that takes into consideration alignment to the threat profile of the business (understanding business isn't just blinky lights, there are people, processes and data that need securing to run as a functional whole and deliver revenue to the company); measuring operational effectiveness of your operational and technical controls; obtaining and retaining the skills in the business (recruitment, skills assessment, training, mentoring, staff retention); the right documented processes that are measurable for continual improvement, yet still flexible enough to handle the changing threat that we face.  

A lot of these skills don't get established when you've spent 10 years focusing on firewall policy or IDS signatures.  Don't get me wrong, I come from a development and then red-team background, but it's easier to learn the technical concepts to the depth at which you need to meaningfully undertake the above tasks than it is to take someone with a deep silo of knowledge in one aspect of information security and teach them to do the above.

jimmyblake
User Rank: Apprentice
11/13/2014 | 5:27:30 AM
Re: But are they the most effective CISOs?
I spend a lot of time in my current role evaluating the effectiveness and efficiency of operational information security capabilities in organisations.  I've also been a CISO for a large multinational and I learnt the hard way.

It is almost always the case that capabilities that have been built and run by those who have come up the technical path to CISO have alignments with protection of line-of-business and they are typically heavily focused on technology, thinking of people, processes and continual improvement.  The management information produced by such departments is normally highly technical, typically relying on event counts rather than risk exposure to the critical assets that pay the bills.  As a result, the business often doesn't see the value of information security and doesn't enjoy talking to these strange guys who come up from the basement and speak a completely different language; this is often why CISOs don't have a seat at the boardroom table and everything is mediated through the CIO (which causes its own conflict-of-interest problems).

The ideal situation, if your size of organisation supports it, is a CISO who manages "up-and-out", handling business alignment, the CapEx and OpEx of the capability, achieving the key performance indicators around effectiveness and efficiency and being the conduit between the rest of the business and the information security function.  Then there is an "IT Security Director" or "Cyber Security Director" whose role it is to manage the "down and in" Business as Usual (BAU) operations and tactical projects.  

Marilyn Cohodas
User Rank: Strategist
11/7/2014 | 9:31:06 AM
Re: What worries me though...
That makes total sense to me @Marc Eggers! I especially like the last part of your analogy:

Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.

Thanks for connecting the dots.

Marc Eggers
User Rank: Strategist
11/6/2014 | 1:25:51 PM
Re: What worries me though...
@Marilyn Cohodas, I believe that I can explain that a bit more... 

I am referring to the fact that companies will put time, money, and effort into upgrading their technical systems to make them more secure.  The company's people are the same way.  One needs to invest the time and money and effort into training them to be security conscious.  I find that most users are more than willing, many are eager, to participate in helping to secure their workspace, their systems, their business processes, once they are aware of ways that what they do can be exploited.  It is important to make security important to them and make them aware of how their efforts help the organization be more secure.  

For example, helping users understand that even though they may not have access to sensitive data, if they do not have secure passwords and change them regularly, their account can be used to gain access to others' accounts where sensitive data can be breached.  Looking at the American healthcare system, helping users to understand how their workspace and their practices can lead to leaked PHI (Protected Health Information) can lead to a HIPAA violation that could cost the company millions of dollars.  Training users to understand why they shouldn't hold the door open for someone they don't know.  Investing the time and effort into upgrading them from "users" to "security users" or empowering them to be "power users" will pay dividends in getting your employees invested in your organization.  This helps with employee retention and helps keep them on the lookout for other possible ways that they can improve the security of their workspace, their systems, their business processes, etc.  

And to complete the analogy, I believe that they need to be approached the same way a system upgrade should.  Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.  

Does that make more sense?

Marilyn Cohodas
User Rank: Strategist
11/6/2014 | 12:44:38 PM
Re: What worries me though...
Hmmm.... @Marc Eggers. I'm not sure how to take your comment about looking "at the people as systems to be upgraded." Care to elaborate? 

Marc Eggers
User Rank: Strategist
11/6/2014 | 12:29:31 PM
What worries me though...
We see this in the business world a lot where those with the business background are the ones who are able to get promoted and get those positions.  While I agree that the CISO needs to understand risk management and business processes, what worries me the most is the fact that often that business acumen does not lend itself nor lead to an understanding of the technical systems behind the business processes.  

User education is extremely important as that is often one of the weakest links in an organization and the easiest to exploit, but the technical side needs to be understood as well.   Business folks tend to focus on the users and technologists tend to focus on the systems.  I believe that it takes a special person to be able to understand both.

Of course I am biased, being a technologist, but I do think that it is more effective for a technologist to look at the people as systems to be upgraded than a business user to try to understand the obscure myriad of system connections in a modern business organization.

Marilyn Cohodas
User Rank: Strategist
11/5/2014 | 3:57:23 PM
Re: But are they the most effective CISOs?
I guess that would depend on what makes a CISO effective. Is it pure knowledge of security technology or the best way to apply that knowledge to manage risk and protect business data and systems from attack? I would argue it's a combination of the two. 

dunsany
User Rank: Apprentice
11/5/2014 | 3:52:12 PM
But are they the most effective CISOs?
That's really the question.  I know a lot of CISOs.  I know fewer effective ones.