Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Most Effective CISOs Have Business Background, Says IBM Security Leader
Newest First  |  Oldest First  |  Threaded View
jimmyblake
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:37:46 AM
Re: What worries me though...
I think it depends on the size of an organisation.  In a larger organisation no-single individual could ever have the depth of technical expertise to deliver a security capability - that is why you have management tiers, delegation and subject matter experts to deliver.  

To get the depth of knowledge in technical subjects that the mitigation of attacks from sophistacted attackers, as well as insider and supply-chain introduced risk, you need a team of people with a deep technical understanding in their field of expertise.  Even more importantly, all these silos need to be brought together into a capability that takes into consideration alignment to the threat profile of the business (understanding business isn't just blinky lights, there are people, processes and data that need securing to run as a functional whole and deliver revenye to the company); measuring operational effectiveness of your operational and technical controls); obtaining and retaining the skills in the business (recruitment, skills assessment, training, mentoring, staff retention); the right documented processes that are measureable for continual improvement, yet still flexible enought to handle the changing threat that we face.  

A lot of these skills don't get established when you've spent 10 years focusing on firewall policy or IDS signatures.  Don't get me wrong, I come from a development and then red-team background, but it's easier to learn the technical concepts to the depth at which you need to meaningfully undertake the above tasks than it is to take someone with a deep silo of knowledge in one aspect of information security and teach them to do the aove.
jimmyblake
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:27:30 AM
Re: But are they the most effective CISOs?
I spend a lot of time in my current role evaulating the effectiveness and efficiency of operational informational security capabilities in organisations.  I've also been a CISO for a large multinational and I learnt the hard way.

It is almost always the case that capabilities that have been build and run by those who have come up the technical path to CISO have alignments with protection of line-of-business and they are typically heavily focused on technology, thinking of people, processes and continual improvement.  The management information produced by such departments is normally highly technical, typically relying on event counts rather than risk exposure to the critical assets that pay the bills.  As a result, the business often doesn't see the value of information security and doesn't enjoy talking to these strange guys who come up from the basement and speak a completely different language, this is often why CISOs don't have a seat at the boardroom table and everything is mediated through the CIO (which causes it's own conflict-of-interest problems).

The ideal situation, if your size of organisation supports it, is a CISO who manages "up-and-out" handling business alignment, the CapEx and OpEx of the capability, achieving the key performance indicators around effectiveness and efficiency and being the condiuit between the rest of the business and the information security function.  Then there is an "IT Security Director" or "Cyber Security Director" whos role it is to manage the "down and in" Busiiness and Usual (BAU) operations and tactical projects.  
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/7/2014 | 9:31:06 AM
Re: What worries me though...
That makes total sense to me @Marc Eggers! I especially like the last part of your analogy:

Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.

Thanks for connecting the dots.
Marc Eggers
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 1:25:51 PM
Re: What worries me though...
@Marilyn Cohodas, I believe that I can explain that a bit more... 

I am referring to the fact that companies will put time, money, and effort into upgrading their technical systems to make them more secure.  The company's people are the same way.  One needs to invest in the time and money and effort into training them to be security conscious.  I find that most users are more than willing, many are eager, to participate in helping to secure their workspace, their systems, their business processes, once they are aware of ways that what they do can be exploited.  It is important to make security important to them and make them aware of how their efforts help the organization be more secure.  

For example, helping users understand that even though they may not have access to sensitive data, if they do not have secure passwords and change them regularly, their account can be used to gain access to others accounts where sensitive data can be breached.  Looking at the American healthcare system, helping users to understand how their workspace and their practices can lead to leaked PHI (Protected Health Information) can lead to a HIPPA violation that could cost the company millions of dollars.  Training users to understand why they shouldn't hold the door open for someone they don't know and why.  Investing the time and effort into upgrading them from "users" to "security users" or empowering them to be "power users" will pay dividends in getting your employees invested in your organization.  This helps with employee retention and helps keep them on the lookout for other possible ways that they can improve the security of their workspace, their systems, their business processes, etc.  

And to complete the analogy, I believe that they need to be approached the same way a system upgrade should.  Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.  

Does that make more sense?
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/6/2014 | 12:44:38 PM
Re: What worries me though...
Hmmm.... @Marc Eggers. I'm not sure how to take your comment about looking "at the people as systems to be upgraded." Care to elaborate? 
Marc Eggers
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 12:29:31 PM
What worries me though...
We see this in the business world a lot where those with the business background are the ones who are able to get promoted and get those positions.  While I agree that the CISO needs to understand risk management and business processes, what worries me the most is the fact that often that business acumen does not lend itself nor lead to an understanding of the technical systems behind the business processes.  

User education is extremely important as that is often one of the weakest links in an organizations and the easiest to exploit, the technical side needs to be understood as well.   Business folks tend to focus on the users and technologists tend to focus on the systems.  I believe that it takes a special person to be able to understand both.

Of course, I am biased being a technologist, I do think that it is more effective for a technologist to look at the people as systems to be upgraded than a business user to try to understand the obscure myriad of system connections in a modern business organization.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/5/2014 | 3:57:23 PM
Re: But are they the most effective CISOs?
I guess the would depend on what makes a CISO effective. Is it pure knowledge of security technology or the best way to apply that knowledge to manage risk and protect business data and systems from attack. I would argue it's a combination of the two. 
dunsany
dunsany,
 User Rank: Apprentice
11/5/2014 | 3:52:12 PM
But are they the most effective CISOs?
That's really the question.  I know a lot of CISOs.  I know fewer effective ones.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...