The CISO Role Is Technical
Recently there has been a bit of discussion about information security leadership. The other night I was put on the spot when I made a comment and the response was, “so if you’re not technical, you cannot do security work?” Or, something like that.
I didn’t want to be rude and do understand that there is a whole domain of IT, information and security governance that focuses on policy, procedures, and resilience. That was the focus of the first five years of my career at EY and KPMG. However, larger organizations that have a lot to leak, already have have risk and control departments to focus on policy and procedure review, while having a department that focuses on disaster recovery. Even when that falls into the information security department directly, it is a supporting function to the role of actively securing the environment.
The CISO roles needs to be a cyber security expert with solid penetration, vulnerability testing, and incident management skills. Hard skills and experience that should at least include exposure during a career with one of those areas, or some kind of security-focused technical knowledge, such as security operations. There are softer skills, such as people management, budgeting, planning, and other secondary requirements; but it is secondary to the ability to address various issues related to information and cyber security. When we go to the dentist, we we don’t look for a plumber’s certificate on the wall. Or, if we asked about her training and education, and she replied that she was transferred from the accounting department a couple months ago, we are not at all comfortable with her well-trained assistants! We should not feel comfortable with security managed by an executive that actually has not cyber or information security experience, certifications, nor technical capability!
Yes, I am going there, since it is time that we recognize security experts for the technical skill that is required to do the job. We don’t hire an accountant with soldering skills because we think he will be good at fixing the computer, just like we should not have a CISO that is really good at doing inventory management on the SAP system. The title says it, and their is a skill set that comes with the role. This takes us to the next topic.
Consistent recent leakages and the associated response should be a wake-up call. We all know a certain crypto currency exchange leaked volumes that resulted in major losses for clients. During a couple of workshops and discussions that I was a part of hosting, over half of the security chiefs openly admit personal lack of technical skill and lack of job preparation! The author personally was involved with numerous organizations and consultancies where the so-called security lead could not even begin to triage an incident scenario. The months that I was contracted with a certain manufacturing conglomerate consisted of continuous excuse-making about annual April rotation of management, and not having anybody technically capable for the chief security role.
This takes us to the next topic where many global roles openly advertised are way under-budgeted. For example, a close colleague and myself interviewed (unbeknownst that both of us were interviewing at the time) for a role at a major national insurance company. I did not progress beyond third interview because I was “too technical”. My counterpart that is just as technical turned down the position. I asked him why and he said, ‘No way! In charge of 70 countries all with at least one legal entity and doing it all with a team of three or four from global! That’s at least a one million dollar job annually to begin with, just for the taking the risk of eminent failure.’
That is the double-edged sword - your damned if you leak data, but your damned for pointing out the weaknesses. It’s probably a good time to quit blaming third-parties, and time to man up and put an expert in charge of cyber security. While the Benesse incident response was good since regulators and standards subsequently required many organizations to perform long overdue third-party scrutiny, it is still a band aid applied to a compound fracture. Time is high to hold management accountable by having a CISO that is a voting member of the board. Giving security experts a say in the corporate culture, and driving the tone at the top. Anything short of that gives the attackers an even greater advantage, over and above the current advantage. They leverage what every security vendor out there uses to make you buy their solutions and services - fear, uncertainty, and doubt (FUD). The solutions do not secure your company. Talent using the tools is what secures your company.
We still visit clients and they brag about the new intrusion detection system (IDS), or the new security information and event monitoring (SIEM) system that they’ve purchased recently. They say it to a penetration tester like he can probably move on and test another part of the environment. The sad part is the CISO that purchased the solution actually thinks that he just bought more security. That somehow the money he spent on a tool gives some level of assurance that the company is more secure. The reality is that by having such tools in your environment without the leadership to know that it is properly implemented and the talent to maintain the tools, that you may actually be less secure than you were without the tools…
Just my two cents. It’s time that we make sure our security chiefs are experienced or certified, or both. Furthermore, my point is also that certification and having the paper is not enough. People management skills are not just enough either. Applying the proper vigilance from the proper angles toward the correct areas of technology and human activity is a craft built from experience, skills, and talent. A craft that is largely founded on technical capability.
Sarbanes-Oxley requires that financial chiefs are certified and qualified for the role they fill. It’s time to start holding management to the same level of accountability for the people they put in charge of cyber and information security.