How To Become A CISO, Part 1

Think you’re ready for the top job? Here’s part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you’re ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you’re ready to do the job… but can you get the job? For the next several weeks, we’re dedicating Mondays to helping you find the path to the big job, which won’t be easy to define.

“There’s not a standard path [to the CISO job] like so many other professions,” says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. “We can’t even agree on how to spell cyber security.” (Cybersecurity? Cyber-security?)

Even the words “engineer” and “administrator” don’t mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you’re already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don’t know must be smarter than somebody you do know, “the vast majority” of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it’s a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware…

A company’s first CISO has less power than its subsequent CISOs.
“That first CISO tends to not have as many teeth as the second one,” Aiello says. They’re likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. “Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance.”

Most companies want to hire a CISO who’s already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you’ve reached the highest security position at your current company — like director or vice president of security — as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department — we’ll hear some of their stories in the course of this series — Aiello says that most of today’s CISOs began their careers in an information techology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn’t necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the “chief” title, you probably will have needed a CISSP already. However, if you’ve made it this far without one, you probably won’t need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

“Raise your hand. Volunteer,” he says. If you’ve spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side — the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

“Understand the problems your technology is there to solve,” he says. “Understand what [the company is] securing and why they’re securing it.”

In the coming weeks, we’ll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first “how I became a CISO” tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: Dark Reading]

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill paying company, was attacked by an outsider with real access credentials pretending to be an insider.  It turns out, the data base administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 Gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats it’s important for organizations to clearly understand how these threats manifest.AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which the employees purposefully expose data.

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these type of programs reward employees instead of scare them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen first hand how global organizations can reduce the number of malware related incidents and shut down both insider and outsider threat with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link — the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world’s first social engineering framework at http://www.social-engineer.org/, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals. A sought-after writer and speaker, he has spoken and trained at events such as RSA and Black Hat. He is also the best-selling author of two books: Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security.

[Source: DarkReading]

Cybersecurity Month is here—and so is ISACA’s new cybersecurity certificate

October is Cybersecurity Month, and ISACA is proud to be a champion of two of these initiatives:

Cybersecurity Month—along with the latest breach headlines dominating the news—reminds us how critical it is for our enterprises and individuals to be at the top of their games when it comes to security. We all have important roles to play, regardless of whether the word “security” is in our job titles. For some ideas on how to get involved this month, view this video.

Many exciting things are happening at ISACA during Cybersecurity Month. For instance, last Monday marked the launch of the new Cybersecurity Fundamentals Certificate. Intended for university students and recent graduates, entry-level security professionals, and those seeking a career change, the certificate is knowledge-based and requires passing a proctored online exam.

The Cybersecurity Fundamentals Certificate is aligned with the NICE framework and tests for foundational cybersecurity knowledge in four areas:

  • Cybersecurity architecture principles
  • Cybersecurity of networks, systems, applications and data
  • The security implications of emerging technology adoption
  • Incident response

Candidates with a proven level of cybersecurity knowledge are in strong demand worldwide, given today’s global cybersecurity skills crisis. This certificate will help organizations quickly identify candidates with a foundational level of cybersecurity knowledge, while helping the most qualified job seekers distinguish themselves.

The Cybersecurity Fundamentals Certificate is the latest resource from ISACA’s Cybersecurity Nexus (CSX). Through CSX, our mission is to offer cybersecurity resources for professionals at every level of their careers.

Among the resources also coming this month are:

  • Two free webinars:
    • Why Implement the NICE Cybersecurity Workforce Framework? (View archive here).
    • Data-centric Audit and Protection: Reducing Risk and Improving Security Posture (Register here for the 28 October event).
  • A cybersecurity Twitter chat on 22 October with ISACA International Vice President Ramsés Gallego (@RamsesGallego) and me (@RobertEStroud), along with @ISACANews.
  • Two cybersecurity training courses:
    • Implementing the NIST Cybersecurity Framework Using COBIT 5
    • COBIT 5 for Security Assessors
  • Cybersecurity Teaching Materials
  • Cybersecurity Student Handbook

And our cybersecurity plans don’t end in October. In November, we’ll host the Information Security and Risk Management Conference in Las Vegas. In 2015, we’ll launch a cybersecurity certification.

I encourage you to take advantage of these opportunities, and I also encourage you to make a commitment to choose one thing to do to commemorate Cybersecurity Month. Will you review your security policies at work? Give a talk to a local university class? Read a security publication? Begin studying for a security credential?

Knowledge is power—and we need as much of it as we can get to stay ahead of the increasingly complex cybersecurity threats.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[Source: ISACA]

Designing a Quality Management Approach to Cybersecurity

Designing a quality management approach to cybersecurity starts with two sets of security standards, (1) the manufacturer and (2) the organization.

The manufacturer standards should include the mitigation of security vulnerabilities, (OWASP, CVE), based on a specific configuration within a defined architecture. There are only so many situations in which a network device firewall, router, switch, server, desktop, laptop, handheld can be deployed. The software, enterprise resource planning (ERP), utilities, apps, etc., should also be tested for security vulnerabilities before they are released.

We need to weed out the technologists who insist on flying by the seat of their pants. They can expose the organization to unnecessary reputational risks and potential financial and strategic risks. By not documenting security standards, the organization will be not be able to produce consistent outputs. It is impossible to manage quality when nothing is documented; it cannot be validated or verified.

The organization’s security standards need to define how a network device will be implemented. This usually means that only a select list of manufacturers and products that have been tested and meet the organization’s requirements can be purchased. This also means that the security architecture needs to be documented based on those specifications and business requirements. These specifications need to be meaningful, because they will be tested, verified and validated.

Each device or software product needs to have its security standards documented—again, these need to be meaningful. A risk assessment could help to identify what needs to be documented. I also recommend adopting the ISO 9001 approach to product realization. To be effective, security standards need to be consistently documented in a manner that includes specifications. These specifications are grouped as follows:

  • Design—how the device or software fits into the architecture; i.e., internal facing
  • Installation—how the device or software will be installed; i.e., configuration
  • Operations—how the device or software will be used; i.e., standard operating procedure
  • Performance—how should the device or software function; i.e., response times, look, feel, etc.

In quality management, we refer to these specifications as qualifications because they get tested and verified before release. We also call them design qualification (DQ), installation qualification (IQ), operations qualification (OQ) and performance qualification (PQ). These specifications need to be considered as part of the enterprise security architecture during any custom software development or major changes. Rule number one is “No surprises!” The secure software development methodology needs to include specifications for design that eliminate all known vulnerabilities and any organizational attack vectors that are unique to the organization. Any changes need to be retested during the quality assurance (QA) and user acceptance testing phase of development. The QA team needs to include a member from the software side and the technology side.

The results are a fully integrated, seamless approach to managing security vulnerabilities and shutting down those attack vectors. The time spent upfront will save time on the back end, so that management can focus resources on problem management and security events and incidents to gather additional intelligence. The additional benefit is that the security team can more easily detect potential security events and incidents more rapidly.

Organizations should not have to pay out of their own pockets to fix security defects that the manufacturer could have fixed for everyone by adopting a similar quality management approach. If the developer or manufacturer was facilitating this level of testing, it should be able to provide the security standards.
Organizations that purchase products that have known vulnerabilities/defects, nullify their warranties. This increases the organizations’ exposure and liabilities, which means that they will need to carry more insurance and pay for it out of their pockets, further increasing operational costs and lowering revenue because the cost of doing business just got more expensive.

Mark E.S. Bernard, CGEIT, CISA, CISM, CRISC, CISSP, ISO 27001 Lead Auditor

[Source: ISACA]

What Can We Learn from New Data On Advanced Persistent Threats?

ISMG’s recent Advanced Persistent Threats Survey, sponsored by Palo Alto Networks, reviews the current advanced threat and APT landscape as well as where traditional security solutions fall short.

Here is what jumps out about APT findings based on ISMG data:

It’s Time to Target the Kill Chain

ISMG’s report covers key trends informing those results as well as how to put those results to work. Our CSO Rick Howard is also interviewed about how organizations should approach 2015 survey investments.

Background on the Survey

The survey was developed by the editorial staff of Information Security Media Group, with the assistance of members of ISMG’s boards of advisers, which include leading information security, IT and risk experts.

This survey was conducted online during the spring of 2014. Key characteristics of the respondent base:

  • 64 percent are from the U.S.
  • 56 percent of respondent organizations employ 500 or fewer employees
  • 44 percent employ between 500 and 10,000+ employees

Top responding industries are:

  • Banking/financial services – 57 percent
  • Technology – 8 percent
  • Professional services – 7 percent

Learn more about APTs and threat prevention

[Source: Palo Alto Networks Research Center]

English
Exit mobile version