We are somehow hearing about what the Equifax CISO studied in college and not about when the firm’s last pen test was. We are hearing about how heads rolled at Equifax but not if the reporting relationship between IT and Security has been revised. Since the interim CISO seems to be reporting to the interim CIO, I am guessing not.
Some thoughts:
- Someone’s college degree is the last thing anyone should care about. The last Secretary of Defense had a PhD in Medieval History. It’s how you think, how you motivate the organization to focus on security and what experience you bring to the table that matters in being a successful CISO. Hackers are not deterred by anyone’s degree. I like to quote the poet Frank O’Hara on this subject:
  “If someone’s chasing you down the street with a knife you just run; you don’t turn around and shout, ‘Give it up! I was a track star for Mineola Prep.’”
- Control effectiveness testing and vulnerability detection are essential. With the constant mantra of “it’s not a matter of if but when you will be hacked,” vendors are adept at selling protective controls and response solutions. Detective controls are harder to sell, so we hear less about them in the marketplace. But just because we don’t hear as much about the tools doesn’t mean the function, DETECT, isn’t essential. An effective program of detective controls is like awareness: you need more than a product, you need the right attitude.
- Think an interim CISO promoted from the ranks of IT Ops has the right attitude? They might. But everyone who draws their CISO directly from IT Ops and keeps the CISO reporting into IT Ops needs to accept the risk that IT Operational priorities will overshadow Security and leave the organization unknowingly at risk. Do you think the CEO who told the CIO a week ago to get that credit protection website up and running at Equifax ASAP meant “and I don’t care if it can be hacked with a cross-site scripting attack, just get it up”? Do you think the CIO mentioned that they were not taking time to pen test the site before launching it? Do you think the CISO was even asked? I don’t know, but my guess is it never came up. For that matter, do you think the CIO or CISO even had visibility into the launching of that site, or are there areas of the organization that can put up a website without IT, Security or proper change control?
- Your org chart and/or your governance structure had better reflect the role of Security in the organization. Is it just an IT function or something that everyone needs to care about?