Top 3 Malware Bogeymen Keeping CISOs Up at Night

What keeps CISOs up at night? Of all the cyberthreats, malware sends chills down a CISO’s spine, according to The CyberEdge Group’s recently released 2016 Cyberthreat Defense Report. Malware bogeymen come in many shapes and sizes. Here are three of the most nefarious in their respective categories:

Ransomware: CryptoWall
Ransomware has come a long way since 1989, when the AIDS Trojan first encrypted a user’s hard drive files and demanded money to unlock them. The latest version of CryptoWall, the most significant ransomware threat in the States, not only encrypts the file, it also encrypts the file name—making it a challenge to even find “kidnapped” files.

CryptoWall cost victims more than $18 million in losses in a single year, according to the FBI. While individual ransom fees are typically only $200 to $10,000, additional costs can include loss of productivity, mitigating the network, incorporating security countermeasures, and purchasing credit monitoring services for employees and/or customers.

Banking Trojan: Dyreza
Banking Trojans use a man-in-the-browser attack. They infect web browsers, lying in wait for the user to visit his or her online banking site. The Trojan steals the victim’s authentication credentials and sends them to the cyberthief, who transfers money from the victim’s account to another account, usually registered to a money mule.

For nearly a decade, the ZeuS Trojan conducted a reign of terror in the banking world. Even after Europol took down the Ukrainian syndicate suspected of operating ZeuS in 2015, new strains kept appearing. But it seems ZeuS has met its match in Dyreza (aka Dyre, aka Dyzap). More than 40% of banking Trojan attacks in 2015 were by Dyreza, according to Kaspersky Lab’s 2015 Security Bulletin. Dyreza’s one-two punch? It can now attack Windows 10 machines and hook into the Edge browser.

Mutant Two-Headed Worm: Duqu 2.0
There isn’t an official category yet for the most sophisticated malware seen to date. At a London press conference announcing an attack by the new version of the Duqu worm on its corporate network, Kaspersky Lab founder Eugene Kaspersky described the malware as a “mix of Alien, Terminator and Predator, in terms of Hollywood.”

The original Duqu worm was mysterious enough, being written in an unknown, high-level programming language. Now Duqu 2.0 is further flabbergasting the security experts. Some describe it as a compound sequel of the Duqu worm that assimilates the features of a Trojan horse and a computer worm. Others call it a collection of malware or a malware platform.

I’m dubbing it the Mutant Two-Headed Worm because it has two variants. The first is a basic back door that gives attackers an initial foothold on a victim network. The second variant contains multiple modules that give it multiple superpowers: it can gather system information, steal data, do network discovery, infect other computers and communicate with command-and-control servers. And did I mention Duqu 2.0 has an invisibility cloak? The malware resides solely in a computer’s memory, with no files written to disk, making it almost impossible to detect.

If Duqu 2.0 attacks increase in 2016, expect malware to be a CISO’s worst nightmare next year too.

Download the 2016 Cyberthreat Defense Report to learn how IT security professionals perceive cyberthreats and their plan to defend against them.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

The Cybersecurity Canon: The Illusion of Due Diligence: Notes from the CISO Underground

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Dawn-Marie Hutchinson: The Illusion of Due Diligence: Notes from the CISO Underground (2010) by Jeffrey Bardin

Executive Summary

The Illusion of Due Diligence: Notes from the CISO Underground introduces the complicated and challenging career experiences of Chief Intelligence Officer and sometime Chief Information Security Officer, Jeffrey Bardin. The Illusion of Due Diligence highlights the relationship between executive risk tolerance and its intersection with the professional standards of information security professionals. Bardin suggests that these interactions often intersect in ways that are ethically questionable and even unhealthy for the business.

While I hesitate to advocate The Illusion of Due Diligence as a candidate for the Cybersecurity Canon, the book provides a variety of examples illustrating the complexity of acting as an information security professional. This book provides a powerful reminder that not all of the obstacles to information security reside outside of the organization. Bardin posits that the battle to maintain the confidentiality, integrity, and availability of systems may be lost easily in the day-to-day political contests fought in organizations of all sizes. Bardin’s work reflects an easy style reminiscent of peers commiserating over coffee, trading anecdotes about the internal challenges they face, but, in relying upon what are effectively parables, never quite gets to the lessons that today’s information security professionals require for maximum effectiveness.

Review

The Illusion of Due Diligence confronts the moral, ethical, personal and professional challenges associated with the field of information security. Using a narrative style, Bardin walks us through the day-to-day experiences confronting many security professionals. Beginning with an executive manager who not only failed to understand the role of information security but then actively interfered with the security officer’s function, Bardin relates a story that is common to many information security professionals. Using examples of specific CIO actions to evade compliance, disabling of critical controls to protect revenue, and competing information technology objectives, Bardin illustrates the challenges that leading information security executives are confronted with. Bardin’s treatment of these challenges places a bull’s-eye squarely on the back of the information security executive who is tasked with delivering and maintaining a secure environment at a level that reflects the enterprise’s risk tolerance but where enterprise risk management decisions may either be made informally or in such a way that the success or the failure of the program won’t rest with the executives making the decisions.

Adequate authority, resources, and reporting structures are the challenges Bardin alludes to amid the technical and political adversaries today’s information security professional must confront. And this observation – that each of these internal adversaries may be just as daunting as battling nation-state actors, hackers and organized crime – represents an important contribution to the literature. Ultimately, while the explicit articulation that managing up and across represents one of the most pressing challenges in information security today is useful, The Illusion of Due Diligence never quite gets to the techniques and strategies for doing so and is, therefore, likely to leave some readers’ thirst for solutions unsatisfied.

The book is organized into a series of non-fiction, short stories based on actual experiences of the author. While Bardin makes some attempts at masking the sources of his narrative, it remains clear that we are seeing experiences from particular government agencies, contractors, and other personalities. While the tell-all, behind-the-curtain format offers some limitations, Bardin reels in the reader, creating a shared sense of struggle that is quite relatable.

Bardin writes:

“Being a security professional is a formidable career choice. To do it right you must take an oath of allegiance to your craft that is not welcome in the corporate world that ultimately employs you. The very credentials that make you marketable are, in the end, the very thing that can put you in the job market, again, and again. Taking ethical stands to live up to the code of the CISSP and the CISM takes courage, tenacity, thick skin and the willingness to walk away from an employer.”

The challenges facing security executives are nothing new to those who have been in the industry for many years. Bardin, however, creates a narrative that offers an opportunity for many professionals, especially those climbing the corporate ladder, to learn important lessons by observation rather than experience – an opportunity that many would say is the preferred route for those seeking to remain in their position and navigate these challenges.

While the war stories aspect of the book is endearing, the work is sometimes difficult to follow and, like many works featuring technical authors, leaves some room for greater accessibility and clarity. In particular, the level of granularity, coupled with strained attempts to obfuscate the identities of the parties sometimes creates an impression of sour grapes and detracts from the key insight of the book: that managing up and across is among the most important obstacles to success for information security leaders. For example, Bardin relates the story of a wayward business partner, “Ariel,” focusing on character development but never fully embraces or explores the moral, ethical or related challenges confronting the situation or how such issues might be addressed pragmatically. Ultimately, it is this missed opportunity for greater depth and exploration of the lessons growing out of each of these mini-case studies that limits what this book might have been, which is a business school-like series of mini-case studies that could prepare executives for what remains a recurring series of challenges as the security function and profession matures.

While the book highlights the ethical imperatives confronting many organizations, Bardin sometimes seemingly too easily conflates differences of business judgment and risk tolerance with potentially unethical behavior. At its core, information security represents a risk-focused discipline, and accepting the risks remains a very difficult practice for many information security professionals to stomach. That’s okay because our perspective is often juxtaposed with many other competing business needs. In the end, we cannot fire all of the employees, or shut down the enterprise, even though the result of those efforts would often be near “perfect” security. In this regard, Bardin could have identified additional tools or techniques to address the relationship between policy and reality. For example, developing and maintaining policy exception processes that create executive accountability represents an important tool to drive accountability while maintaining opportunities to manage and accept risk purposefully. Similarly, The Illusion of Due Diligence never quite highlights the importance of distinguishing between, and identifying the organizational consequences of, failing to adhere fully to policies or contractual obligations as compared with legal obligations. Complaining about the former can often place the information security professional in the role of Chicken Little or an adult in Charles Schulz’s Peanuts cartoon. Sound the alarm too early or too often and management eventually stops listening.

Conclusion

At the core, Bardin seems to identify one of the most pressing challenges facing information security executives: how and when should issues be escalated when multiple business objectives compete with the enterprise’s security objectives? Unfortunately, the book provides little guidance on structures, tools and techniques that might be utilized or relied upon to confront these challenges. While consistency across the application of policies, procedures, guidelines and technical controls, and the subsequent transparency to management remains critical, perhaps more important is the recognition that many CISOs would benefit from a broader business perspective. Such a perspective would help the CISO avoid being labeled as myopic and obstructionist while remaining true to the role, function and responsibilities within the organization. Although the detail of the narrative provides for some juicy storytelling that keeps the reader’s attention, beyond cataloging many common scenarios that can challenge security professionals, The Illusion of Due Diligence does not quite accomplish Bardin’s objective to help the information security professional forge better outcomes, including securing their existing position.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Winning As a CISO

The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review: Winning as a CISO (2005) by Rich Baich

Executive Summary

The latest candidate for the Cybersecurity Canon is Rich Baich’s Winning as a CISO. The roles of the chief information officer (CIO), the chief security officer (CSO), and the chief information security officer (CISO) in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function of an organization. In other words, the CISO works for the CIO.

But Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how the industry should view these topics. Our industry will be slow to adopt these new ideas, but with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to start making a change. Reviewing Baich’s book is a good place to start. It is Cybersecurity Canon-worthy, and you should have read it by now.

Introduction

The roles of the CIO, the CSO, and the CISO in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. I picked up Winning as a CISO because my boss handed it to me after he met the author, Rich Baich, at a security event. He said that Baich was a smart guy and had some interesting ideas about the modern CISO role in today’s environments. In this book, Baich explains some innovative thinking about what today’s CISOs should be responsible for, how they should fit into the organization, and how they might accomplish their tasks once they are established. In order to understand where Baich is coming from, it is useful to review the history of the CIO, CSO, and CISO roles in modern business.

CIO, CSO and CISO History

The idea of the C-suite did not really materialize until the 1920s when Alfred Sloan, the hugely successful chief executive officer (CEO) of General Motors, decided to distribute profit and loss (P&L) responsibility across his division managers in response to shareholder and regulator demand for more accountability.

Because of General Motors’ success with this new P&L model, business leaders across the world adopted it for their own organizations. That model lasted some 60 years until the 1980s when CEOs realized that in order to drive organizational change, they needed executives with technical and functional specialties. CEOs began creating new C-level executive positions like chief marketing officers (CMOs), chief financial officers (CFOs), and, yes, CIOs. The idea of a C-level executive dedicated to security did not really emerge until the late 1990s, 10 years after the CIO position had become firmly established in modern business.

Steve Katz became the first CISO in 1995 when Citigroup created the role to respond to a highly publicized Russian malware incident. Since then, the security industry specifically and business leadership in general have been thinking and rethinking the need and the responsibilities for such a person.

The first practitioners came out of the technical ranks. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world, but this was a new thing for the techies; trying to translate technical risk to a business leader did not always go very well. Security techies have always been, and still are, passionate about their responsibilities. The early trailblazers tended to say “no” to any new project because of the potential security risk. The business leaders did not want to deal with these people who wanted to make organizational decisions with no thought about the bottom line. It became convenient to tuck these kinds of people underneath the CIO organization. CISOs began working for the CIO because, from the C-suite perspective, all of that technical stuff belonged in one basket, and the security people did not know how to talk to the business people.

As business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the CSO role began to gain popularity with business leaders because they needed someone to look at the entire business, not just cybersecurity risk to the business, but general security risk to the business. CSO Magazine launched in 2002 to cater to that crowd.

By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function for an organization. In other words, the CISO works for the CIO. This is not bad, per se, and this arrangement works in many organizations. The IT folks generally handle the daily automation functions while the security teams have more of an oversight role in terms of security architecture, policy, risk assessment, and security operations.

But since then, the industry has been in flux. Not every company is organized the same way. While the CIO role has made its way to the senior executive suite in some companies (Intel Corp. and McAfee to name two), that is by no means the norm. The CSO role is likewise lagging. Both tend to be lodged at the second tier of executives in many companies. And while it is not universal, the CISO tends to work for the CIO.

The Story

All of this history is essential background to the key messages in Baich’s book Winning as a CISO. He published it in 2005 and was quite rightly taking a look at where the CISO role was heading next. He organized the book as a fictional story about an established company in which the CEO had decided to hire his first CISO. His executive leadership team – the CIO, the general counsel, and the chief operating officer (COO) – had to decide what the new CISO’s responsibilities were and where this individual would fit in the organizational structure. Once the CEO made those decisions, the newly hired CISO had to decide how to execute this new role.

The Tech

The book is a quick read, with only 115 pages including the end credits, but it is a primer on what a CISO should do for any organization. In essence, any organization could use Baich’s book as a basic job description for a new CISO hire.

What Are a CISO’s Responsibilities?

When the story’s CEO brought his executive staff together to discuss the new position, he had them develop a list of responsibilities for the new hire. Here is the list:

  • Security Architecture
  • Incident Response
  • Security Awareness
  • Identity Management
  • Security Policy Development and Compliance
  • Due Diligence for Acquisitions and Mergers
  • Risk Management

I think this is a pretty good list of high-level responsibilities. Anything that comes up later that we might want the CISO to do can be easily shoehorned into one of these broad categories. Once the staff agreed to the responsibilities, the next step was to determine which senior executive should own them. In other words, which senior executive should the CISO work for?

To Whom Does the CISO Report?

All of the senior staff members had their perspectives. The CIO said, “The CISO should report to the IT Department because the focus of information security is related to technology. Information security solves technology related risks.” The general counsel said, “The CISO should report through the legal structure. [The] focus can be placed on compliance.” The COO said, “The CISO will have to collaborate with all departments, and everyone, including the sales team will benefit, but the team member who will need to utilize the resulting information the most will be the COO. A clear understanding of the operational risk factors will enable the successful CISO to present to the COO with a rubric of important options.”

The CEO weighed each of these perspectives and had a few of his own. He said that he did not want the new CISO to have to wrestle with any artificial organizational conflicts because he chose to put the position under one senior executive as opposed to another. He said that putting the CISO under the CIO had a number of problems, but the most important one was that it created a conflict of interest. “Reporting to the CIO would be like putting your boss on report.” The CISO’s job is to make things more secure, and sometimes that job may be in direct conflict with the CIO’s job of making things more efficient. With the CISO under the CIO, the organization automatically weights efficiency needs over security needs, and that obviates the reason to hire the CISO in the first place.

An opposing view comes from Forbes reporter Howard Baldwin. Baldwin complained in March 2014 that he did not like recent changes he was seeing within organizations that had broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives who can handle competing priorities. In other words, the CIO can handle making decisions between security and efficiency; that is what we pay a person in this position to do.

But that is not the point. In an interview by Jack Rosenberger, Eric Cole — founder and chief scientist at Secure Anchor Consulting — speculated on one of the reasons that may have contributed to the Target breach in 2014. Cole said, “It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”

Cole is pointing out that of the priorities the Target CIO had to juggle, security lost out. As Brian Krebs reported in the Guardian, “Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.” Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the now-resigned CIO and the now-fired CEO. Krebs suggests that in hindsight, because of the breach’s devastating impact to the business, the Target CISO should not have worked for the CIO. It should have been the other way around.

In Baich’s story, the CEO had reservations about putting the CISO under other staff organizations too. He said that putting the CISO under the general counsel “would potentially position the Information Security department as an arm of the audit department.” According to Baich, auditing support is something the new CISO should help with, but based on the responsibilities the executive staff developed, the CISO’s role is much bigger.

The CEO ultimately put the CISO under the COO. To him, it made sense that the CISO position be perfectly positioned to support the entire organization and not one specific staff element. I think this makes sense. If loss associated with security is something that will potentially materially affect the business, it makes total sense to raise the platform of the person in charge of it to have a view of the entire organization and the power to affect change. If that is the case, then what skill sets are needed for the person who takes on that responsibility?

What Skill Sets Does a CISO Need?

Once he decided whom the CISO should work for, the CEO turned again to his senior staff to determine what skill sets would be essential for success. Without fanfare, Baich lists these five attributes:

  • Must have an MBA
  • Prior budget or P&L experience
  • A proven ability to lead an effective information security organization
  • Experience and skill as a change agent
  • Ability to serve as an information security expert for the executive team

The last three skills are fairly standard for many senior job positions in any organization. The first two are where Baich is providing some innovative thinking. Requiring an MBA and P&L experience for a CISO, as a mandatory requirement, is not the common thinking in the industry, but it is spot on for where the industry needs to go. As I said earlier, most CISOs have come up through the technical ranks and have little if any business experience. This is probably the main reason that security teams and business teams have a hard time communicating with each other. By requiring a CISO to have business experience first, Baich flips the typical experience equation on its head. Instead of training highly technical employees to be proficient in business concerns at the mid- to latter parts of their careers, he is suggesting that we take traditional business people and train them to be proficient in managing security operations.

“If performing vulnerability assessments, configuring firewalls, and performing network forensics makes you happy then becoming Chief Information Security Officer may not be the right career choice for you.”

Just like a traditional business person might find himself or herself as a general manager, product manager, finance officer, or marketing officer, Baich is suggesting we add security officer to the list, and I agree with him.

How Do You Be a CISO?

In Baich’s story, the CEO placed the CISO under the COO in order to give the position a matrixed view of the business. In that kind of environment, how does a CISO succeed? In spite of all the listed responsibilities this CISO has for the organization, Baich says that the most important implied responsibility for the CISO is running his or her organization like a business. The CISO needs to become the general manager of the security program.

“Ultimately, the success of any business, new or old, depends on a leader’s ability to build a team, market and sell the product, and run the business, still meeting the established measurements necessary to effectively operate the business.”

Although the CISO in this story will bring in no revenue, this individual has to demonstrate to the business leadership the value of the position in other ways. The CISO must become a world-class internal marketing person for every aspect of the security program. It is not enough to make the organization more secure. The CISO’s efforts to do so must demonstrably show how the security program is helping the organization grow.

Conclusion

Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how to think about these topics. Baich published the book in 2005. Back then, there was not a lot of impetus to change the current situation, and I do not see the industry adopting these ideas any time soon. But with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to make a change. It is obvious that the way we are doing it now is not working. Because of Baich’s innovative thinking about the next step in the evolution of the CISO role, Winning as a CISO is Cybersecurity Canon-worthy, and you should have read it by now.

[Palo Alto Networks Blog]

How I Became A CISO: Quinn Shamblin, Boston University

The man now leading security for a major university first got the security bug when dealing in government secrets about nuclear power.

If you had a broken toy that needed fixing when you were a kid, Quinn Shamblin was the neighborhood boy to take it to. Even as a child, Shamblin was “the guy who liked to know weird, unusual stuff,” and the go-to guy for taking things apart and putting things together.

“Infosec is the first career I really latched onto that uses all those old things that were drivers for me as a kid,” says Shamblin, now the executive director and information security officer at Boston University (which does not use C-level titles like CISO).

He did not, however, set out for a career in infosec. He was a physics major, and after school was recruited to teach Naval forces about nuclear power.

It was then, while dealing with so much classified information, that he became interested in security.

He pursued that new fascination by going to work for Procter & Gamble. At P&G, it wasn’t just the confidentiality of intellectual property that was important; it was availability. They required 99.997% uptime, says Shamblin. “Eleven minutes would cost the company $200,000.”

Also at P&G, he met the manager who would be a professional mentor for the rest of his career.

“You need to have people believe in you,” says Shamblin. “Someone has to look at your work and say, yeah, wow, there’s value here.”

For Shamblin, that person was Kevin McLaughlin, a former felony investigator for the Army, who shared some of the same attitudes Shamblin had developed through his tenure in the military.

The two worked well together, so when McLaughlin left the company to go create a new information security department at the University of Cincinnati, he invited Shamblin to join that new team.

It was McLaughlin again who recommended Shamblin for the job at Boston University in 2010, while declining the offer to take that job himself.

Shamblin is continuing the tradition by playing the role of mentor himself. Instead of hiring people who’ve done precisely the same job elsewhere, he hires people with promise and trains them up.

“I want people to get better and better at their job,” he says, “and I want them, at some point, to leave.” Shamblin believes that he’s preparing his employees for great careers wherever they decide to go, and in a broader sense, “improving the industry by investing in these people.”

Although most companies hire CISOs from outside the organization, Shamblin wants his successor to be someone he trained, and deliberately prepared to take over.

Most of the lessons he’s passing on to those future CISOs have little to do with technology, and everything to do with business sense and communication skills.

“As a CISO, it’s more important to understand risk and the business than to understand technology,” he says. “Understand that if I do X I won’t have a business.”

Shamblin says that a CISO needs to sound like a CFO. He or she must appreciate the balance of risk and reward, and must be able to comprehend a financial analysis. He did earn an MBA himself while working at the University of Cincinnati, but he credits something other than his degrees for his success.

“I can talk,” he says. “I’m genuinely interested in [people] and they can see it.”

One key piece of advice he gives to all aspiring CISOs is to improve their communication skills, both written and face-to-face. He urges them to get formal training on this, because the difference between a well-written email or document and a poorly written one is huge — but without training you might not see the difference.

If he weren’t an information security pro, Shamblin says he would pursue another career in emergency response — and isn’t that what a lot of infosecurity is all about?

This is part three of Dark Reading’s “How To Become a CISO” series. Read parts one and two now. Come back next Monday for the next CISO origin story, which is set in a law school.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[DarkReading]

How To Become A CISO, Part 1

Think you’re ready for the top job? Here’s part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you’re ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you’re ready to do the job… but can you get the job? For the next several weeks, we’re dedicating Mondays to helping you find the path to the big job, which won’t be easy to define.

“There’s not a standard path [to the CISO job] like so many other professions,” says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. “We can’t even agree on how to spell cyber security.” (Cybersecurity? Cyber-security?)

Even the words “engineer” and “administrator” don’t mean the same thing from company to company. The bad news, then, is that it is hard to know which career steps to take next.

The good news, though, is that the ladder you’re already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don’t know must be smarter than somebody you do know, “the vast majority” of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it’s a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware…

A company’s first CISO has less power than its subsequent CISOs.
“That first CISO tends to not have as many teeth as the second one,” Aiello says. They’re likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. “Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance.”

Most companies want to hire a CISO who’s already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you’ve reached the highest security position at your current company — like director or vice president of security — as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department — we’ll hear some of their stories in the course of this series — Aiello says that most of today’s CISOs began their careers in an information technology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn’t necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the “chief” title, you probably will have needed a CISSP already. However, if you’ve made it this far without one, you probably won’t need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

“Raise your hand. Volunteer,” he says. If you’ve spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side — the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

“Understand the problems your technology is there to solve,” he says. “Understand what [the company is] securing and why they’re securing it.”

In the coming weeks, we’ll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first “how I became a CISO” tale.


[Source: Dark Reading]
