The Cybersecurity Canon: Winning As a CISO

The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review: Winning as a CISO (2005) by Rich Baich

Executive Summary

The latest candidate for the Cybersecurity Canon is Rich Baich’s Winning as a CISO. The roles of the chief information officer (CIO), the chief security officer (CSO), and the chief information security officer (CISO) in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function of an organization. In other words, the CISO works for the CIO.

But Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how the industry should view these topics. Our industry will be slow to adopt these new ideas, but with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to start making a change. Reviewing Baich’s book is a good place to start. It is Cybersecurity Canon-worthy, and you should have read it by now.

Introduction

The roles of the CIO, the CSO, and the CISO in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. I picked up Winning as a CISO because my boss handed it to me after he met the author, Rich Baich, at a security event. He said that Baich was a smart guy and had some interesting ideas about the modern CISO role in today’s environments. In this book, Baich explains some innovative thinking about what today’s CISOs should be responsible for, how they should fit into the organization, and how they might accomplish their tasks once they are established. In order to understand where Baich is coming from, it is useful to review the history of the CIO, CSO, and CISO roles in modern business.

CIO, CSO and CISO History

The idea of the C-suite did not really materialize until the 1920s when Alfred Sloan, the hugely successful chief executive officer (CEO) of General Motors, decided to distribute profit and loss (P&L) responsibility across his division managers in response to shareholder and regulator demand for more accountability.

Because of General Motors’ success with this new P&L model, business leaders across the world adopted it for their own organizations. That model lasted some 60 years until the 1980s, when CEOs realized that in order to drive organizational change, they needed executives with technical and functional specialties. CEOs began creating new C-level executive positions like chief marketing officers (CMOs), chief financial officers (CFOs), and, yes, CIOs. The idea of a C-level executive dedicated to security did not really emerge until the late 1990s, 10 years after the CIO position had become firmly established in modern business.

Steve Katz became the first CISO in 1995 when Citigroup created the role to respond to a highly publicized Russian malware incident. Since then, the security industry specifically and business leadership in general have been thinking and rethinking the need and the responsibilities for such a person.

The first practitioners came out of the technical ranks. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world, but this was a new thing for the techies; trying to translate technical risk to a business leader did not always go very well. Security techies have always been, and still are, passionate about their responsibilities. The early trailblazers tended to say “no” to any new project because of the potential security risk. The business leaders did not want to deal with these people who wanted to make organizational decisions with no thought about the bottom line. It became convenient to tuck these kinds of people underneath the CIO organization. CISOs began working for the CIO because, from the C-suite perspective, all of that technical stuff belonged in one basket, and the security people did not know how to talk to the business people.

As business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the CSO role began to gain popularity with business leaders because they needed someone to look at the entire business, not just cybersecurity risk to the business, but general security risk to the business. CSO Magazine launched in 2002 to cater to that crowd.

By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function for an organization. In other words, the CISO works for the CIO. This is not bad, per se, and this arrangement works in many organizations. The IT folks generally handle the daily automation functions while the security teams have more of an oversight role in terms of security architecture, policy, risk assessment, and security operations.

But since then, the industry has been in flux. Not every company is organized the same way. While the CIO role has made its way to the senior executive suite in some companies (Intel Corp. and McAfee to name two), that is by no means the norm. The CSO role is likewise lagging. Both tend to be lodged at the second tier of executives in many companies. And while it is not universal, the CISO tends to work for the CIO.

The Story

All of this history is essential background to the key messages in Baich’s book Winning as a CISO. He published it in 2005 and was quite rightly taking a look at where the CISO role was heading next. He organized the book as a fictional story about an established company in which the CEO had decided to hire his first CISO. His executive leadership team – the CIO, the general counsel, and the chief operating officer (COO) – had to decide what the new CISO’s responsibilities were and where this individual would fit in the organizational structure. Once the CEO made those decisions, the newly hired CISO had to decide how to execute this new role.

The Tech

The book is a quick read, with only 115 pages including the end credits, but it is a primer on what a CISO should do for any organization. In essence, any organization could use Baich’s book as a basic job description for a new CISO hire.

What Are a CISO’s Responsibilities?

When the story’s CEO brought his executive staff together to discuss the new position, he had them develop a list of responsibilities for the new hire. Here is the list:

  • Security Architecture
  • Incident Response
  • Security Awareness
  • Identity Management
  • Security Policy Development and Compliance
  • Due Diligence for Acquisitions and Mergers
  • Risk Management

I think this is a pretty good list of high-level responsibilities. Anything that comes up later that we might want the CISO to do can be easily shoehorned into one of these broad categories. Once the staff agreed to the responsibilities, the next step was to determine which senior executive should own them. In other words, which senior executive should the CISO work for?

To Whom Does the CISO Report?

All of the senior staff members had their perspectives. The CIO said, “The CISO should report to the IT Department because the focus of information security is related to technology. Information security solves technology related risks.” The general counsel said, “The CISO should report through the legal structure. [The] focus can be placed on compliance.” The COO said, “The CISO will have to collaborate with all departments, and everyone, including the sales team will benefit, but the team member who will need to utilize the resulting information the most will be the COO. A clear understanding of the operational risk factors will enable the successful CISO to present to the COO with a rubric of important options.”

The CEO weighed each of these perspectives and had a few of his own. He said that he did not want the new CISO to have to wrestle with any artificial organizational conflicts because he chose to put the position under one senior executive as opposed to another. He said that putting the CISO under the CIO had a number of problems, but the most important one was that it created a conflict of interest. “Reporting to the CIO would be like putting your boss on report.” The CISO’s job is to make things more secure, and sometimes that job may be in direct conflict with the CIO’s job of making things more efficient. With the CISO under the CIO, the organization automatically weights efficiency needs over security needs, and that obviates the reason to hire the CISO in the first place.

An opposing view comes from Forbes reporter Howard Baldwin. Baldwin complained in March 2014 that he did not like recent changes he was seeing within organizations that had broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives who can handle competing priorities. In other words, the CIO can handle making decisions between security and efficiency; that is what we pay a person in this position to do.

But that is not the point. In an interview by Jack Rosenberger, Eric Cole — founder and chief scientist at Secure Anchor Consulting — speculated on one of the reasons that may have contributed to the Target breach in 2014. Cole said, “It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”

Cole is pointing out that of the priorities the Target CIO had to juggle, security lost out. As Brian Krebs reported in the Guardian, “Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.” Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the now-resigned CIO and the now-fired CEO. Krebs suggests that in hindsight, because of the breach’s devastating impact to the business, the Target CISO should not have worked for the CIO. It should have been the other way around.

In Baich’s story, the CEO had reservations about putting the CISO under other staff organizations too. He said that putting the CISO under the general counsel “would potentially position the Information Security department as an arm of the audit department.” According to Baich, auditing support is something the new CISO should help with, but based on the responsibilities the executive staff developed, the CISO’s role is much bigger.

The CEO ultimately put the CISO under the COO. To him, it made sense that the CISO position be perfectly positioned to support the entire organization and not one specific staff element. I think this makes sense. If loss associated with security is something that will potentially materially affect the business, it makes total sense to raise the platform of the person in charge of it to have a view of the entire organization and the power to effect change. If that is the case, then what skill sets are needed for the person who takes on that responsibility?

What Skill Sets Does a CISO Need?

Once he decided whom the CISO should work for, the CEO turned again to his senior staff to determine what skill sets would be essential for success. Without fanfare, Baich lists these five attributes:

  • Must have an MBA
  • Prior budget or P&L experience
  • A proven ability to lead an effective information security organization
  • Experience and skill as a change agent
  • Ability to serve as an information security expert for the executive team

The last three skills are fairly standard for many senior job positions in any organization. The first two are where Baich is providing some innovative thinking. Requiring an MBA and P&L experience for a CISO, as a mandatory requirement, is not the common thinking in the industry, but it is spot on for where the industry needs to go. As I said earlier, most CISOs have come up through the technical ranks and have little if any business experience. This is probably the main reason that security teams and business teams have a hard time communicating with each other. By requiring a CISO to have business experience first, Baich flips the typical experience equation on its head. Instead of training highly technical employees to be proficient in business concerns at the mid- to latter parts of their careers, he is suggesting that we take traditional business people and train them to be proficient in managing security operations.

“If performing vulnerability assessments, configuring firewalls, and performing network forensics makes you happy then becoming Chief Information Security Officer may not be the right career choice for you.”

Just like a traditional business person might find himself or herself as a general manager, product manager, finance officer, or marketing officer, Baich is suggesting we add security officer to the list, and I agree with him.

How Do You Be a CISO?

In Baich’s story, the CEO placed the CISO under the COO in order to give the position a matrixed view of the business. In that kind of environment, how does a CISO succeed? In spite of all the listed responsibilities this CISO has for the organization, Baich says that the most important implied responsibility for the CISO is running his or her organization like a business. The CISO needs to become the general manager of the security program.

“Ultimately, the success of any business, new or old, depends on a leader’s ability to build a team, market and sell the product, and run the business, still meeting the established measurements necessary to effectively operate the business.”

Although the CISO in this story will bring in no revenue, this individual has to demonstrate to the business leadership the value of the position in other ways. The CISO must become a world-class internal marketing person for every aspect of the security program. It is not enough to make the organization more secure. The CISO’s efforts to do so must demonstrably show how the security program is helping the organization grow.

Conclusion

Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how to think about these topics. Baich published the book in 2005. Back then, there was not a lot of impetus to change the current situation, and I do not see the industry adopting these ideas any time soon. But with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to make a change. It is obvious that the way we are doing it now is not working. Because of Baich’s innovative thinking about the next step in the evolution of the CISO role, Winning as a CISO is Cybersecurity Canon-worthy, and you should have read it by now.

[Palo Alto Networks Blog]

Insider Threat, Shadow IT Concerns Spur Cloud Security

Surveys show cloud tops 2015 priorities.

As security professionals prioritize for 2015, cloud security initiatives once again sit on top of their to-do lists. According to two surveys out in the past week, insider threat and shadow IT concerns continue to thrust cloud security to the forefront, with cloud identity and access management and cloud governance among those controls needing the most help.

“As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the Cloud Security Alliance, which together with vendor Skyhigh released a report that showed cloud security as the top security priority for IT organizations in 2015.

The highlights from the survey detailed in that report showed that only about 8 percent of organizations today believe they truly know the scope of unauthorized cloud purchasing—so-called shadow IT. This jibes with findings in another report released last week from Netskope, which showed that IT professionals constantly underestimate the extent of shadow IT in their organization—with organizations estimating one-tenth of the actual number of apps found by cloud app audits.

This poses scary consequences as organizational data exits corporate boundaries within unsanctioned apps. For example, 17 percent of organizations last year experienced an insider incident, according to the CSA report, and 15 percent of corporate cloud users have had their credentials compromised, according to the Netskope report.

Part of the reason this situation has arisen is that security organizations are ill-equipped to help their businesses move quickly toward the cloud through well-crafted and balanced cloud governance policies. According to the CSA survey, about a third of organizations today are full-steam ahead with cloud adoption and 51 percent of respondents feel pressured to approve services that don’t meet security or compliance requirements. But just 16 percent of organizations have a fully enforced cloud governance policy.

What’s more, even among organizations with policies or in the middle of creating a policy through a cloud governance committee, just 43 percent of them include line-of-business representation.

“Employees today have shifted from thinking of apps as a nice-to-have to a must-have, and CISOs must continue to adapt to that trend to secure their sensitive corporate and customer data across all cloud apps, including those unsanctioned by IT,” says Sanjay Beri, CEO and founder of Netskope.

As the CSA concludes in its report, IT in 2015 must find better ways to govern data in the cloud similar to data on premises. Not only will that take investment in enforcement technology, but also collaboration with the very stakeholders who are driving cloud adoption in the first place.

“IT will also need to work more collaboratively with business users to understand the motivations behind shadow IT and enable the cloud services that drive employee productivity and growth in the business without sacrificing security,” the report concludes.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. 

[DarkReading]

Cloud Services Adoption: Rates, Reasons & Security Fears

Concern over data breaches and privacy are two reasons enterprises in the European Union didn’t increase their use of cloud services in 2014, according to the EU’s recent Eurostat report.

“Heaven’s not beyond the clouds, it’s just beyond the fear.” – Garth Brooks

A lot of Europeans believe that the European Union is really an employment scheme for bureaucrats who want to live in Brussels — which is, admittedly, a nice place to live. But for those of us in the analyst business, the EU is one of our best sources of the data we need to advise people on their technology needs.

I firmly believe that cloud services are no longer optional. Any business, large or small, needs cloud services to both remain competitive as well as to get better control over its bottom line. So I eagerly looked forward to the release last month of the EU’s Eurostat report on “Cloud computing – statistics on the use by enterprises,” which was broken out by country.

It wasn’t really a surprise that Finland led the way, nor that Hungary, Bulgaria, Greece, Poland, Latvia, and Romania were the trailers among the 28 member states. What was surprising, though, was the low percentages of adoption. Finland, the leader, barely passed 50% when counting those enterprises that used at least some cloud services. Those listed above as “trailers” were all under 10%. And the seemingly “advanced” countries of France, Austria, and Germany barely reached above the trailers, coming in at 11 to 12%.

When broken out by sector, information and communication were, not surprisingly, the leaders at 45%, followed by professional, scientific, and technical activities at 27%. Enterprises reported that they relied on the cloud mainly for their email services (66%) and, in second place, for file storage (53%).

Those organizations already using cloud services viewed the fear of security breaches as the main reason they hadn’t increased their use. In light of the spectacular breaches (such as Sony’s) revealed recently, that’s not an unwarranted fear. Well, until you realize that it was datacenter — and not cloud — resources that were stolen in the Sony incident.

Another fear is the proliferation of data privacy issues among the various member countries of the EU. That, and the various spying revelations that have come from the Snowden incident, have made a number of enterprises wary of putting personal and privileged information into the cloud. It was hoped that a new EU Data Protection Regulation would clear up the privacy issues when it was promulgated this year, but there are now fears that serious differences remaining between the European Parliament and the 28 member states will push the regulation into 2016, further clouding (pun intended) the issue for commercial organizations.

But by far the biggest surprise, to me, in the Eurostat survey was the reason given by those enterprises that have yet to use any cloud services as to why that is so; for the 81% of European enterprises not using the cloud, the main stumbling block was insufficient knowledge of cloud computing! In fact, though, while there are many good reasons for adopting cloud services, there is little guidance for planning it. The first step is for companies to take a strategic approach to cloud migration rather than a tactical response to business unit demands.

Once the strategy is in place, a clear definition of the business objectives of cloud-based services can be developed, the attendant risks can be quantified, the necessary policies for operating in the cloud can be documented, and board-level direction of cloud adoption can occur. Then the pitfalls can be avoided.

You need to know that with cloud services, as with most things in your corporate life, ignorance can be fatal.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe’s leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.

[DarkReading]

Implementing Cybersecurity with NIST Cybersecurity Framework and COBIT 5

Cybersecurity risks, like financial and reputational risks, are business risks. The NIST Cybersecurity Framework (CSF) focuses on the use of business factors that guide the activities to respond to cybersecurity risks as an integral part of the organizational risk management processes.

The framework consists of three parts:

  • The framework core
  • A framework profile
  • Framework implementation tiers

The Framework Core

The framework core is a set of cybersecurity activities, desired outcomes and references that are common to all critical infrastructure sectors. It provides detailed guidelines for the development of individual organizational profiles.

A Framework Profile

Through the use of profiles, the framework will help the organization align cybersecurity activities with business requirements, risk tolerance and resources.

Framework Implementation Tiers

Framework implementation tiers provide a mechanism for organizations to observe and understand the cybersecurity risk and the processes in place to manage that risk.

Since the framework refers to recognized global standards for cybersecurity, it can be used by any organization and can serve as a model for international cooperation in strengthening cybersecurity for critical infrastructures.

Organizations have unique risks, different threats, different vulnerabilities and varied risk tolerances, all of which will influence how the practices of the framework are implemented.

Definition of Critical Infrastructure

Critical infrastructure can be defined as systems and assets so vital that the incapacity or destruction of such systems and assets would have a critical impact on national economic security or public health or safety, or any combination of those matters.

The CSF offers a risk-based approach that uses metrics to continuously improve cybersecurity. Though it was originally intended to support critical infrastructure providers, it is applicable to any organization wishing to manage and reduce cybersecurity risk. The CSF helps improve the risk management of each organization and ultimately reduces cybersecurity risk worldwide.

As part of its Cybersecurity Nexus (CSX) program, ISACA offers a step-by-step guide for the implementation of NIST CSF. The activities and processes that are proposed can help to determine what to do in each phase, but are not prescriptive and should be adapted to meet individual organizational goals:

  • CSF Step 1: Prioritize and Scope: COBIT Phase 1: What are the drivers?
  • CSF Step 2: Orient
  • CSF Step 3: Create a Current Profile: COBIT Phase 2: Where are we now?
  • CSF Step 4: Conduct a Risk Assessment
  • CSF Step 5: Create a Target Profile: COBIT Phase 3: Where do we want to be?
  • CSF Step 6: Determine, Analyze and Prioritize Gaps: COBIT Phase 4: What needs to be done?
  • CSF Step 7: Implement Action Plan: COBIT Phase 5: How do we get there?
  • CSF Action Plan Review: COBIT Phase 6: Did we get there?
  • CSF Lifecycle Management: COBIT Phase 7: How do we keep the momentum going?

The challenges and opportunities lead to risk assessments and priorities, and foster organizational commitment and ownership. Thus, successful governance and management processes are institutionalized in the organizational culture.

Juan Carlos Morales, CISA, CISM, CGEIT, CRISC
IT governance and risk management consultant and trainer
COBIT 5 accredited trainer

[ISACA]

Cybersecurity Canon: Your Vote Counts

The Cybersecurity Canon is official, and you can see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 25 books on the candidate list and we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite – we’re actively soliciting your feedback!

Coming soon: You will get the chance to vote on which books you want to see join Parmy Olson’s We Are Anonymous in the Cybersecurity Canon.

Public Internet voting opens on February 1, so watch this space to find out how to vote for your favorite cybersecurity book. Winners will be inducted into the Canon at the Awards Ceremony during the Ignite Conference in Las Vegas on April 1, 2015.

Don’t see your favorite cybersecurity book on the candidate list? You should submit it for consideration.

[Palo Alto Networks Blog]
