Timeless Gifts for the CISO in your Life
By Daniel Schwalbe
It has been a rough year for Chief Information Security Officers (CISOs). 2017 has followed the trend of prior years with its fair share of headline-making breaches, including Verizon, Uber, Equifax, and many more. The full impact that these breaches had on affected customers is hard to quantify, but the word "devastating" sure comes to mind.
The one thing that often gets ignored in the wake of a major breach announcement is the toll that it takes on the employees, especially the IT and security staff, of the companies that were responsible for preventing the data loss. As we head into 2018, CISOs could use the following timeless gifts to help them face the inevitable breaches ahead:
Practical Tools
A good set of tools is nice to have, provided they actually do the job you need them to do. But there is also a lot of snake oil out there. In my previous CISO role, I spent a non-trivial amount of time fending off companies who were trying to sell me security products that I neither asked for nor needed.
If the sales people had done their homework, it should have been painfully obvious that their "one-size-fits-most-solution" would not work in, or scale to, my particular environment at the time. The hallmark of a practical tool is that it can help solve a real-world problem that exists right now, and do so with minimal fluff or overhead.
Effective Collaboration
In my experience, operational security professionals don't collaborate enough with their peers in other organizations. The bad guys manage to share information more frequently and more effectively than the good guys, which is part of the reason why the bad guys continue to score in the battle over cybersecurity.
Collaboration is critical to our success as security professionals. Yet we are often hindered in our efforts to share information and collaborate with peers from other organizations by lawyers and corporate secrecy. CISOs and their teams need the freedom to collaborate with their peers, threat information sharing groups and other trusted contacts. It improves the organizational security posture and goes a long way towards catching up with the bad guys.
Authority and Accountability
Even after all the breaches that have captured the public's attention, many CISOs still lack the proper institutional authority to make important risk decisions on behalf of the organization they serve. In those cases, the CISO often reports to the senior executive in charge of IT. Since the Security and IT missions are frequently at odds, limiting a CISO's direct decision-making authority is a way to cement IT's control over security. The fact that this can create a massive conflict of interest is not lost on most security professionals.
In the fast-moving world of cybersecurity, the ability to be nimble and make important decisions quickly is key. CISOs must be given the authority to do what needs to be done to protect the company's interests. But with great power comes great responsibility, so authority must be tied to accountability. The way to limit any potential overreach is by holding CISOs accountable for their actions or inactions.
Boardroom Support
One of the better strategies to reduce a company's overall risk exposure is to establish and maintain an organizational culture of security. This holistic approach can help integrate sound security practices into day-to-day operations, and replace the old "security as an afterthought" approach.
But without full support from the boardroom, any attempt to implement this strategy is likely doomed from the start. It begins with resources, which, without buy-in from the very top, will likely be difficult to get allocated. But the board also sets the corporate culture, so if they don't think security is important, the rest of the company is unlikely to take it seriously either.
Additional Resources/Funding
Despite the steady number of high profile breaches, security departments frequently remain under-funded. Why? As mentioned previously, security departments often get grouped under the larger IT organization. As a result, the security budget is typically a subset of the IT budget. When security and IT missions are at odds, but IT controls the purse strings, security tends to lose.
As long as security departments are expected to run on shoestring budgets, can't get new funding, headcount or tools, aren't allowed to collaborate with their peers and are prevented from presenting directly to the board, we will likely see the number of major breaches increasing. If you are a senior IT leader or Director on a corporate board, talk to your CISO today about the staff and tools they need to protect your organization. Don't wait until your company name is in the headlines.
Daniel Schwalbe is Deputy CISO and Director of Engineering for Farsight Security, Inc.