Julian Waits
Once More Into the Breach, Dear CISO

The sad truth about CISOs is that they are seldom given power over security budgets or strategic IT decisions. To many C-level execs they exist to accept blame and are given little authority to effect change.

The search for a scapegoat is the easiest of all hunting expeditions, according to former President Dwight D. Eisenhower. If that’s the case, Chief Information Security Officers (CISOs) must be worried that they will soon be stuffed and mounted in board rooms around the country.

Since the Target breach, cyber security has been thrust into the spotlight, with media coverage of the next major data breach dominating headlines on a near-weekly basis. The heightened visibility is creating speculation in the media and beyond about what enterprises, governments, and security experts are doing to fight cybercrime.

In an effort to respond, boards have elevated the CISO, a once obscure position, to the C-suite. But while the honorific is there, the responsibilities are not. A ThreatTrack-sponsored survey of 203 C-level executives recently found that the majority of them keep CISOs at a distance, give them limited responsibilities, and ultimately believe that they exist to serve as a scapegoat should a data breach occur. Respondents made it clear that CISOs are seldom given power over the security budget, or in making strategic IT decisions. In short, they exist to accept blame, but have no power to effect change.

This is a dilemma, one that goes beyond internal power struggles and instead represents a major problem for enterprise security. Many CISOs have not been put into a position to succeed, and by virtue of that, enterprise cyber security is not getting any better. The problem will continue until the CISO earns a seat at the table. It will take cooperation and hard work on the part of CISOs and their peers, but it needs to happen, and soon.

One of the major issues affecting CISOs is that their role is poorly defined. CISOs often lack the power to spend or implement policy, with those responsibilities resting elsewhere in organizations. Even something as simple as organizational structure is complicated for CISOs, with research showing that different organizations have them report to the CEO directly, the CIO, or even the CFO. With little decision-making power or structure, it isn’t hard to understand why C-level executives are skeptical of CISOs. There’s a good chance they don’t understand why the CISO is there at all.

While a defined role would help the CISO in his or her mission, there is another fine line that has to be walked -- the balance between business needs and cyber security policy. The national epidemic of data breaches has forced the hand of business leaders, making cyber security a top priority. But, it is still unclear who wins a debate in the enterprise when good cyber security policy gets in the way of efficient business processes. Given the lack of power in most CISOs’ hands, the answer might not be good for those who would like their data protected. That’s a problem.

Now the good news
All hope is not lost for CISOs. They have the ability to change how they are perceived and build positive reputations in the enterprise. And it starts with learning a new language – the language of the business, not of cyber security. The CISO’s role in the boardroom is to educate executives about risk. To gain credibility and change perceptions, CISOs need to stop discussing security in a vacuum and start explaining a technical problem in terms of what it means to the business. By putting cyber security in terms the rest of the C-suite understands, CISOs can begin to exert real influence and gain support.

More importantly, CISOs need to integrate security into the enterprise by explaining its value to the business. At the highest level, security is not about malware and breaches, it is about risk management.

CISOs should explain why a cyber security policy is necessary in terms of what is at stake for the business, and should be prepared to identify a return on investment when they make a large expenditure. Ultimately, good security practice is a positive for businesses, even a potential competitive advantage for enterprises that handle sensitive data. CISOs need to frame cyber security policy in that light, rather than as being a roadblock. The days of a “compliance” mindset for security are over, and CISOs will benefit greatly by taking a proactive, risk-based approach.

Additionally, CISOs can gain respect in the enterprise by proving their worth through metrics and goals. If demand is increased by 20%, the CMO gets the credit. CISOs need to define what success is through measurable metrics, and report on them on a regular basis. In the past, the CISO has been viewed as a spender and a scapegoat. CISOs need to defend themselves and their work by framing their successes in business terms (and not just in a time of crisis), and explaining that good cyber security practice protects the bottom line.

Their position is not enviable, and their battle is uphill, but CISOs need to fight. With breaches discovered on a daily basis, there are few who would argue that enterprise security is not broken. But, only a small group of experts is uniquely qualified to fix it. CISOs can take on that role. They just have to win over their peers first. Enterprise security depends on it.

Julian Waits serves as President and Chief Executive Officer for ThreatTrack Security, guiding the company's growth as it traverses the enterprise security market with threat analysis, awareness, and defense solutions that combat advanced persistent threats (APTs), targeted ...

Comments
User Rank: Strategist
11/7/2014 | 10:21:29 AM
Re: Not metrics and goals

Please check out the Cyber Operations Maturity Framework. The basic model is the fusion center, originated at EUCOM -- fas dot org/irp/agency/dod/eucom/jac/

Typical SOCs are operating from a picture that emphasizes timelines and locality analysis, but without extensive exploratory or link analyses. They operate with indicators, but without indications analysis and without warning analysis (I&W) -- for example, I never see STIX that includes warning intelligence or attack indicators, only IoCs. Typical SOCs also separate the malware reversing process from the threat intelligence process too much... I mean, did you know that you can embed MAEC into STIX?

The primary issue for information security programs is lack of a formalized risk language and risk model based on costs to the business. For this, I could recommend FAIR as a starting point -- the book "Measuring and Managing Information Risk" (from the authors of FAIR) is timely.
Marilyn Cohodas
User Rank: Strategist
11/7/2014 | 10:05:18 AM
Re: Not metrics and goals
Great point about getting the right team in place to execute a cybersecurity plan @andregironda! What does that look like in your view and how would it differ from the organizational structure in the typical SOC?
User Rank: Strategist
11/6/2014 | 6:05:30 PM
Not metrics and goals
CISOs don't need more metrics and goals layered on their existing metrics and goals. They need a vision and a mission and they need people to execute. If a CISO earns a $670,000 yearly salary, up from $400,000 two years ago -- then they already have a seat at the board. What they need now is to hire people with similarly-structured salaries to execute their vision.

The vision is simple: create a cyber analytical model based on something like the fusion center, construct a framework similar to the Cyber Operations Maturity Framework, and build a platform that can deliver the results. Any technology piece such as SIEM, Cyber Threat Intelligence, Mobile Device Management, or NGFW needs to be balanced against the model and the framework -- and it must integrate with the analytical platform. Typically, an analytical platform consists of exploratory data analysis, exploratory factor analysis, and link analysis -- perhaps graded on a reference-class forecast or similar probability distribution. If you don't know what I just said, perhaps you should pick up the book, "Measuring and Managing Information Risk", which basically explains an approachable, analytical risk model to the uninitiated.

The average lifetime of a CISO is still 2 years, but their salaries are doubling every 2 years. The rest of us information security professionals have seen stagnant salaries for 20 years -- ever since we existed. If the CISOs won't change the game, then leaders will rise from the trenches. Lead, follow, or get out of the way!