Hiring Your First CISO: A How-to

ISACA Now recently talked to Joyce Brocaglia, founder and CEO of Alta Associates, an executive search firm specializing in Information Security, IT Risk Management and Privacy. Brocaglia shared her insider views on the process of hiring a first Chief Information Security Officer (CISO).

What are the top considerations when hiring an organization’s first CISO?
The most important thing companies must understand is why they have made the decision to hire a CISO in the first place. Clients frequently see the following scenarios:

  • They currently have someone managing security who is incapable of creating a comprehensive strategy.
  • They have a decentralized organization and want a CISO to develop a centralized organization.
  • Their board of directors or audit committee has concerns and recommends they install a CISO.

Each scenario influences the skills a successful candidate should possess. After understanding why they are hiring a CISO, they must determine where the role sits in the organizational chart, its budget, team makeup and compensation.

What should an organization look for in CISO candidates?
First-time CISOs must have immediate credibility within the organization. That means they should hit the ground running, assess the current state of the information security program, and create a roadmap for moving forward. Typically their initial 90-day goals are to meet key stakeholders, understand organizational needs and identify low-hanging fruit. That means the candidate must be client-facing and collaborative, while also possessing the requisite technical skills. Many successful first-time CISO candidates are currently second in command at larger, more mature organizations. Candidates who are interested in building an organization, have a holistic approach to risk and can articulate technical issues in business terms are best suited for this role.

What is the process for a best-in-class CISO search?
Although many companies consider doing the search themselves, given the demand for CISOs and the complexity of the role, they are best served by retaining an executive search firm specializing in information security. Many firms have recently recognized the potential revenue in cybersecurity recruiting and claim to be specialists, so buyer beware. Hiring managers and talent acquisition executives should thoroughly interview search firms and ask for examples of recent similar successful searches and references.

A track record and trusted network of industry relationships are keys to successful CISO searches. The hiring company should be confident in the recruiting firm’s knowledge of market data on compensation, its ability to understand their culture and its network to provide a diverse slate of qualified candidates. With extreme demand for well-qualified candidates, an inverse relationship exists between the length of the interview process and likelihood of acceptance. Organizations should streamline the process by ensuring interviewers understand the CISO role and responsibilities, and remember to sell the benefits of joining the team. Our firm sets up a launch call with the hiring manager and key stakeholders, provides a slate of spot-on candidates within the first 15 days, has biweekly update calls and partners to find the best possible candidate in a timely manner.

How is the CISO position established in an organization?
The decision to hire a CISO usually comes from the board of directors or C-suite executives. Some become uncomfortable with their organization’s risk level. Others respond to a breach, an audit or consulting firm recommendation. Some recognize the need to be proactive about security and keep their company out of the headlines. The executive team must ensure the new CISO is positioned high enough in the organizational chart. Most companies have the CISO report directly to the CIO. They also need to provide the CISO executive sponsorship and support in an active, public way internally and externally to demonstrate the company has prioritized cybersecurity and the CISO role. This supports the CISO’s efforts to influence the culture changes often required in organizations that had not previously considered information security an important differentiator and contributor to success.

Editor’s note: The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at news@isaca.org.

Joyce Brocaglia, Founder/CEO, Alta Associates

[ISACA Now Blog]

From Control to Enablement: Key Lessons From the IT Audit Director Forums

Digital transformation, emerging technologies, cybersecurity, Internet of Things (IoT), increased adoption/understanding of technology by business areas and other trends are having a huge impact on organizations and the IT audit profession.

Speed to market and innovative implementation of technologies are more important today than even five years ago. It’s innovate or perish. At the same time, organizations are intent on increasing their understanding of cybersecurity threats and managing their exposure.

Enterprises want to guarantee that their capital investments are of high quality, address and/or create market demands, and do not expose themselves to cyber threats. The world of audit and assurance is evolving quickly to ensure that these challenges are met.

Changing IT Audit’s Perspective
Organizations are looking to IT auditors to not only ensure quality but also realize the positive potential of technology. By leveraging new technologies to measure quality and ensure compliance and proper operations, the assurance profession will continue to play a critical role in the success of organizations. Fundamental to this thinking is changing our perspective from one of control to one of enablement. This change raises numerous important questions:

  • How are your peers addressing the evolution to enablement?
  • How have they redefined their roles to be enablers?
  • What can ISACA do to help with this evolution?
  • How do we facilitate discussion among our stakeholders to address these emerging and highly relevant topics?
  • Do we have the right skilled people in the right positions to provide the value that organizations require from us?
  • How do we retool our existing audit professionals?
  • How do we attract the best talent and then keep them motivated and committed?

We’ll be discussing these very issues during a live webinar entitled Key Lessons from the IT Audit Director Forums on Tuesday, 14 June, at 11 a.m. (CDT).

IT Audit Thought Leadership
ISACA has been hosting IT Audit Director Forums at our CACS conferences as a way to present thought leadership from key experts, gather constituent insights and challenges, and facilitate discussions around topics chosen by our constituents. The IT Audit Director Forums facilitate and encourage peer-to-peer discussions around relevant topics, such as the impact of data analytics and IoT on the assurance profession.

During this webinar, we will walk through the key lessons of the most recent IT Audit Director Forums and identify the top challenges that you face today and in the future. If you were unable to attend the IT Audit Director Forums at the recent CACS conferences, I highly recommend that you attend this webinar. This is a great opportunity to hear what your peers are doing, their concerns and their solutions.

This is an exciting and challenging time within the IT audit profession as organizations work to meet the challenges of digital transformation and other critical issues. It’s up to us as professionals to help lead the way. In the future, we would like to hear from you on the biggest challenges you face and how we at ISACA can provide the right tools, templates, knowledge assets and research to help you.

Frank Schettini, Chief Innovation Officer, ISACA

[ISACA Now Blog]

CISA, Audit Thyself

It is 9:30 p.m. on Sunday—Mother’s Day. I am in my home office reformatting my laptop as a result of a mysterious Windows 10 EVENT_TRACING_FATAL_ERROR. As I sit at my desk playing Mahjong on my cell phone and cursing Bill Gates, I wait for Windows 10 to reload and check for updates. Thank goodness I keep all of my data on a separate hard disk. As I sigh with exasperation, my husband’s voice sounds from the other room as he suggests “Just restore it to the last point that worked.” Silence. “You do create restore points before you load updates, don’t you?” he asks, snickering. I growl under my breath and respond “No” in a tone that grudgingly implies that I did not and never have.

Oh, did I mention that I am a home-based worker? If I have technology issues, I am 1,900 miles away from my office, so I can’t just hop in the car and get somebody else to fix my problems.

By now you might be wondering why, as an IS auditor, do I not practice what I preach?

I know that my problem, if not caused by my own ignorance, was at least exacerbated by not following the best practice of creating a restoration point. If creating backups of data is a prerequisite for recovery,1 then the corresponding code and system configuration should also be required for successful recovery. However, lest you think I am a complete Luddite, please know that I do back up my confidential data to a separate hard disk not connected to the Internet and use a personal cloud as a backup for non-confidential data. I also have a UPS, several extra modems and routers, and a backup laptop. In case my Internet goes down, I even have a nifty business resumption plan (e.g., go to Starbucks, enjoy a latte, and use their free Wi-Fi). Yet why, despite my education, certification and years of experience in IS auditing, do I place my systems at risk by employing some best practices while blatantly ignoring others?

Cost was obviously not a factor as creating a restore point is a built-in Windows OS function. Nor is lack of understanding the ramifications of failing to employ restoration points. As far as I can tell, my only excuse for failing to create a restoration point was my perception of the risk of OS failure being low compared to other types of risk, such as loss of connectivity or data loss.

An individual’s willingness to adopt or to reject an IT control is reliant not only upon the real security risk, but also the perceived risk.2 Perception plays a far more important role in decision making than we realize. This means that some people (and organizations) will accept the possibility that something might happen rather than use precious resources to implement controls to prevent it. This false optimism is simply human nature,3 and sometimes it is only after experiencing the pain of one’s actions (or lack thereof) that individuals and organizations change.

How can we, as CISAs, ensure our clients perceive the real risk? As IS auditors, it is important that we understand why our clients might be resistant to change and reluctant to employ controls. If we can relate to them, then perhaps we can more effectively communicate our recommendations. After all, isn’t auditing another method of education?

At the very least…I might start taking my own advice.

1  ISACA, CISA Review Manual, USA, 2009
2  Huang, Ding Long, Pei-Luen Patrick Rau, Gavriel Salvendy, “Perception of information security,” Behaviour & Information Technology 29 (3): 221-232, May 2010
3  University of Kansas, “People By Nature Are Universally Optimistic, Study Shows,” Science Daily, 5 May 2009, www.sciencedaily.com/releases/2009/05/090524122539.htm

Stephanie Mahlig, CISA, MIS, Information Risk Management Technician, Allstate Insurance Company, Northbrook, IL

[ISACA Now Blog]

Cybersecurity Is Not a Cost – Leverage the Fourth Industrial Revolution for Economic Growth

On June 7, 2016, Palo Alto Networks held an international cybersecurity conference in Tokyo called Palo Alto Networks Day. Over 1,200 participants from government organizations and industry came together to learn about the latest global trends in cybersecurity, threat intelligence, legal and policy issues as well as to look for networking opportunities with each other. Compared to last year, the size of this year’s conference almost tripled – highlighting the ongoing importance of and interest in cybersecurity.

Multiple participants shared challenges they face in getting their leadership and management teams’ buy-in to invest in and commit to cybersecurity technology and the people and processes needed to defend their organization against cyberattacks. Some struggle with keeping their executives up to date on new cyberthreats that are attacking today’s organizations. Until recently, most executives didn’t often consider cybersecurity in the context of their most common concerns, such as managing risk, preserving business operations and hitting sales targets. Because new threats are “unknown,” they often cannot attract enough attention from executives to take any immediate action to pay for “unknown costs.”

This is understandable. It is hard to invest resources in something not easily measurable when we have multiple things to worry about in today’s complicated and interconnected world. Nonetheless, it is also true that cyberattackers take advantage of such a mindset. This means culprits can keep winning as long as they adjust the ways they mount successful cyberattacks for the purpose of stealing proprietary information, customers’ personal data, sensitive government intelligence, or even crippling the operations of critical infrastructure to harm people.

During Palo Alto Networks Day, Mark McLaughlin, our chairman, president and CEO, reiterated the importance of automated prevention and the sharing of threat intelligence, saying that it is crucial to take unknown threats, turn them into known threats, and share the threat intelligence as openly and quickly as possible to bring greater security to the world. The Cyber Threat Alliance and Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two good examples of organizations that use sharing frameworks to provide threat intelligence among member companies in the same industry. Their efforts jointly raise awareness at the global cybersecurity level and bring greater value to their customers in the form of protection from advanced cyberattacks.

William H. Saito, Special Advisor to the Japanese Cabinet Office and vice chairman of Palo Alto Networks K.K. pointed out that this kind of framework may sound odd to traditional business minds; some businesses would rather keep what they know than give it up for free, because information can be a source of power. However, that action may lead to the loss of an opportunity to utilize the information to protect other companies within the same industry against similar cyberattacks. The global threat of cyberattacks is too great not to share threat information among peers.

The U.S. defense and intelligence communities learned this the hard way during the 9/11 terror attacks, which prompted the paradigm shift from “need-to-know” to “need-to-share” to make relevant threat intelligence available to all stakeholders as soon as possible. Such a revolutionary change is needed for cybersecurity as well. Bad guys – whether cybercriminals, hacktivists, terrorists or state actors – work organizationally, tactically and strategically to achieve their adverse goals by cyber means. Defenders also need to collaborate in the same manner to increase the cost of successful cyberattacks – and make that cost prohibitive for attackers.

Second, organizations must switch from reactive defense to proactive and automated prevention. This does not mean denying the importance of incident response. Since there is no 100 percent effective security, incident response is an indispensable part of cyber resiliency. Automation allows defenders to compress the time needed for incident response, which otherwise involves time-consuming manual work, and ultimately reduces the cost of cyber defenses.

The World Economic Forum argues that the Fourth Industrial Revolution relies on digital technology to push the global economy and quality of life forward. The concept is dependent on people’s trust in the Internet. In his keynote speech, former Internal Affairs and Communications Minister Heizo Takenaka observed that economies are increasingly connected and only security can make them robust and successful. If people lose confidence in Internet security and use it less, the strength of the global economy will be diminished. In the 21st century, cybersecurity is not simply a cost as some people believe. Cybersecurity is, in fact, leverage to drive the Fourth Industrial Revolution.

[Palo Alto Networks Research Center]