Last week I was interviewed by the world-renowned cyber security reporter Brian Krebs regarding how I viewed the cyber maturity of one of the world's largest data brokers in operation. At the surface the write-up may be digested as just another failed attempt by a major company to secure its borders and protect its data from the evil grips of whichever hacker, data thief or APT had its sights on it. But there is another perspective I believe needs to be drawn. Easy as it may be to draw the conclusion that these large organizations just don't care, the "notion" less traveled is one that very few have the perceptual faculty to comprehend. While there is a new budding pool of cyber security professionals, fresh out of an institution's latest and greatest information security program laced with the alphabet soup of certifications and accolades, a commonality still remains amongst them. Battle tested they are not.
Having begun my career in 1998, I do not profess, proclaim or infer, for that matter, that my vantage point is more seasoned than anyone else's in the field. What I dare illuminate, however, is the amorphous landscape a large organization has to negotiate in order to achieve what I would consider "adequate" with regards to its information security / data protection framework. Adequate, for the intents of this article, I suggest be defined as a reasonable implementation of information security policy that aligns with industry standards and is measured in accordance with compliance with said standards, based on cumulative criticality, impact, and the fiscal penalty incurred if the institution were to be inspected or audited by its governing agency. Now, for the intents of this article, I ask the reader to join me as we try to navigate the waters of securing an organization from the consultant's view, internal audit's paradigm, and a CISO's lens.
The 101 of this entire operation, in my opinion, is to fully digest the multiple facets an organization maintains in order to fully appreciate the gravity of such an operation. By this I mean, let's take the physical landscape of your typical organization; let's say, for the intents of this article, one similar to, um, let's do a financial services company. Said company has been in operation for the last 30 years. A safe and reasonable assumption is that most of its employees are of the baby-boomer era, top to bottom. Keep in mind the various silos that are typically present in a company: Finance, Operations, IT, Administration and Leadership, to keep things simple. Of these departments, truly only two are really cognizant of the laws, provisions and guidelines that direct the organization's information security / cyber policy adherence: IT and Leadership. Sometimes the Administration team will have an awareness of what needs to be done, only because they encompass Legal Counsel and typically compliance is part of this tryst. Moving forward...
Now we have identified that, besides IT and Administration, the remainder of this organization does NOT hold a significant allegiance (inherent to their respective positional obligations) to the corporation's IT security plan or compliance objectives. This is not an atypical scenario, and once we try to position our paradigm from the vantage point of the CISO cockpit, you have a large portion of an organization that has its own marching papers, primarily to facilitate the operations that their respective silos set. You (as the CISO) have the task of ensuring the social, technological and political landscape of the organization is in tune with the cyber threats that present significant risks to the company. You have a small army of people that understand your mission: from ensuring that all of the machines are protected with technologies, to ensuring that not only the borders are protected but that the actions of each one of the users within the organization do not significantly present risks that permeate and expand into a crisis that ends up in the headlines of your garden-variety cyber security news outlets. Not for the faint of heart, and not for the unseasoned army of digital warriors either.
Whipping The Caucus
In conclusion, I hope the reader has a better understanding of the many dynamics associated with maintaining, establishing and perpetuating an organization's information security framework, specifically focused around the challenges that many do not see from a CISO's perspective. But before we lend too much empathy to the role, understand this: this is what they sign up for. The last breach you read about in your favorite news outlet, the responsibility still points to a failure presented at the CISO/CIO/CSO level. As a member or leader of your organization's information security party, you have joined the league of distinguished whips. A unique charter that, if failed in execution, lends you to the wolves if you are not prepared to navigate the technical, political, social and organizational landscapes that encompass the field. That means understanding the company's risks from patch, configuration, and change management all the way to safeguarding the data it processes adequately and in accordance with state and federal regulatory compliance statutes. Working as a CISO for an insurance company and not understanding GLBA is unacceptable, and working for a healthcare organization and championing a HIPAA compliance program without fully digesting data-at-rest encryption requirements is a no-no as well.
Our jobs in this field take technical prowess, along with modest notes of political suavity to encourage the organization, top to bottom, to shift their savvy, acumen and perspective as it relates to data security. Every employee who does not know what phishing is, every laptop that contains electronic personal healthcare information that is not encrypted, and every violation or information security risk that is not effectively communicated to leadership and guided to remediation is ultimately the fault of the CISO or their delegates if not addressed. Fin.