Tuesday 30 January 2018

Positioning the CISO in the Executive Hierarchy

EC-Council Tutorials and Materials, EC-Council Certifications

The saga of positioning the Chief Information Security Officer (CISO) continues after more than fifteen years. The subject has been taken up by everyone from magazine editors to the annual RSA Security Conference. Yet, here we are. The role of CISO is still fighting for its place at the executive table, and there is no consensus as to whom the CISO should report.

Generally speaking, prior discussions on this subject have focused on two questions.

1. Where does the role of CISO belong in the organizational structure?
2. What are the “pros and cons” of various reporting structures?

So, why am I bringing this to your attention now? Because successful attacks on Big Data have become a much too frequent news lead. Information security and executive management have come under heavy fire in recent years due to a large number of high-profile data breaches (Yahoo, Target, Home Depot, Anthem BC/BS, the FBI, the Veterans Administration, and the list goes on). After each incident, someone must answer the questions: “How did this happen?” and “How do we prevent this from happening again?” The person in the “hot” seat is the person best able to answer these questions, namely the CISO.

CISOs are being roasted and not at comedy clubs. And you say, “Someone must be held responsible for allowing this to happen”. I agree about responsibility but I am skeptical of the sacrificial offering.

The CISO is an executive-level position that exists to provide executive management with expert counsel and advice on matters of information security and asset protection. Unlike a Director of Information Security, the CISO has overall responsibility for information security management and also serves as the spokesperson representing INFOSEC to the executive committee. The success of a new CISO depends on accomplishing two meaningful goals within the first one hundred days:

1. developing a sound organizational foundation for the INFOSEC program and
2. demonstrating tactical progress to the members of the executive committee

To accomplish these objectives, the new CISO should not focus solely on technical details that may isolate the security organization from the key business operations. The CISO needs to be an integral part of the senior management team, not just the lead technical manager. A primary goal in the first 100 days should be to hire or select staff with the specialized skills that the INFOSEC program will require and then to organize this team in the most effective way possible.

If these objectives are known and generally accepted, why then do so many new CISOs fail? The answer is that achieving success demands that both personal and organizational characteristics are present. A successful CISO possesses strong leadership and communication skills coupled with technical knowledge and vision. These personal characteristics suggest success, but the organization also has a responsibility to the CISO.

There are at least three keys to making the CISO role successful:

1) Independence – The CISO should be independent of influence or pressure from those involved in the day-to-day protection or purchase of corporate assets.
2) Empowerment – The CISO should be empowered to recommend, and upon agreement of the executive team, deploy all necessary processes, safeguards, and awareness training.
3) Organizational Position – The CISO should be positioned within the organization so as to facilitate his or her role as an enabler of “best practices”. It is essential that the implementation, audit, and enforcement of “best practices” not be limited to IT. INFOSEC issues are business issues.

In 2016, the roles of CIO, CTO, and CISO are still restricted, in many cases, to issues concerning new or embedded technologies. This organizational issue may lead to a duplication of effort and confusion as to the correct course of action in an emergency, leading to a slower response time. Is there a better way?

To answer that, let’s consider the totality of vulnerabilities found in information security. Research indicates that vulnerabilities may fall under one of three categories:

1. People – intentional or unintentional actions by people cause over 50% of incidents.
2. Process – good security is a process; every pen test or audit offers the opportunity to revise and improve your existing processes.
3. Technology – technology is everywhere, and therefore the likelihood of an exploitable vulnerability existing in your organization is high.

[Venn diagram: the overlapping realms of People, Process, and Technology]

The Venn diagram above illustrates what this relationship might look like. It is clear that the realms of people, process, and technology overlap. Frequently, vulnerabilities are not isolated in silos that can be addressed simply by making technological changes. By this accounting, at least half of INFOSEC vulnerabilities lie in the realms of people and process, not in technology. The role of CISO demands developing comprehensive solutions to complex business problems; therefore, its place in the organization should reflect that requirement.

A survey conducted in July 2014 by ThreatTrack Security found that:

1. 47% of CISOs report to the CEO or president,
2. 45% report to the CIO,
3. 4% report to the chief compliance officer,
4. 2% report to the COO or CFO, and
5. 2% report to someone else.

An additional finding of this 2014 survey was that legacy C-level managers view the role of CISO as a desirable addition to the executive committee because they see the CISO as a scapegoat should the organization suffer a catastrophic cyber breach. This finding confirms an opinion long held by the author of this article.

It would be wonderful (and too simple) if by writing this article, I could inform every organization and agency where the CISO(s) should reside in their respective hierarchies. Such a declaration would be hubris. The only person who can decide where your CISO belongs is “you”, the reader. By this, I mean someone with an in-depth understanding of the organization in question. That person may be an FTE or an experienced INFOSEC consultant. However, I can give you a framework on which to base your decision.

1) The information-security-related roles of CIO, CTO, and CISO are all siloed in the same way. The best case is that they reinforce each other and present a solid front on matters of information security. The worst case leads to in-fighting, which results in a fragmented security program. Attempting to manage a comprehensive, business-focused security initiative from a siloed base will never work.

2) Since the CISO may be the newest addition to the executive team, there is a tendency to place the newcomer under the aegis of a mentor. This should be avoided.

3) Remember that your new CISO must be both technically skilled and a great communicator.

4) Remember the three keys to success: independence, empowerment, and organizational position.

Now, let’s evaluate our three keys to CISO success against a hypothetical organization.

1) Reports to the CEO or President
a. Independence – yes
b. Empowerment – yes
c. Organizational position – yes

2) Reports to the CIO
a. Independence – no
b. Empowerment – maybe
c. Organizational position – no

3) Reports to the Chief Compliance Officer
a. Independence – maybe
b. Empowerment – maybe
c. Organizational position – yes

4) Reports to the COO or CFO
a. Independence – maybe
b. Empowerment – maybe
c. Organizational position – maybe

The Venn Diagram, referenced above, speaks to the concern that the CISO’s influence should not be siloed in IT without the capacity to affect business operations throughout the organization. It is possible that homing the CISO in IT may work, but my personal experience does not support this alternative.

Wherever the CISO is homed, there will be griping and complaints from the legacy C-levels. Some will want to claim the new member in order to extend their own influence. Others will want to avoid INFOSEC for fear of fallout from a data breach. This is life at the executive level.

The success of your chosen CISO should be dependent on his or her experience, skills, and an organizational scheme that recognizes security problems are business problems. After working through the above thought process, you now know where your CISO should be homed for the best chance of success.

Tuesday 16 January 2018

Why the Role of the CISO Is Vital in Every Company

CISO Tutorials and Materials, EC-Council Learning

Should every company have a chief information security officer (CISO)? The short answer is yes, there should be one in every company.

The position can be a unique, stand-alone role or fall under the remit of another member of the executive team who is willing to take on responsibilities related to information security. So what is the remit and value of having a role dedicated to leading and managing information security implementation and risk mitigation?

Why a CISO?

Today’s collective operating environment is much different than it was in 2000, often referred to as the year of the dot-com boom. The maturation of criminals’ online capabilities is the most striking difference. Cybercriminals have evolved their ability to conduct network surveillance, launch distributed denial-of-service (DDoS) attacks, and run both broad phishing campaigns and targeted spear-phishing attacks, all designed either to monetize what is accessed or to extend their criminal capabilities.

While the criminals were adjusting their modus operandi, operating environments changed as well. Computing resources evolved from the centralized computer centers of the 1970s and ’80s to the client-based applications of the ’90s. Then they progressed to cloud-centric offerings, which include software-as-a-service, cloud storage, browsers that act like operating systems, and a workforce of technology-savvy users. An organization’s CISO must not only analyze, formulate, and mitigate information security risks; he or she must also forge alliances and partnerships with the supporting business operations teams.

What’s the Value?

The valued CISO leads the information security efforts first, then manages those efforts. Today’s CISO cannot and will not be successful in his or her efforts without buy-in from both the corporate leadership team and those who are most affected by the information security policies and procedures: the operations teams. There are many ways to positively affect buy-in, including forming an enterprise-wide advisory board or council, or ensuring the operations teams are included in the creation and review of the policies that directly impact their team’s efforts. It should come as no surprise to any security practitioner that users will build workarounds when security policies and processes get between management’s directives and individual performance metrics. Aligning security policies and procedures with business outcomes is a must.

The key value provided by a CISO is in the role of business leadership, as the CISO must drive the information technology and security education of the workforce. In so doing, the efficacy of the various information security policies becomes clear, and the journey toward moving the workforce into a collaborative engagement with respect to information security begins. This collaborative effort goes beyond putting technological solutions on an employee’s client device(s) or network nodes. It must also include comprehensive training and awareness efforts. These efforts will go well beyond the “one-and-done” nature of new employee security orientation, or placing posters and coasters around the workplace.

Similarly, an annual and mandatory security briefing or training session is largely insufficient when it comes to aligning employees with new security concepts. All of these are useful pieces of the awareness training puzzle, yet they are not the solution. The real value lies within the opportunity to influence employee behavior when using these technologies and giving employees a method to triage the myriad threats that arrive on their doorstep every day.

With these steps, CISOs and their teams will be able to successfully evolve the perceived role of the information security department from the “‘No’ Police” to the “Business Enablers.” The educated workforce understands how information security practices can evolve; they understand how customers and clients evaluate companies with whom they engage not only by the goods they provide, but also on how well they protect customer and partner data. Once this perception hurdle is cleared, the value of the CISO as a business enabler becomes even more evident.