Dark Reading Radio

The Changing Role of the Chief Information Security Officer
Date / Time: Wednesday, January 20, 2016, 1:00 p.m. New York/10:00 a.m. San Francisco
Overview:

As cyber attacks become increasingly prevalent in business, the CISO is spending less time in the data center and more time in the corporate boardroom. Join Dark Reading community editor Marilyn Cohodas in a thought-provoking discussion about the evolving role of the CISO. Our guests include Jon Allen, Assistant VP & CISO, Baylor University, and Owanate Bestman, Cyber Security Executive Recruiter, Barclay Simpson.



Live Chat

Yes, many thanks to all the participants and especially to our great guest speakers


This has really been a great discussion. As we reach the top of the hour, just wanted to say a big thank you to Jon and Owanate for being here!


Capabilities: relevant industry experience and the ability to handle PROVEN crises / breaches accordingly.

The best chance is good communication skills - the ability to balance between the harsh reality of a bad situation and the appropriate response - even if that response is more funding

@Kelly. In my CISO role at an agency in the Intelligence Community, the friction was fairly constant with two CIOs. I was new to the organization, an outside hire, and the change I was driving scared the CIOs, who wanted to keep the status quo.


Owanate, what would you say are the one or two capabilities that make a candidate most attractive as a potential CISO hire, and what characteristics give a CISO the best chance of long-term success at a post?


More often where I hear of this friction is when one of the two positions is filled by a new person from outside the organization. That person may be brought to the table as a change agent, and friction will then occur. I think in mature organizations with clearly defined roles the friction is much lower than it once was.

@Kelly - I'm actually not sure on this one. One thing I can say is that no one wants a breach, and no one wants to be the blocker of Security implementing something that may prevent that (we know breaches occur regardless), but it's more a matter of perception in this case.

Is friction between the CIO and CISO now more of a myth than reality?

@Lance - yes! Not so much certification, but experience in privacy laws and perhaps implementing a privacy training programme, for example.

In my role I partner with general counsel to serve the privacy function. The certification I see most often is a CIPP, but that is typically a certification that dedicated privacy officers obtain.

Tim, in the Federal Reserve Bank System (Boston, Chicago, Richmond), the CISO went on to become the COO.

@Tim - a move to the vendor side or a bigger company. Or chair a new and aspiring certification.

I'm interested in where an executive might go from being a CISO. Are there examples of CISOs moving on to become COOs or CEOs?  If you've been a CISO for a while, what would be the next step? A bigger company? Maybe move to the vendor side?


Owanate:  Are you seeing any requirements for Privacy experience or certifications for CISO positions?  If so, which certification?


So it's better to look outside your organization if you aspire to be a CISO!


They are becoming more important - but the traditional certifications are powerful and can separate you from other applicants.

Just a thought that the soft skills (being able to talk to non-technical administrators), management skills, and project skills are as important as certifications at the CISO level

@Marilyn - yes but.....

The board recognises that in order to implement change, it's often necessary to bring in external talent: those who have dealt with crises outside of their firm and can implement change.

Good question, Sara! I have experienced that in some interviews, even having served as a CISO for two large organizations - they seem to look for perfection and don't recognize the experience.


Yes, Sara - that's the problem in general. It's my job to ensure that they are realistic: to gauge the top 3 things they are looking for out of their list of 10 and educate them as to why they should interview the people that meet their crucial requirements.

I expect that some qualified people are afraid to apply for a CISO job because the job listing asks for everything under the sun. Do you think that's potentially a problem? That companies might be missing out on the right candidate because they're too busy looking for the "perfect" candidate?


It's a well-paid position, but it depends on the size of the organisation and how seriously they take security. $300k is a more realistic figure for a large firm. But.... if they happen to have a breach, all of a sudden they are willing to pay $400k for the right CISO :)

Really thoughtful discussion, Jon and Owanate! Not to sound crass, but I did an interview the other day in which someone said offhandedly that CISOs average around $350K in annual salary. Is that anywhere close to what you're seeing out there? I understand it's increasingly becoming a pretty well-paid position.


It sounds like you have all the right qualifications: CISSP, CISM and CISA. You may want to consider a project-based qualification. They can be quite easy to acquire and go a long way.

Security talent is absolutely a challenge. I think one of the keys is selling the position and the organization. There have been numerous talks about Generation Y and what is important to them. More often, compensation is not at the top of their list. Feeling like they are doing something valuable and work-life balance are in many cases key decision factors for them. Candidates in information security are interviewing the organization as much as we are interviewing them. They will have their choice of jobs, and we need to make sure we "sell" how we meet their decision criteria.


What security certification do you recommend for a CISO? I already have my CISSP, CISA, CEH and PMP. I have an M.S. in Information Resource Management and a B.S. in Computer Science. I have recently paid to attend the C|CISO course next week.


Not a division Lance, but more of a merger between the two which can be very difficult to find

I think the key on the ability to learn is during the interview: talking about their past experiences with technologies and new technologies. How do they best learn? Do they enjoy taking on new technologies? You have to become a bit of a psychologist, like in any interview, to understand the skills the candidate brings forward.


Jon - Owanate: Is there a division between strategic and technical ability that you look for in CISO positions?


Interesting phrase there "ability to learn." How can you tell that a candidate has that? And if you're a candidate, how do you show you have that ability?


Jon and Owanate: Is it getting any easier to find security talent for your security teams? What types of initiatives are you undertaking to find the right people for the job(s)?

"Trying to find a utopia of an individual."  That sounds like a pretty accurate description of the CISO job description companies are looking for.


The term "metrics" still gives me a headache, and I'm sure lots of people feel the same way. I also wonder how many CISOs have been able to use metrics they created for one organization within their next organization. How transferable are they?


Dark Reading will be hosting a related discussion in our virtual event, Cyber Security: The Business View on Tuesday 1/26 beginning at 11am Eastern. It's an all-day event with a variety of different presentations and topics. You can find more information on the main Dark Reading pages.


Welcome to Jon and Owanate! It will be interesting to hear both their perspectives on how the CISO's job is evolving and how their responsibilities are becoming more critical in the business.


The player should have loaded: If you don't see it, please refresh your browser window.


Should the player be loaded at this point? I don't see anything.


We'd love to have your voice in the discussion here. To take part, just type your comment into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the show starts -- I think you'll find that we're a very friendly community here!


Hey, everyone, we're glad you could join us! When the show is scheduled to start, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player.
