How the Role of the CSO is Fundamentally Changing, Part 2

In Part 1 of this series I talked about the evolution of the CSO role and how security shouldn’t be subservient to all other operations in all cases. Let’s dig a little deeper into why this is so.

Should Physical and Digital Security Merge or Be Kept Separate?

I understand why organizations have these two separate security groups. Before the Internet days, the CISO function didn’t really exist, and the physical security function was usually relegated to the bottom of the leadership chain. You needed guards and fences and things like that, but those kinds of operations were commodity items, like power to the building, trash pickup or other maintenance roles. You needed them, but once you established them, they did not materially affect the business even if they failed for a day or two (in most cases). Because of this, Physical Security tended to fall under the Facilities Management groups.

We’ve talked about the Internet of Things, though, and boy, does that change the situation. Everything is interconnected. Just like every other organization in the business, the physical security groups have a lot of IT security components, from badges to IP-enabled surveillance cameras. These groups and their electronic tools could still operate by themselves, but it makes sense that business leadership tasks somebody in the company to make sure that these tools are compatible with the approved security architecture plan. In my mind, that is the CSO organization.

Just like the idea that there is no such thing as cyber risk to the business, only risk to the business, I don’t think there is a need for separate cyber security and physical security teams. In this day and age, it is all security. Just for ease of management, it makes sense to keep it all under one umbrella. My perfect organization would have a CSO in charge of all security of the company, with the CISO under that person with a dotted line to the CIO. The Physical Security Director would also work for the CSO but by design would have a close working relationship with the CISO.

CSO and IT: A Healthy Tension

There has always been a healthy tension between the IT people and the security people in an organization. The IT folks are concerned about security, for sure, but they are often more concerned with keeping the systems running and squeezing as much cost out of any particular project as they can. And that is what they should be doing. Meanwhile, the security people are more focused on business risk, not just for IT projects but for every aspect of the business: HR, Legal, Operations, Finance, Strategy, Marketing, and Sales. Most of these other business functions have an IT-security component, but cyber risk is not the only risk that leaders have to monitor.

Sometime in the mid-2000s, it became convenient to tuck the security function for an organization under the IT function of the organization. In other words, the CISO works for the CIO. This is not a bad idea, per se, and is an arrangement that works in many organizations. The IT folks generally handle the day-to-day automation functions while the security teams perform more of an oversight role in terms of security architecture, policy, risk assessment and SOC Operations. But to me, that kind of organization shows that company leadership does not fully understand the larger problem. We are not talking about only Cyber Risk to the business. We are talking about risk to the business.

Forbes’ Howard Baldwin back in March complained that he did not like recent changes he was seeing within organizations that have broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives that can handle competing priorities. But that is not the point – something that was really underscored in the investigation following the Target breach.

In an interview by Jack Rosenberger, Eric Cole, founder and Chief Scientist at Secure Anchor Consulting, speculated on one of the reasons that may have contributed to the Target breach:

“It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”

Cole is pointing out that in all of the priorities that the Target CIO had to juggle, security lost out. And as Brian Krebs reported in the Guardian in May,

“Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.”

Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the former CIO and CEO. Krebs suggests that in hindsight, because of the devastating impact to the business, the Target CISO should not have worked for the CIO – that it should have been the other way around.

Check back for Part 3 of this series, where we’ll talk about the role of the CSO in relation to the rest of the C-suite.

How the Role of the CSO is Fundamentally Changing, Part 1

The job description for the people that are responsible for IT security within an organization has been in a state of flux for over a decade. Since Steve Katz became the first CISO back in 1995, both business leaders and the security industry in general have been thinking and rethinking the need for such a person and the responsibilities that he or she should have.

The Evolution of the CSO

Citigroup became the first commercial company to recognize the need for the brand new corporate CISO role when they responded to a highly publicized Russian malware incident. As cyber threats continued to grow in terms of real risk to the business and in the minds of the general public, business leaders recognized the need to dedicate resources to manage that risk.

The first practitioners came out of the technical ranks — the IT shops. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world. But this was a new thing for the techies: trying to translate technical risk to a business leader not versed in IT security did not always go very well. That’s when it became convenient to tuck these kinds of people underneath the Chief Information Officer (CIO) reporting organization. CISOs began working for the CIO because, from the C-Suite perspective, all of that “technical stuff” belonged in one basket.

But as business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the Chief Security Officer role began to get popular with business leaders because they needed somebody to look at the entire business — not just the cyber security risk to the business but the general security risk presented by any one or a combination of those challenges. CSO Magazine launched in 2002 to cater to that crowd [21], and in 2004 the American National Standards Institute accredited the Certified Information Systems Security Professional (CISSP) program, through which Information Assurance practitioners could get certified in a recognized, agreed-upon set of skills.

Since then, the industry has been in flux. Not every company organizes the same way. While the CIO has made it into the executive suite in some companies (Intel, for example), that is by no means the norm. The Chief Security Officer is likewise not yet a fixture, but I suspect that situation is changing. Let’s talk about why.

CSO/CISO As A Distinct Role

The CISO role has emerged in the last five years as the de facto role to manage cyber security. If there isn’t somebody in the organization with the title of CISO, there is somebody in charge of IT security. This person generally works for the CIO, but not in all cases. I do a lot of traveling around the world, talking to customers and speaking at security events. From speaking with many CISOs, CSOs and CIOs, the community has decided that the IT groups handle the day-to-day IT operations while the security groups have much more of an oversight role: risk assessment, incident response, policy controls, etc. This means that the IT groups keep the firewalls up and running while the security groups are monitoring the logs and advising the CIO on security architecture and policy.

I don’t think this is the right model, either. In this modern world, I do not believe that security should be subservient to operations in all cases. Yes, the company has to keep its servers operational, but that does not imply that if push comes to shove, security is the first thing that we turn off in order to maintain operations.

For companies that understand risk to the business, security and operations are peers. Over Parts 2 and 3 of this series, I’ll explain why this is so important.

Palo Alto Networks has just received the “2014 Asia Pacific Network Security Vendor of the Year” award from Frost & Sullivan

Singapore, 26 June 2014 – The shining stars in Asia’s ICT industry received due recognition at the 11th annual Frost & Sullivan Asia Pacific ICT Awards held at the Alkaff Mansion earlier this evening.

In its 11th consecutive year, the Frost & Sullivan Asia Pacific ICT Awards program seeks to recognize companies and individuals that have demonstrated best practices in their industry, commending the diligence, commitment, and innovative business strategies required to advance in the global marketplace.

At the Frost & Sullivan Asia Pacific ICT Awards, a total of 37 awards across 4 categories were presented. Esteemed award recipients include BT, Managed Service Provider of the Year; Huawei, Telecom Equipment Vendor of the Year and Masayoshi Son, SoftBank Chief Executive Officer as Service Provider CEO of the Year.

“Against the background of the ever changing ICT industry, these leading companies have demonstrated a commitment to best practices, be it through customer appreciation, product and service innovation. These factors, together with sound business strategies and a robust business model have made them worthy industry leaders in Asia Pacific as they shape the ICT landscape of this region,” said Manoj Menon, Senior Partner and Managing Director at Frost & Sullivan Asia Pacific.

Frost & Sullivan identifies outstanding industry achievements in the past year by companies in regional and global markets, through in-depth interviews, market analysis, performance measurements, and benchmarking of market participants to bring unique best practices to the forefront.

Award recipients are evaluated based on their revenue growth, market share gains, leadership in new product introduction and innovation, breadth of products and solutions, major customer acquisition, and business and market strategy.

The results are then presented to an independent panel of judges, comprising influential personalities, decision-makers and thought leaders from the ICT sector across Asia Pacific. To view the complete list of judges on the 2014 ICT Awards judging panel, please visit http://ict-awards.com/judges.shtml

For more details on the 2014 Asia Pacific ICT Awards, log on to http://www.ict-awards.com/ or follow #apictawards on Twitter. You can also connect with Frost & Sullivan on social media, including Twitter, Facebook, SlideShare, and LinkedIn, for the latest news and updates.

Media partners for the Frost & Sullivan Asia Pacific ICT Awards include CIO Asia, Top 10 of Asia, Telecoms Watch and Asia Pacific Broadcasting magazine.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants.

Our “Growth Partnership” supports clients by addressing these opportunities and incorporating two key elements driving visionary innovation: The Integrated Value Proposition and The Partnership Infrastructure.

  • The Integrated Value Proposition provides support to our clients throughout all phases of their journey to visionary innovation including: research, analysis, strategy, vision, innovation and implementation.
  • The Partnership Infrastructure is entirely unique as it constructs the foundation upon which visionary innovation becomes possible. This includes our 360 degree research, comprehensive industry coverage, career best practices as well as our global footprint of more than 40 offices.

For more than 50 years, we have been developing growth strategies for the global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?


Media Contact:

Melissa Tan
Corporate Communications, Asia Pacific
P: +65 6890 0926
E: melissa.tan@frost.com

http://www.frost.com

2014 Frost & Sullivan Asia Pacific ICT Awards Recipients

ENTERPRISE VENDORS
Network Security Vendor of the Year: PALO ALTO NETWORKS
Web Security Vendor of the Year: BLUE COAT
Web Application Firewall Vendor of the Year: IMPERVA
Advanced Persistent Threat Solution Vendor of the Year: FIREEYE
Application Delivery Controller Vendor of the Year: F5 NETWORKS
Unified Communications Vendor of the Year: MICROSOFT
UC as a Service Vendor of the Year: BT
Enterprise Video Vendor of the Year: POLYCOM
Collaboration Service Provider of the Year: ARKADIN
Contact Center Applications Vendor of the Year: VERINT
Contact Center Outsourcing Service Provider of the Year: TELEPERFORMANCE
Business Process Outsourcing Service Provider of the Year: TATA CONSULTANCY SERVICES
Data Communications Service Provider of the Year: TATA COMMUNICATIONS
Data Center Service Provider of the Year: NTT COMMUNICATIONS CORPORATION
Software as a Service Provider of the Year: SALESFORCE.COM
Infrastructure as a Service Provider of the Year: AMAZON WEB SERVICES
Telecom Cloud Service Provider of the Year: TELSTRA
Managed Service Provider of the Year: BT

TELECOMS VENDORS
Telecom Carrier Data Infrastructure Vendor of the Year: HUAWEI
Telecom Optical Vendor of the Year: ALCATEL-LUCENT
Fixed Broadband Equipment Vendor of the Year: HUAWEI
Telecom OSS Specialist Vendor of the Year: NETCRACKER
Telecom BSS Specialist Vendor of the Year: NETCRACKER
Telecom OSS/BSS Vendor of the Year: HUAWEI
Mobile Social Network of the Year: LINE CORPORATION
eCommerce Provider of the Year: ALIBABA
Telecom Equipment Vendor of the Year: HUAWEI

SERVICE PROVIDERS
LTE Service Provider of the Year: NTT DOCOMO, INC.
M2M Service Provider of the Year: TELSTRA
Emerging Market Telecom Service Provider of the Year: DIALOG AXIATA PLC
Most Innovative Telecom Service Provider of the Year: PT XL AXIATA TBK
Fixed Broadband Service Provider of the Year: TELEKOM MALAYSIA BERHAD
Wireless Service Provider of the Year: TELSTRA

BEST OF THE BEST
Telecom Service Provider of the Year: SOFTBANK TELECOM CORP.
Telecom Group of the Year: AXIATA GROUP BERHAD
Telecom Service Provider CEO of the Year: MASAYOSHI SON, SOFTBANK TELECOM CORP.

[Source: Frost & Sullivan] – http://www.frost.com/prod/servlet/press-release.pag?docid=291223374

ISACA International President: Teamwork is the goal for 2014-2015

Hundreds of millions of people around the world, including me, are cheering on the football games that comprise the 2014 FIFA World Cup, which bills itself as the biggest single-event sporting competition in the world. This is truly a global force of an event, with 204 entries across six continents competing for 31 available spots in the finals.

As I watched a recent close football match, it was clear that no matter what a sports organization (or governmental agency or enterprise) does as its core business, its relevance, value and reach depend on the team members driving strategy and activities forward. This is true for ISACA as well, and it is one more reason I am so honored to be elected international president and work with an excellent board of directors. The time and expertise they volunteer for the benefit of ISACA members is truly amazing. We recently installed our 2014-2015 ISACA Board of Directors and I would like to recognize them individually.

Reelected vice presidents are:

  • Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, security strategist and evangelist at Dell Software, Spain
  • Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, inspector general of the US House of Representatives, USA
  • Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, partner of M/s. Kumar & Raj and director at Pristine Consulting Private Limited, India

Newly elected vice presidents are:

  • Steven Babb, CGEIT, CRISC, ITIL, technology risk management, compliance and assurance leader at Vodafone, UK
  • Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, managing consultant at BAE Systems, Australia
  • Rob Clyde, CISM, CEO of Adaptive Computing, USA

Directors are:

  • Debbie Lew, CISA, CRISC, executive director within Ernst & Young LLP Advisory practice, USA
  • Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC, CEO of Focus Strategic Group Inc., Hong Kong
  • Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001, IT consultant in Latin America, Mexico

These ISACA leaders represent a diverse cross-section of geographies, industries and expertise, and I am confident that together we will serve our members and other constituents with drive, dedication and direction throughout the year.

As a team, we will accomplish several key activities this year:

  • We will continue to focus on cybersecurity. Through the Cybersecurity Nexus, we will do for the cybersecurity profession what we’ve done (and will continue to do) for assurance and governance.
  • We will also focus on providing tools and guidance on privacy, full-spectrum career development, expanded COBIT, and emerging business and technology.
  • We will serve our assurance base. Audit and assurance professionals founded ISACA 45 years ago and are still central to our mission to create trust and value through information and technology.
  • And, above all, we will provide more value to our members than ever before. We exist for you—to help you drive your careers and serve your enterprises. Be assured that you are at the forefront of every decision we make.

This is an era of incredible change and strategic advancement for ISACA, especially as our new CEO, Matthew Loeb, takes the helm of the ever-growing and evolving association in early September. I look forward to Matt’s business acumen and eye for global service and growth. I also want to give a sincere thank you to Ron Hale, who stepped up and has served as ISACA’s acting CEO after the retirement of former CEO Susan Caldwell in 2013. Ron provided guidance and oversight for ISACA’s momentum over the past year and we deeply appreciate his contributions. I also want to thank our prior board members, who have shared so much of their knowledge, other global leaders, and all members, no matter your level of involvement, because you embody the spirit of ISACA.

I want to hear from you. Please follow me on Twitter at @RobertEStroud and share your comments below. This is going to be an exciting year for all of us. Together, just like the World Cup champion, we can achieve great things.

Robert E Stroud, CGEIT, CRISC
International President, ISACA and the IT Governance Institute

[Source: ISACA]
