2016 (ISC)2 Security Congress General Session to Focus on CISO Impact

Chief information security officers and their teams must lead their organizations into adopting safe business practices. In our increasingly connected world, this goal is more important than ever. Speaking the language of the C-suite and the board, and translating information security into business terms is key for CISO success.

The General Session at this year’s (ISC)² Security Congress will help CISOs chart their paths to successful leadership and cybersecurity practices. “CISO Impact: Driving Security Into the Business” will be presented by Phil Gardner and Stan Dolberg. Both speakers are executives at IANS, an information security advisory and consulting firm: Gardner is founder and chief executive officer, and Dolberg is chief research officer.

The session draws on IANS’s data-driven leadership framework, CISO Impact™, which is built on research with more than 1,000 information security teams, including many (ISC)² members. The session will take place on Thursday, September 15 from 8:00-9:00 a.m.

Gardner founded IANS in 2001 and currently oversees strategic and operational decisions. He has seven years of service in security with the U.S. Navy as a strike fighter pilot and ordnance requirements officer. He received his B.A. from Harvard University, as well as his MBA from Harvard Business School.

Dolberg has been the chief research officer at IANS since 2015. Before joining the organization, he ran his own consulting firm working with CEOs and boards of technology companies, addressing key questions about markets that affect sales velocity. He received his B.A. from Harvard University and his MBA from the Carroll Graduate School of Management at Boston College.

Along with the General Session, full-conference attendees will have access to more than 90 educational sessions, as well as the exhibit floor, Career Pavilion, and Solutions Theater. This year’s Security Congress event has 11 tracks:

  • Application Security/Software Assurance
  • Cloud Security
  • Forensics
  • Governance, Regulation and Compliance
  • Incident Response
  • Malware
  • Mobile
  • People Centric Security
  • Professional Development
  • Swiss Army Knife
  • Threats: Inside & Out
  • Threat Intelligence

While the first session takes place Monday morning, September 12, (ISC)² members are invited to attend the annual Town Hall meeting the day before, Sunday, September 11. (ISC)² leadership, including CEO David Shearer and board members, will be available to answer questions about membership, certifications and more. Questions may be submitted to the panel via email at congress@isc2.org or tweeted to @ISC2Congress on Twitter (use #Congress16TownHall).

This year’s (ISC)² Security Congress will take place in Orlando, Florida at the Orange County Convention Center from September 12-15, 2016. The event will be co-located with the ASIS International 62nd Annual Seminar and Exhibits, once again bringing together operational security and cybersecurity professionals. Billed as the best-value and largest industry event of the year, it is expected to draw more than 20,000 professionals from around the world. For more information, or to register to attend, please visit http://congress.isc2.org/.

[(ISC)² Blog]

Hiring Your First CISO: A How-to

ISACA Now recently talked to Joyce Brocaglia, founder and CEO of Alta Associates, an executive search firm specializing in Information Security, IT Risk Management and Privacy. Brocaglia shared her insider views on the process of hiring a first Chief Information Security Officer (CISO).

What are the top considerations when hiring an organization’s first CISO?
The most important thing companies must understand is why they have made the decision to hire a CISO in the first place. Clients frequently see the following scenarios:
  1) They currently have someone managing security who is incapable of creating a comprehensive strategy.
  2) They have a decentralized organization and want a CISO to develop a centralized organization.
  3) Their board of directors or audit committee has concerns and recommends they install a CISO.

Each scenario influences the skills a successful candidate should possess. After understanding why they are hiring a CISO, they must determine where the role sits in the organizational chart, its budget, team makeup and compensation.

What should an organization look for in CISO candidates?
First-time CISOs must have immediate credibility within the organization. That means they should hit the ground running, assess the current state of the information security program, and create a roadmap for moving forward. Typically their initial 90-day goals are to meet key stakeholders, understand organizational needs and identify low-hanging fruit. That means the candidate must be client-facing and collaborative, while also possessing the requisite technical skills. Many successful first-time CISO candidates are currently second in command at larger, more mature organizations. Candidates interested in building an organization, have a holistic approach to risk and can articulate technical issues in business terms, are best suited for this role.

What is the process for a best-in-class CISO search?
Although many companies consider doing the search themselves, given the demand for CISOs and the complexity of the role, they are best served by retaining an executive search firm specializing in information security. Many firms have recently recognized the potential revenue in cybersecurity recruiting and claim to be specialists, so buyers beware. Hiring managers and talent acquisition executives should thoroughly interview search firms and ask for examples of recent similar successful searches and references.

A track record and trusted network of industry relationships are keys to successful CISO searches. The hiring company should be confident in the recruiting firm’s knowledge of market data on compensation, its ability to understand their culture and its network to provide a diverse slate of qualified candidates. With extreme demand for well-qualified candidates, an inverse relationship exists between the length of the interview process and likelihood of acceptance. Organizations should streamline the process by ensuring interviewers understand the CISO role and responsibilities, and remember to sell the benefits of joining the team. Our firm sets up a launch call with the hiring manager and key stakeholders, provides a slate of spot-on candidates within the first 15 days, has biweekly update calls and partners to find the best possible candidate in a timely manner.

How is the CISO position established in an organization?
The decision to hire a CISO usually comes from the board of directors or C-suite executives. Some become uncomfortable with their organization’s risk level. Others respond to a breach, an audit or consulting firm recommendation. Some recognize the need to be proactive about security and keep their company out of the headlines. The executive team must ensure the new CISO is positioned high enough in the organizational chart. Most companies have the CISO report directly to the CIO. They also need to provide the CISO executive sponsorship and support in an active, public way internally and externally to demonstrate the company has prioritized cybersecurity and the CISO role. This supports the CISO’s efforts to influence the culture changes often required in organizations that had not previously considered information security an important differentiator and contributor to success.

Editor’s note: The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at news@isaca.org.

Joyce Brocaglia, Founder/CEO, Alta Associates

[ISACA Now Blog]

Bridging the Divide Between CISOs and IT Decision Makers

In a large organization, leaders create a vision and strategy for the business and employees work to achieve the vision. At the business unit level in information technology, CIOs, CSOs and CISOs define their strategies while other IT decision makers work to implement them. The key to success is a team working in unison with effective strategies and KPIs. But this might be a case of “theory vs. practice.”

When we surveyed 400 IT decision makers (ITDMs) for our 2016 Datastrophe Study, we discovered that CISOs, CIOs and other IT decision makers often diverge in the real world on everyday data security implementation and on real-world issues such as BYOD policy administration, reputation management and insider threats. That’s the scary reality of the unseen divide: when the people who are meant to protect the enterprise do not agree, the CXOs need to step up and lead.

The Datastrophe Study reveals several specific drivers contributing to the disconnect between C-level and other IT decision makers and ways in which businesses can bridge the gap.

Image issues
Data breaches are hitting organizations left, right and center, and there is little doubt that brands’ reputations are at stake. CISOs, with their executive hats on, spend their time on risk mitigation: more than half of CISO/CIOs (53%) say their ability to protect corporate and customer data is vital to their company’s brand and reputation. However, only two fifths (43%) of ITDMs share that focus.

While the Datastrophe Study reveals a 10% difference between leaders and decision makers, when it comes to sensitive data, even a little complacency can lead to security failures. This may be an issue of operational efficiencies being developed without using a secure framework. Data security needs to be part of the design starting with strategy at the CXO (horizontal) level and vertically with tactical execution.

In order to ensure that risk and the potential of reputational damage is reasonably mitigated, C-level and ITDMs need to work in concert. ITDMs have the clearest view of incumbent systems and employee behaviors—and should not be afraid to speak up. Equally, C-level executives need to take this information on board, if not back to the Board, in order to help ITDMs fulfill the vision of building a secure enterprise.

The insider threat is very real
All security professionals will agree that the insider threat is a reality in any business. But it seems that CISOs, CIOs and other ITDMs have not aligned on the scope and magnitude of the threat or the threat vectors. Sixty-four percent of CISOs and CIOs believe that insider data security threats will increase in the next twelve months. Only 50% of other ITDMs agree with them.

Is the view from the top—with a focus on protecting the organization and brand—skewing reality? Or, given the day-to-day liaison between ITDMs and employees, could it simply be that ITDMs lack the proactive (instead of traditional detective) tools required to provide real-time situational awareness? Either way, if they haven’t aligned on the threat vectors, the probability is very high that ITDMs aren’t aligned on what to measure or monitor. There is, today, a potential tendency for both parties to underestimate threats. A study by Forrester reported that 70% of data breaches could be traced to employee negligence. In order to overcome the insider threat, the C-level and all other ITDMs have to agree on the best strategic course forward. More importantly, both parties need to engage employees and help to educate them on behaviors that could lead to a data breach. For example, C-level execs could use a workshop format to explain to employees the costs and damages caused by employee negligence, while ITDMs can provide practical tips and examples of how to actively avoid behaviors that put data at risk.

Anomaly at the endpoint
In an increasingly mobile workplace, BYOD is a key driver for adoption of policies to manage employee-owned devices connected to organizational networks. But things are never as simple as they seem. Among the normally skeptical CISO/CIOs, 87% believe their companies have clearly defined BYOD policies in place. Meanwhile, only 65% of ITDMs say their organizations have defined BYOD policies. To add more contention to the mix, 67% of knowledge workers (employees who think for a living and engage with mobile devices daily), believe their companies have no apparent BYOD policies.

This disconnect is a major cause for concern: CISOs/CIOs believe that 47% of corporate data is held on endpoint devices, as opposed to the more moderate estimation of 43% by other ITDMs. It’s clear that C-level and ITDMs need to work collaboratively to clarify, communicate and implement well-defined BYOD policies.

Ultimately
The simple solution to bridging the gap? Better communication. CISO/CIOs need to talk to their teams and their teams need to talk back. Better alignment and integration between the vision and the reality will go a long way to building more secure enterprises.

Rick Orloff, Chief Security Officer, Code42

[Cloud Security Alliance Blog]

The Role of CIOs and CISOs

Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).

Effective strategies by information security drivers, such as the CIO and CISO, can fine-tune information security and the compliance needs of an organization. Many industries have invested heavily in order to meet regulatory requirements, but being compliant and being secure are 2 different things. Many compliant enterprises have been breached.

Information security needs to be a priority at the board level. CEOs should take active roles in promoting information security, as most valuable information is stored electronically, all systems and databases are online, and mobile transactions occur every minute.

CIOs’ and CISOs’ priority is to identify where sensitive information resides and how can it be protected effectively at the lowest possible cost. The security team, guided by the CISO, should approach problems in a consulting mode to solve security-related challenges in the best way for the business. Outsourcing security operations is still one of the easiest options to reduce cost and reduce risk. These decisions should always be undertaken consciously, evaluating the risk and fallback options.

Information security teams are the walls of every enterprise. An empowered CIO and CISO can create a cost effective, consistent security culture across the enterprise with the right strategies.

Read Devassy Jose Tharakan’s recent Journal article: “Protecting Information—Practical Strategies for CIOs and CISOs,” ISACA Journal, volume 3, 2016.

Devassy Jose Tharakan, CISA, ISO 27001 LA, ITIL, PMP

[ISACA Journal Author Blog]

Dear CISOs and Legal Counsel: We Can’t Wait for the Privacy Regulators

Privacy is constantly in the news these days. Should Apple create a “back door” to unlock a terrorist’s iPhone for the FBI? Should Microsoft provide European citizens’ information stored on servers in Ireland in response to a US subpoena? Should data for cloud services be allowed to be stored outside of Germany, France, Sweden and Russia? Should we store information in the cloud without retaining the keys? Should commerce between the US and EU flow under the proposed replacement for Safe Harbor (Privacy Shield)? Or maybe the question is whether someone should be awarded tens of millions of dollars for having their privacy violated by being filmed naked in a hotel room without their consent, or by having a sex tape of their engagement released to the Internet?

The Issue is Clear:  Why Should Anyone Trust Anyone?
We could leave this issue to privacy officers, internal and external legal counsel, governments, data protection authorities, politicians, regulators, and technology companies to sort out. We could wait for the ultimate answer to solve the privacy question once and for all. And wait. And wait some more. And wait for another review, debate, newsworthy event (such as needing information from another critical terrorist phone). Or wait for the next cloud service to be hacked, exposing photos that violate an individual’s right to privacy.

The reality is we just don’t trust each other—person to person or country to country. The reality is also, we have to trust each other at some level to interact personally or conduct business with each other.

As we grow up, we implicitly trust our parents to protect and lead us in the right direction. We have temporary moments of insanity during the ages of 5-6 and 13-17, where we don’t trust what they are telling us (because we just know better), and our parents all of a sudden get smarter when we turn about 22! In other words, we have temporary moments of disbelief, or a lack of trust in what they are telling us. It is the receiver of the message (in this case the child) that does not believe the sender (the parents), even though the sender of the message was telling the truth and had good intentions all along. Trust is earned by delivering a consistent message that matches the real environment.

So what does this have to do with privacy in our organizations? Everything. We are currently in a state where people and governments are challenging the trust model. However, we cannot stop and wait for resolution of this temporary insanity and total lack of trust to figure out how to enable others to trust our assertions.

We Will Lose Valuable Time
We must, as “parents of our own organizational destiny,” continue to refine the controls on our systems and enhance how we protect information privacy. As we promote our message of information protection, those who make the rules will recognize that the organizations performing fundamental security work, building in privacy considerations and protecting rights through followed processes, will be able to be “trusted” and interact with other people and countries.

Privacy is much more than publishing a privacy notice on the company web site or sending out notices. Privacy is an organizational commitment to build trust by securing information and limiting access to accurate information to only those who have a right to it. Security officers are at the core of this issue and must be literate in the language to be effective.

At the 2016 North America CACS conference in New Orleans May 2-4, 2016, Todd Fitzgerald’s “One-Hour Privacy Primer” session will explore privacy concepts every security officer, privacy officer, auditor, lawyer, and governance professional should know:

  • The role of the CISO with respect to Privacy
  • 8 Universal (OECD) privacy principles
  • Global laws impacting privacy
  • Privacy by Design principles
  • Understanding data elements and the language of privacy

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, CIPM, PMP, CGEIT, ISO27000, ITILv3f, Global Director Information Security, Grant Thornton International, Ltd.

[ISACA Now Blog]
