How the Role of the CSO is Fundamentally Changing, Part 3

In part 1 and part 2 of this series, we examined the history of the CSO and various arguments as to where the CSO role should sit in the organization. Now let’s talk about how the “new” CSO plays a much bigger role in the overall C-suite and what skills a CSO requires.

Is the C-suite ready to welcome a CSO?

Some large companies have the CSO listed as part of the company’s leadership team (Cisco and Oracle to name two) but this is not the norm in most organizations. To me, that implies that the company does not consider security essential to the business and the C-level governance of that business. Legal is essential. HR is essential. Finance, Marketing, and Sales are all essential. So why isn’t security?

It is interesting to note that business leaders run out as fast as they can to hire a CSO/CISO as soon as they get hit by a significant breach: RSA, Sony, Adobe and Target all followed this pattern. Obviously, this is a little backwards. But these kinds of events are causing business leaders to rethink how important security is to their business. I predict that they will eventually lead to the elevation of the CSO to the leadership team as a best practice.

What every CSO should have

I still believe the CSO should come up from the technical ranks. Today’s world is so complicated technically that if you do not have that background, you can be completely overwhelmed by the latest security trend. The true CSO skill that has to be learned, though, is how to translate that technical knowledge into something that a business leader will understand or care about.

Let’s look at the Heartbleed incident as an example. That vulnerability exposed many companies to a non-traditional hack-attack pattern. Without an understanding of the potential risk posed by that attack pattern, security people could not possibly translate the business risk to the company leadership.

In other words, the CEO does not care about how many machines have to be patched with the latest Microsoft Patch Tuesday release. He does care if the Microsoft Patch Tuesday release affects a key revenue-generating component of his business, and he should consider re-directing resources to that component in order to reduce the risk sooner rather than later. This business translation is often hard for techies. But it can and it must be done, and the CSO is the ideal person to do it.

Evangelizing Security

In any organization, the security state evolves over time. There are security controls already in place that mitigate certain threats and there is a plan to implement other security controls to mitigate other threats.

For internal evangelism, I have found that it makes sense to explain the controls to the average employee at a very high level, explain what could happen if the control were not in place, and demonstrate where the control was successful in preventing that scenario. That discussion makes it real, rather than some abstract idea where the security guys make the employees do stuff for no apparent reason.

For external evangelism, it behooves all security practitioners to participate in the community sharing best practices that work and even things that have been tried but failed to produce the desired result. When you are trying to break new ground on a new security idea in your organization, it helps very much to say that other folks in the security community have also tried it with some success.

What should be required of a CSO in 2014 and over the next few years? Leave a comment below and let me know what you think. 

How the Role of the CSO is Fundamentally Changing, Part 2

In Part 1 of this series I talked about the evolution of the CSO role and how security shouldn’t be subservient to all other operations in all cases. Let’s dig a little deeper into why this is so.

Should Physical and Digital Security Merge or Be Kept Separate?

I understand why organizations have these two separate security groups. Before the Internet days, the CISO function didn’t really exist, and the physical security function was usually relegated to the bottom of the leadership chain. You needed guards and fences and things like that, but those kinds of operations were more like commodity items, like power to the building, trash pickup or other maintenance roles. You needed them but once you established them, they did not materially affect the business even if they failed for a day or two (in most cases). Because of this, Physical Security tended to fall under the Facilities Management groups.

We’ve talked about the Internet of Things, though, and boy, does that change the situation. Everything is interconnected. Just like every other organization in the business, the physical security groups have a lot of IT security components, from badges to IP-enabled surveillance cameras. These groups and their electronic tools could still operate by themselves, but it makes sense that business leadership tasks somebody in the company to make sure that these tools are compatible with the approved security architecture plan. In my mind, that is the CSO organization.

Just like the idea that there is no such thing as cyber risk to the business, only risk to the business, I don’t think there is a need for separate cyber security and physical security teams. In this day and age, it is all security. Just for ease of management, it makes sense to keep it all under one umbrella.  My perfect organization would have a CSO in charge of all security of the company, with the CISO under that person with a dotted line to the CIO.  The Physical Security Director would also work for the CSO but by design would have a close working relationship with the CISO.

CSO and IT: A Healthy Tension

There has always been a healthy tension between the IT people in an organization and the security people in an organization. The IT folks are concerned about security for sure, but they are often more concerned with keeping the systems running and squeezing as much cost out of any particular project that they can. And that is what they should be doing. Meanwhile, the security people are more focused on business risk, not just for IT projects but for every aspect of the business: HR, Legal, Operations, Finance, Strategy, Marketing, and Sales.  Most of these other business functions have an IT-Security component, but cyber risk is not the only risk that leaders have to monitor.

Sometime in the mid-2000s, it became convenient to tuck the security function for an organization under the IT function of the organization. In other words, the CISO works for the CIO. This is not a bad idea, per se, and is an arrangement that works in many organizations. The IT folks generally handle the day-to-day automation functions while the security teams perform more of an oversight role in terms of security architecture, policy, risk assessment and SOC Operations. But to me, that kind of organization shows that company leadership does not fully understand the larger problem. We are not talking about only Cyber Risk to the business. We are talking about risk to the business.

Forbes’ Howard Baldwin back in March complained that he did not like recent changes he was seeing within organizations that have broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives that can handle competing priorities. But that is not the point – something that was really underscored in the investigation following the Target breach.

In an interview by Jack Rosenberger, Eric Cole, founder and Chief Scientist at Secure Anchor Consulting, speculated on one of the reasons that may have contributed to the Target breach:

“It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”

Cole is pointing out that in all of the priorities that the Target CIO had to juggle, security lost out. And as Brian Krebs reported in the Guardian in May,

“Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.”

Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the former CIO and CEO. Krebs suggests that in hindsight, because of the devastating impact to the business, the Target CISO should not have worked for the CIO – that it should have been the other way around.

Check back for Part 3 of this series, where we’ll talk about the role of the CSO in relation to the rest of the C-suite.

How the Role of the CSO is Fundamentally Changing, Part 1

The job description for the people that are responsible for IT security within an organization has been in a state of flux for over a decade. Since Steve Katz became the first CISO back in 1995, both business leaders and the security industry in general have been thinking and rethinking the need for such a person and the responsibilities that he or she should have.

The Evolution of the CSO

Citigroup became the first commercial company to recognize the need for the brand new corporate CISO role when they responded to a highly publicized Russian malware incident. As cyber threats continued to grow in terms of real risk to the business and in the minds of the general public, business leaders recognized the need to dedicate resources to manage that risk.

The first practitioners came out of the technical ranks — the IT shops. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world. But this was a new thing for the techies: trying to translate technical risk to a business leader not versed in IT security did not always go very well. That’s when it became convenient to tuck these kinds of people underneath the Chief Information Officer (CIO) reporting organization. CISOs began working for the CIO because, from the C-Suite perspective, all of that “technical stuff” belonged in one basket.

But as business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the Chief Security Officer role began to get popular with business leaders because they needed somebody to look at the entire business — not just the cyber security risk to the business but the general security risk presented by any one or a combination of those challenges. CSO Magazine launched in 2002 to cater to that crowd [21], and in 2004 the American National Standards Institute accredited the Certified Information Systems Security Professional (CISSP) program, where Information Assurance practitioners could get certified in a recognized, agreed-upon set of skills.

Since then, the industry has been in flux. Not every company organizes the same way. While the CIO has made its way to the executive suite in some companies (Intel, for example), that is by no means the norm. The Chief Security Officer is likewise not yet a fixture, but I suspect that situation is changing. Let’s talk about why.

CSO/CISO As A Distinct Role

The CISO role has emerged in the last five years as the de facto role to manage cyber security. If there isn’t somebody in the organization with the title of CISO, there is somebody in charge of IT security. This person generally works for the CIO, but not in all cases. I do a lot of traveling around the world talking to customers and speaking at security events. From speaking with many CISOs, CSOs and CIOs, the community has decided that the IT groups handle the day-to-day IT operations while the security groups have much more of an oversight role: risk assessment, incident response, policy controls, etc. This means that the IT groups keep the firewalls up and running while the security groups are monitoring the logs and advising the CIO on security architecture and policy.

I don’t think this is the right model, either. In this modern world, I do not believe that security should be subservient to operations in all cases. Yes, the company has to keep its servers operational, but that does not imply that if push comes to shove, security is the first thing that we turn off in order to maintain operations.

For companies that understand risk to the business, security and operations are peers. Over Parts 2 and 3 of this series, I’ll explain why this is so important.
