Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Most Effective CISOs Have Business Background, Says IBM Security Leader
Newest First  |  Oldest First  |  Threaded View
jimmyblake
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:37:46 AM
Re: What worries me though...
I think it depends on the size of an organisation.  In a larger organisation no-single individual could ever have the depth of technical expertise to deliver a security capability - that is why you have management tiers, delegation and subject matter experts to deliver.  

To get the depth of knowledge in technical subjects that the mitigation of attacks from sophistacted attackers, as well as insider and supply-chain introduced risk, you need a team of people with a deep technical understanding in their field of expertise.  Even more importantly, all these silos need to be brought together into a capability that takes into consideration alignment to the threat profile of the business (understanding business isn't just blinky lights, there are people, processes and data that need securing to run as a functional whole and deliver revenye to the company); measuring operational effectiveness of your operational and technical controls); obtaining and retaining the skills in the business (recruitment, skills assessment, training, mentoring, staff retention); the right documented processes that are measureable for continual improvement, yet still flexible enought to handle the changing threat that we face.  

A lot of these skills don't get established when you've spent 10 years focusing on firewall policy or IDS signatures.  Don't get me wrong, I come from a development and then red-team background, but it's easier to learn the technical concepts to the depth at which you need to meaningfully undertake the above tasks than it is to take someone with a deep silo of knowledge in one aspect of information security and teach them to do the aove.
jimmyblake
jimmyblake,
 User Rank: Apprentice
11/13/2014 | 5:27:30 AM
Re: But are they the most effective CISOs?
I spend a lot of time in my current role evaulating the effectiveness and efficiency of operational informational security capabilities in organisations.  I've also been a CISO for a large multinational and I learnt the hard way.

It is almost always the case that capabilities that have been build and run by those who have come up the technical path to CISO have alignments with protection of line-of-business and they are typically heavily focused on technology, thinking of people, processes and continual improvement.  The management information produced by such departments is normally highly technical, typically relying on event counts rather than risk exposure to the critical assets that pay the bills.  As a result, the business often doesn't see the value of information security and doesn't enjoy talking to these strange guys who come up from the basement and speak a completely different language, this is often why CISOs don't have a seat at the boardroom table and everything is mediated through the CIO (which causes it's own conflict-of-interest problems).

The ideal situation, if your size of organisation supports it, is a CISO who manages "up-and-out" handling business alignment, the CapEx and OpEx of the capability, achieving the key performance indicators around effectiveness and efficiency and being the condiuit between the rest of the business and the information security function.  Then there is an "IT Security Director" or "Cyber Security Director" whos role it is to manage the "down and in" Busiiness and Usual (BAU) operations and tactical projects.  
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/7/2014 | 9:31:06 AM
Re: What worries me though...
That makes total sense to me @Marc Eggers! I especially like the last part of your analogy:

Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.

Thanks for connecting the dots.
Marc Eggers
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 1:25:51 PM
Re: What worries me though...
@Marilyn Cohodas, I believe that I can explain that a bit more... 

I am referring to the fact that companies will put time, money, and effort into upgrading their technical systems to make them more secure.  The company's people are the same way.  One needs to invest in the time and money and effort into training them to be security conscious.  I find that most users are more than willing, many are eager, to participate in helping to secure their workspace, their systems, their business processes, once they are aware of ways that what they do can be exploited.  It is important to make security important to them and make them aware of how their efforts help the organization be more secure.  

For example, helping users understand that even though they may not have access to sensitive data, if they do not have secure passwords and change them regularly, their account can be used to gain access to others accounts where sensitive data can be breached.  Looking at the American healthcare system, helping users to understand how their workspace and their practices can lead to leaked PHI (Protected Health Information) can lead to a HIPPA violation that could cost the company millions of dollars.  Training users to understand why they shouldn't hold the door open for someone they don't know and why.  Investing the time and effort into upgrading them from "users" to "security users" or empowering them to be "power users" will pay dividends in getting your employees invested in your organization.  This helps with employee retention and helps keep them on the lookout for other possible ways that they can improve the security of their workspace, their systems, their business processes, etc.  

And to complete the analogy, I believe that they need to be approached the same way a system upgrade should.  Determine where they are now.  Figure out what the greatest need is and what will have the greatest impact.  Prioritize, and then implement.  Then follow-up with testing.  

Does that make more sense?
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/6/2014 | 12:44:38 PM
Re: What worries me though...
Hmmm.... @Marc Eggers. I'm not sure how to take your comment about looking "at the people as systems to be upgraded." Care to elaborate? 
Marc Eggers
Marc Eggers,
 User Rank: Strategist
11/6/2014 | 12:29:31 PM
What worries me though...
We see this in the business world a lot where those with the business background are the ones who are able to get promoted and get those positions.  While I agree that the CISO needs to understand risk management and business processes, what worries me the most is the fact that often that business acumen does not lend itself nor lead to an understanding of the technical systems behind the business processes.  

User education is extremely important as that is often one of the weakest links in an organizations and the easiest to exploit, the technical side needs to be understood as well.   Business folks tend to focus on the users and technologists tend to focus on the systems.  I believe that it takes a special person to be able to understand both.

Of course, I am biased being a technologist, I do think that it is more effective for a technologist to look at the people as systems to be upgraded than a business user to try to understand the obscure myriad of system connections in a modern business organization.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/5/2014 | 3:57:23 PM
Re: But are they the most effective CISOs?
I guess the would depend on what makes a CISO effective. Is it pure knowledge of security technology or the best way to apply that knowledge to manage risk and protect business data and systems from attack. I would argue it's a combination of the two. 
dunsany
dunsany,
 User Rank: Apprentice
11/5/2014 | 3:52:12 PM
But are they the most effective CISOs?
That's really the question.  I know a lot of CISOs.  I know fewer effective ones.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-29248
PUBLISHED: 2022-05-25
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to ...
CVE-2022-29402
PUBLISHED: 2022-05-25
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.
CVE-2021-27783
PUBLISHED: 2022-05-25
User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.
CVE-2021-27779
PUBLISHED: 2022-05-25
VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.
CVE-2021-44719
PUBLISHED: 2022-05-25
Docker Desktop 4.3.0 has Incorrect Access Control.