1) Chief information security officers are glorified auditors or risk managers. Yeah, so what's your point? True, CISOs are often charged with helping their companies comply with various government and industry regulations (HIPAA, SOX, PCI, etc.) that could end up costing hundreds of thousands of dollars in fines if those regs are violated. And one of the CISO's greatest responsibilities is making sure their companies aren't placing themselves at risk of having employee or customer data spilled onto the Web's black market for personal information, whether from malicious cyber attacks, lost/stolen laptops laden with company data, or insiders who exceed their access privileges. If that's not enough, some security chiefs sit on their companies' IT employment diversity councils (such as Cigna's Craig Shumard) or work with industry boards such as the Data Link Security Subcommittee to help design the next generation of aircraft (as Continental's Andre Gold does).
To properly manage all of the responsibilities of a CISO, both within a company and in dealing with regulators and customers, "you have to have a slight case of ADHD (Attention Deficit Hyperactivity Disorder)," says Michael Barrett, PayPal's chief information security officer.
2) It's all about the technology. Not necessarily. "We have a paper shredding policy, but an individual can circumvent that by bringing home a piece of paper and throwing it away in their trash," Cigna's Shumard says. "There's no technology to that." Half of Cigna's information protection policies don't address technology controls because the information isn't digital. That's where security awareness among employees comes into play. "We're only as strong as our weakest link, and the weakest link is the person who doesn't know what they're doing," he adds.
Says PayPal's Barrett, "Eighty percent of the effect is in fact psychological. You tell people that you're monitoring even before you implement the technology."
3) Security spending is a bottomless pit because CISOs are chasing a goal that they can never reach. Don't equate strong security with emerging and often complicated technologies, network access control being one that comes to mind. "Good security doesn't necessarily cost more money," Cigna's Shumard says. "Maintaining good health on your desktops is just plain cost-effective and it provides good security."
Of course, it's unrealistic to think that any CISO can drive their company's level of risk to zero. Instead, PayPal's Barrett says, a CISO must know how to identify risks and prioritize resources. "And you have to be able to revise the plan as you go along," he adds.
4) Endpoint security should be every company's top priority. A priority, sure, especially given all of the high-profile laptop thefts that have cost organizations lots of money and caused much embarrassment. But today's security concerns shouldn't obscure preparation for new threats. "The browser is really the way people experience the Internet," says Mozilla's chief security something-or-other Window Snyder (I'm not making that up; that's her real title). "It's an incredibly powerful vehicle for changing the way people interact with information, but it's also a primary vector for attack."
5) Vendors will lead the way in mitigating security threats through innovative new products. Let's fix the problems that exist today before we introduce new ones. "I don't encourage vendors to be more innovative, I encourage them to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up," says AT&T senior VP and chief security officer Ed Amoroso. "You figure out why the building is crumbling." Companies don't need more innovation, "we need more sanity to recognize that we've got vulnerabilities in our software and systems that are so complicated that you have no clue how people get in or don't get in," he adds.
6) The threat landscape changes too quickly to keep up. Hogwash, says PayPal's Barrett. "People could see phishing coming, but they seemed surprised anyway. If you do your crystal ball gazing appropriately, things won't sneak up on you," he says.
7) Every company needs a CISO. Not necessarily. "Organizations first and foremost have to be serious about information risk management before elevating security to the role where you have a CISO or director of information security," Continental's Gold says.