Recently, among friends and contacts, we've had a bit of discussion about information security leadership, which I kind of expected given my recent stance on what the information security officer position requires. The other night I was put on the spot when I made a comment and the response was, "so if you're not technical, you cannot do security work?" Or something like that.
I didn't want to be rude, and I do understand that there is a whole domain of IT risk, information risk, security governance, and audit that focuses on policy, procedures, resilience, and many other important issues and subjects. That was the focus of the first five years of my career at EY and KPMG, and even internal audit at PwC – but that was back in the late 1990s and early 2000s! Organizations that have private data and intellectual property to leak already have risk and control departments that focus on policy and procedure review, another team that focuses on disaster recovery, and a cybersecurity function. Many refer to that as the second line – after operations/business (the first line), and before internal audit (the third line). Even when that falls directly into the information security department, it is a supporting function to the role of actively securing the environment.
That is probably where I have had a radical change in my perspective on cybersecurity and on what the job requirements for a CISO have become. Cybersecurity cannot continue to be treated as a second line of defense in the internal control structure, because the tasks required to vigilantly and appropriately maintain security are part of the front line of businesses that face the public. The public internet, to be precise. Cybersecurity defenses need to be treated as part of doing business with the most publicly exposed teams (sales, marketing, product development), because a large part of the ransomware threat requires a social engineering step.
That is just one type of threat to deal with, even within ransomware. There is not only ransom by encryption, but ransom by DNS DDoS attack, ransom by leakage, and probably others. If you look at other attack surfaces from publicly exposed devices – VPN endpoints, SSH login points, web applications – then you really have to be technical enough to digest all of the information related to the attack vectors. Even better than digesting the information, having hands-on experience in a lab (or otherwise :) structuring such attacks is what most medium and larger enterprises need in order to defend against what we will continue to see for the foreseeable future: double- or triple-digit percentage increases in cyber attacks, in one form or another.
The CISO must translate cyber threats, vulnerabilities, current attacks, and intelligence into risk and actionable directions. As Japan's Cybersecurity Minister says, "but we hire experts for that…" Well, those experts are going to want decisions from a leader, and if the leader does not have the knowledge to direct them, the result would be partially effective at the very best. That is similar to the hospital (or rest home) administrator walking into the operating room to do brain surgery. Do we want to be partially effective when APT groups are attacking our organizations? A cybersecurity expert in leadership, with solid penetration testing, vulnerability testing, and incident management experience, combined with offensive tactical training, is the best defense. There is no replacement for solid offensive skills and experience, security-focused technical systems knowledge, and communication skills.
Softer skills, such as people management, budgeting, planning, and other management requirements, are important – but those skills are also important to the medical surgeon who runs an independent practice! You can figure that out, but it is secondary to effectively handling cybersecurity issues, which are inevitably technical attacks with technical defenses. When we go to the dentist, we're not given a whole lot of comfort by seeing a psychologist certificate on the wall. A psychologist would require people skills, direction skills, and management skills, but you probably don't want a psychologist poking into your oral cavity with technical (and sharp) tools, right? Or, if we asked about her training and education, there would be absolutely no comfort in hearing that she was transferred from the clinic's psychology department a couple of months ago! In the same manner, we should not feel comfortable with security managed by an executive with no cybersecurity experience, certifications, or technical capability!
While organizations say they recognize cybersecurity risk as we report consistent leakages and ransomware attacks, the people placed in the role of handling these threats and risks are largely untrained and non-technical. One thing is for sure: the leadership within adversary groups is trained and technical. Why would the response and defense be handled by somebody less trained and technical?
Giving security experts a say in the corporate culture and driving the tone at the top on cybersecurity issues is still a passive exercise. This provides attackers an even greater advantage, over and above the advantage they already have. The C-suite (including paper CISOs) leverages every security vendor offering and shiny blinky toy only to resolve its own fear, uncertainty, and doubt. These devices do not secure your company. Talent using the tools, and leadership directing the talent effectively, secures your company.
Just my two cents. It's time that we make sure our security chiefs are experienced and trained. Nothing like a CISO who wants to discuss risk. Risk is important, but let's get down to the technical details of handling a threat. Paper certifications and shiny blinky lights do not and should not put the security threats facing an organization at ease. People management skills are important and required, but applying the proper vigilance from the proper angles toward the correct areas of technology and human activity is a technical craft built from training, experience, skills, and talent. It is a craft that is largely founded on capability that cannot be blindly delegated. Just as Sarbanes-Oxley legislation requires that a CFO be certified and qualified for the role they fill, it's time to start holding management to the same level of accountability for the people they put in CISO roles.