Dark Reading

News & Commentary

11/6/2014
11:59 AM
Julian Waits
Commentary

Once More Into the Breach, Dear CISO

The sad truth about CISOs is that they are seldom given power over security budgets or strategic IT decisions. To many C-level execs they exist to accept blame and are given little authority to effect change.

The search for a scapegoat is the easiest of all hunting expeditions, former President Dwight D. Eisenhower once said. If that is the case, Chief Information Security Officers (CISOs) must be worried that they will soon be stuffed and mounted in boardrooms around the country.

Since the Target breach, cyber security has been thrust into the spotlight, with media coverage of the next major data breach dominating headlines on a near-weekly basis. The heightened visibility is creating speculation in the media and beyond about what enterprises, governments, and security experts are doing to fight cybercrime.

In an effort to respond, boards have elevated the CISO, a once-obscure position, to the C-suite. But while the title is there, the authority is not. A ThreatTrack-sponsored survey of 203 C-level executives recently found that the majority of them keep CISOs at a distance, give them limited responsibilities, and ultimately believe that they exist to serve as a scapegoat should a data breach occur. Respondents made it clear that CISOs are seldom given power over the security budget or over strategic IT decisions. In short, they exist to accept blame but have no power to effect change.

This is a dilemma, one that goes beyond internal power struggles and instead represents a major problem for enterprise security. Many CISOs have not been put into a position to succeed, and by virtue of that, enterprise cyber security is not getting any better. The problem will continue until the CISO earns a seat at the table. It will take cooperation and hard work on the part of CISOs and their peers, but it needs to happen, and soon.

One of the major issues affecting CISOs is that their role is poorly defined. CISOs often lack the power to spend or implement policy, with those responsibilities resting elsewhere in organizations. Even something as simple as organizational structure is complicated for CISOs, with research showing that different organizations have them report to the CEO directly, the CIO, or even the CFO. With little decision-making power or structure, it isn’t hard to understand why C-level executives are skeptical of CISOs. There’s a good chance they don’t understand why the CISO is there at all.

While a defined role would help the CISO in his or her mission, there is another fine line that has to be walked -- the balance between business needs and cyber security policy. The national epidemic of data breaches has forced the hand of business leaders, making cyber security a top priority. But, it is still unclear who wins a debate in the enterprise when good cyber security policy gets in the way of efficient business processes. Given the lack of power in most CISOs’ hands, the answer might not be good for those who would like their data protected. That’s a problem.

Now the good news
All hope is not lost for CISOs. They have the ability to change how they are perceived and build positive reputations in the enterprise. And it starts with learning a new language – the language of the business, not of cyber security. The CISO’s role in the boardroom is to educate executives about risk. To gain credibility and change perceptions, CISOs need to stop discussing security in a vacuum and start explaining a technical problem in terms of what it means to the business. By putting cyber security in terms the rest of the C-suite understands, CISOs can begin to exert real influence and gain support.

More importantly, CISOs need to integrate security into the enterprise by explaining its value to the business. At the highest level, security is not about malware and breaches, it is about risk management.

CISOs should explain why a cyber security policy is necessary in terms of what is at stake for the business, and should be prepared to identify a return on investment when they make a large expenditure. Ultimately, good security practice is a positive for businesses, even a potential competitive advantage for enterprises that handle sensitive data. CISOs need to frame cyber security policy in that light, rather than as being a roadblock. The days of a “compliance” mindset for security are over, and CISOs will benefit greatly by taking a proactive, risk-based approach.

Additionally, CISOs can gain respect in the enterprise by proving their worth through metrics and goals. If demand is increased by 20%, the CMO gets the credit. CISOs need to define what success is through measurable metrics, and report on them on a regular basis. In the past, the CISO has been viewed as a spender and a scapegoat. CISOs need to defend themselves and their work by framing their successes in business terms (and not just in a time of crisis), and by explaining that good cyber security practice protects the bottom line.

Their position is not enviable, and their battle is uphill, but CISOs need to fight. With breaches discovered on a daily basis, there are few who would argue that enterprise security is not broken. But, only a small group of experts is uniquely qualified to fix it. CISOs can take on that role. They just have to win over their peers first. Enterprise security depends on it.

Julian Waits serves as President and Chief Executive Officer for ThreatTrack Security, guiding the company's growth as it traverses the enterprise security market with threat analysis, awareness, and defense solutions that combat advanced persistent threats (APTs), targeted ...
Comments
andregironda, User Rank: Strategist
11/7/2014 | 10:21:29 AM
Re: Not metrics and goals
Marilyn,

Please check out the Cyber Operations Maturity Framework. The basic model is the fusion center, originated at EUCOM -- fas dot org/irp/agency/dod/eucom/jac/

Typical SOCs are operating from a picture that emphasizes timelines and locality analysis, but without extensive exploratory or link analyses. They operate with indicators, but without indications analysis and without warning analysis (I&W) -- for example, I never see STIX that includes warning intelligence or attack indicators, only IoCs. Typical SOCs also separate the malware reversing process from the threat intelligence process too much... I mean, did you know that you can embed MAEC into STIX?

The primary issue for information security programs is lack of a formalized risk language and risk model based on costs to the business. For this, I could recommend FAIR as a starting point -- the book "Measuring and Managing Information Risk" (from the authors of FAIR) is timely.
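The article's call to state risk and return on investment in business terms, and the FAIR model the comment above recommends as a risk language, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the author, from ThreatTrack, or from the FAIR authors. It assumes the simplified FAIR factor tree (threat event frequency times vulnerability gives loss event frequency; each loss event carries a loss magnitude), uses a triangular distribution in place of the PERT curves FAIR tooling normally uses, and the scenario figures, the control and its cost are constructed for illustration only.

```python
"""FAIR-style Monte Carlo estimate of annual loss exposure for one risk scenario.

Added illustration, not the article's or FAIR's own code. Simplified factor tree:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Annual loss                = sum of Loss Magnitude (LM) over that year's loss events
Three-point estimates are sampled with a triangular distribution as a stand-in for
the PERT/beta curves FAIR tooling typically uses. All numbers below are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a degenerate range returns low.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Estimate  # cost per loss event, in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated total loss per year (deterministic for a given seed)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        annual.append(sum((scenario.loss_magnitude.sample(rng) for _ in range(events)), 0.0))
    return annual


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss expectancy (ALE) plus the tail percentiles a board asks about."""
    s = sorted(losses)

    def pct(q: float) -> float:
        return s[min(len(s) - 1, int(q * len(s)))]

    return {"ale": statistics.fmean(s), "p50": pct(0.5), "p90": pct(0.9),
            "p99": pct(0.99), "max": s[-1]}


def control_case(scenario: Scenario, control_cost: float,
                 reduced_vulnerability: Estimate, years: int = 10_000,
                 seed: int = 1) -> dict[str, float]:
    """Compare ALE before and after a control that lowers vulnerability.

    The net figure is the business-terms answer to "what do we get for the money":
    expected loss avoided per year minus the control's annual cost.
    """
    before = summarize(simulate(scenario, years, seed))
    after = summarize(simulate(replace(scenario, vulnerability=reduced_vulnerability),
                               years, seed))
    return {"ale_before": before["ale"], "ale_after": after["ale"],
            "control_cost": control_cost,
            "net_annual_benefit": before["ale"] - after["ale"] - control_cost}


# Constructed scenario: credential phishing leading to a payment-data breach.
PHISHING = Scenario(
    name="Phishing -> payment data breach",
    tef=Estimate(low=2, likely=6, high=15),
    vulnerability=Estimate(low=0.05, likely=0.15, high=0.30),
    loss_magnitude=Estimate(low=50_000, likely=400_000, high=3_000_000),
)
# Hypothetical control: phishing-resistant MFA, assumed to cost $250k per year.
MFA_VULNERABILITY = Estimate(low=0.005, likely=0.02, high=0.05)

if __name__ == "__main__":
    print(summarize(simulate(PHISHING)))
    print(control_case(PHISHING, control_cost=250_000,
                       reduced_vulnerability=MFA_VULNERABILITY))
```

The output is a loss distribution rather than a single number, which is the point: the p90 and p99 figures are what lets a CISO say "a bad year costs this much" in the same currency the CFO uses, and the before-and-after comparison turns a control request into an expected return rather than a line item.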
Marilyn Cohodas, User Rank: Strategist
11/7/2014 | 10:05:18 AM
Re: Not metrics and goals
Great point about getting the right team in place to execute a cybersecurity plan @andregironda! What does that look like in your view and how would it differ from the organizational structure in the typical SOC?
andregironda, User Rank: Strategist
11/6/2014 | 6:05:30 PM
Not metrics and goals
CISOs don't need more metrics and goals layered on their existing metrics and goals. They need a vision and a mission and they need people to execute. If a CISO earns a $670,000 yearly salary, up from $400,000 two years ago -- then they already have a seat at the board. What they need now is to hire people with similarly-structured salaries to execute their vision.

The vision is simple: create a cyber analytical model based on something like the fusion center, construct a framework similar to the Cyber Operations Maturity Framework, and build a platform that can deliver the results. Any technology piece such as SIEM, Cyber Threat Intelligence, Mobile Device Management, or NGFW needs to be balanced against the model and the framework -- and it must integrate with the analytical platform. Typically, an analytical platform consists of exploratory data analysis, exploratory factor analysis, and link analysis -- perhaps graded on a reference-class forecast or similar probability distribution. If you don't know what I just said, perhaps you should pick up the book, "Measuring and Managing Information Risk", which basically explains an approachable, analytical risk model to the uninitiated.

The average lifetime of a CISO is still 2 years, but their salaries are doubling every 2 years. The rest of us information security professionals have seen stagnant salaries for 20 years -- ever since we existed. If the CISOs won't change the game, then leaders will rise from the trenches. Lead, follow, or get out of the way!