Hire a Team of Hackers to Identify Vulnerabilities

Published on Securityintelligence.com

It’s common to hear the phrase “never leave security to chance” in business. Given the rapid advancement and persistence of cybercrime, chief information security officers (CISOs) need the ability to deploy offensive security measures to protect their networks. One way to do this is to employ a team of hackers to proactively protect the organization’s data and infrastructure.

A capable offensive hacking team can conduct advanced penetration testing and bug discovery within the organization and deliver technical leadership when executing tactical, comprehensive assessments. Members of this team of hackers should have an affinity for advanced attack techniques and a passion for spotting vulnerabilities.

Encouraging Information Sharing

In organizations that have a security operations center (SOC), a red team is deployed to continually prod the organization’s security posture. This can also be a specialized third-party entity tasked to emulate cybercriminal behaviors and techniques as realistically as possible. In return, the red team shares intelligence with the blue team, which defends against these mock attacks.

Due to the attitudes and practices inherent to each role, there are many challenges surrounding the relationship between red and blue teams. Here are a few examples:

  • Red and blue teams have ideological differences. Often, neither team is properly trained to share information with the other, thus defeating the purpose of the exercise. Moreover, blue teams tend to be risk-averse, while red teams are typically more reckless.
  • Red teams are absorbed within the organization and limited in their ability to conduct assessments, which diminishes their charter and value considerably.
  • Red on blue exercises are not always seen as integral to the organization’s ability to combat vulnerabilities. As a result, metrics are commonly not shared between the teams and management.

To address these challenges, security leaders should consider installing a purple team to act as a crucial bridge and facilitate information sharing between the red and blue teams.

Assembling the Right Team of Hackers

When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing in lieu of hiring a red team to go against your blue team defenses. CISOs should take the following steps to overcome these obstacles:

  1. Choose team members carefully. Candidates should be highly skilled in discovering vulnerabilities and defending against attacks. Above all, these team members must be willing to share information with their counterparts.
  2. Get the teams together. At the onset, gather the team members to reach consensus and secure buy-in on the overarching strategy. Instruct them to conduct a thorough analysis of risks and vulnerabilities and then devise a response plan. The overall goal is for the teams to practice discovering vulnerabilities and reporting metrics to management.
  3. Spread awareness. People are the weakest links in any security program. Even with the strictest controls over your data, adversaries can exploit employees’ behaviors. Red teams should conduct unannounced exercises, such as staging phishing email campaigns to determine which users might click on a malicious link or open a malware-laden document.
  4. Go beyond your perimeter. Cloud solutions introduce additional security challenges. It’s important to consider all the legal implications, such as service-level agreements (SLAs), to determine whether the red team has the right to test against the provider’s defenses.

Seasoned CISOs understand that information security is always a moving target. Adversaries are extremely sophisticated and will stop at nothing to breach your organization. Moreover, the organization’s network infrastructure, applications and employees are always changing and adding complexities to your security program. Each one of those changes presents a far different attack footprint, and teams of hackers are well-equipped to discover those vulnerabilities and predict unintended consequences before they can damage the organization.

Is Cloud Security a Safe Bet for Highly Sensitive Government Data?

Published on Securityintelligence.com

Security is the primary focus of any government agency. One of the most obvious pitfalls of these agencies moving highly sensitive data to the cloud is that they surrender control to a third party. Moreover, nothing on the internet is truly secure, and all data is vulnerable to attacks and threats.

The exposure footprint to those threats is staggering under the best of circumstances. For example, the complexity of mobile devices poses a significant challenge when it comes to cloud security. In addition, data commonly flows from one cloud provider to the next and between national boundaries, which runs counter to the physical security measures every government agency should have in place.

Securing Government Data in the Cloud

A Cloud Security Alliance (CSA) survey found that many executives and IT managers have serious concerns about data security. According to the report, 73 percent of respondents indicated that these concerns were holding them back from adopting cloud computing. Additionally, 38 percent cited regulatory compliance as a major barrier to cloud adoption, and the same percentage of respondents expressed anxiety about the loss of control over IT services.

To help alleviate some of these concerns, the U.S. Department of Defense (DoD) released an unclassified document titled “Cloud Computing Security Requirements Guide (SRG)” that outlined essential components for secure cloud computing. The document is intended to simplify the security requirements for the DoD and cloud providers, who must attest, control, monitor and provide evidence of data separation.

This approach to cloud computing is based on “impact levels” that group data records in accordance with their sensitivity. At the lowest level, nonsensitive, unclassified data, such as information available through the Freedom of Information Act or hosted on public-facing websites, can be stored in commercial clouds that meet the strict baseline standards under the Federal Risk and Authorization Management Program (FedRAMP), a system designed to protect cloud-based government data.

When the impact level is increased, the physical requirements for data security come into play. The rub is that once the data reaches a secret classification, a public cloud is not the right place. It must be on-premises or in private clouds that are not commercial but government owned.

Enclaves that transact sensitive data must also be a part of the security architecture. Personnel must be cleared by the government and restricted by tight physical access controls. These enclaves are physically separated within a data center that does not share hardware, applications or other resources the cloud provider would otherwise share with its tenants.

Physical Cloud Security

Most governments are risk averse when it comes to cloud security and safeguarding highly confidential data within their networks. Some agencies air gap their computer systems, which physically separates a secured network from an unsecured one. Air-gapped systems can also be found in major financial institutions, stock exchanges and industrial control systems within nuclear power plants. These are all examples of physical security controls that prevent access from the outside world. However, they also complicate the transfer of data between unsecured and secured networks, requiring human intervention that is prone to errors.

Data diodes are common in these environments. They provide a secure, one-way channel through which data can pass in only one direction. This assures that secure data cannot be leaked back to the unsecured network. Data diodes are specialized, unidirectional devices that convert Transmission Control Protocol (TCP) connections to User Datagram Protocol (UDP) datagrams and then convert them back to TCP on the other side. This tells applications using the File Transfer Protocol (FTP) that a connection has been established, allowing users to transfer a file from the unsecured network to the secured one, but not in reverse.
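As an added illustration (not code from the article or from any data diode vendor), the following Python models the one-way TCP-to-UDP conversion described above: the send side frames a TCP byte stream into datagrams, and the receive side reassembles them and, because nothing can flow back across the link, can only report missing or corrupt frames rather than request retransmission. The frame layout, CRC check and transfer ids are assumptions made for this model.

```python
import struct
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed frame header: transfer id, sequence number, total frames, CRC-32 of the payload.
HEADER = struct.Struct("!IIII")
MAX_PAYLOAD = 1024  # keeps each datagram well under a typical MTU (assumption)


def frame_stream(transfer_id: int, data: bytes, max_payload: int = MAX_PAYLOAD) -> List[bytes]:
    """Send side: cut the byte stream read from the unsecured TCP socket into
    self-describing datagrams. Every frame carries enough metadata for the
    receiver to place it and to detect corruption without any reverse channel."""
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)] or [b""]
    total = len(chunks)
    return [
        HEADER.pack(transfer_id, seq, total, zlib.crc32(chunk) & 0xFFFFFFFF) + chunk
        for seq, chunk in enumerate(chunks)
    ]


class Reassembler:
    """Receive side on the secured network. It only consumes datagrams; it has
    no method that emits anything, which models the physical one-way link."""

    def __init__(self) -> None:
        self._transfers: Dict[int, Tuple[int, Dict[int, bytes]]] = {}

    def accept(self, datagram: bytes) -> bool:
        """Validate and store one datagram. Returns False for anything malformed,
        corrupted or inconsistent with what was already seen for that transfer."""
        if len(datagram) < HEADER.size:
            return False
        transfer_id, seq, total, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if total == 0 or seq >= total or zlib.crc32(payload) & 0xFFFFFFFF != crc:
            return False
        known_total, parts = self._transfers.setdefault(transfer_id, (total, {}))
        if known_total != total:
            return False
        parts[seq] = payload
        return True

    def missing(self, transfer_id: int) -> List[int]:
        """Sequence numbers never received. The only feedback possible here is to
        the secured side's operator, never back to the sender."""
        total, parts = self._transfers.get(transfer_id, (0, {}))
        return [seq for seq in range(total) if seq not in parts]

    def assemble(self, transfer_id: int) -> Optional[bytes]:
        """Return the rebuilt stream, or None while frames are still missing."""
        if transfer_id not in self._transfers or self.missing(transfer_id):
            return None
        total, parts = self._transfers[transfer_id]
        return b"".join(parts[seq] for seq in range(total))


def push_through_diode(data: bytes, drop: Iterable[int] = (), corrupt: Iterable[int] = (),
                       transfer_id: int = 1, max_payload: int = MAX_PAYLOAD) -> Tuple[Optional[bytes], List[int]]:
    """Simulate one transfer: frames flow strictly from sender to receiver, with the
    given frame indices dropped or bit-flipped on the way (constructed faults).
    Returns the reassembled data (or None) and the frames the receiver still lacks."""
    dropped, corrupted = set(drop), set(corrupt)
    receiver = Reassembler()
    for index, frame in enumerate(frame_stream(transfer_id, data, max_payload)):
        if index in dropped:
            continue
        if index in corrupted and len(frame) > HEADER.size:
            # Flip one payload bit; the CRC in the header no longer matches.
            body = bytearray(frame)
            body[HEADER.size] ^= 0x01
            frame = bytes(body)
        receiver.accept(frame)
    return receiver.assemble(transfer_id), receiver.missing(transfer_id)


if __name__ == "__main__":
    print(push_through_diode(b"hello world", max_payload=4))
    print(push_through_diode(b"hello world", drop={1}, max_payload=4))
```

A real diode adds redundancy or forward error correction so that lost datagrams do not require the operator to resend the file; this model stops at detecting the gap.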

The Road Ahead

The government sets regulations as a baseline, which is problematic because the security threat landscape constantly evolves. Government standards must be flexible to keep pace with emerging cyberthreats.

Major commercial cloud providers may not fully adhere to strict data security requirements. For example, identity and access management (IAM) in the cloud should be able to authenticate government users from one online location. In addition, the authentication credentials should seamlessly pass from one provider to the next.

Obviously, for the sake of national security, highly sensitive information will not be available in the cloud. Still, the overwhelming volume of attacks and threats across the globe takes a significant toll on the intelligence and military communities. This technology may provide a useful platform for intelligence sharing between nations with private, government-owned cloud storage solutions.

Succession Planning: The Importance of a Deputy CISO

Published at Securityintelligence.com

Given today’s unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional’s role is extremely stressful and demands standards of security that are nearly impossible to deliver with 100 percent assurance.

The average security leader’s tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as an overlooked vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.

Grooming the Deputy CISO

There is no question that high turnover rates constitute grave threats to organizations. Without a security leader, companies cannot withstand the continuous onslaught of cyberattacks. In many organizations, the CISO’s main role is to keep the company out of hot water — and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the deputy CISO position should be evaluated based on their ability to navigate this complexity and juggle the CISO’s many responsibilities.

A deputy CISO must be able to:

  • Develop and cross-train future leaders in the department.
  • Ascertain the costs of developing future leaders.
  • Execute the security strategy consistently among all associates in the department.
  • Identify associates’ skills, capitalize on their strengths and improve upon weaknesses.

Planning a CISO Succession Strategy

An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.

1. Stakeholder Engagement

The succession plan should be presented to executives and board members on an annual basis. It’s critical to engage senior leadership in this process, and to empower the deputy CISO to develop the skills and experience he or she needs to be successful. This succession plan must be a living document and part of the overall security program.

2. Evaluation of Internal Staff

Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company’s talent pool.

3. Simulations and Stress Tests

Like any disaster recovery strategy, business continuity testing is an integral part of a CISO succession plan. A security leader’s planned vacation, for example, can be a great opportunity to test the deputy CISO’s capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO’s ability to work under pressure.

4. Elevate the Deputy CISO

It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors and coaches available to help the security team adjust. A rich feedback environment is crucial to develop the executive presence that is lacking in many candidates.

Passing the Baton

A deputy CISO must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.

Information Security in the Age of Disinformation

Published at Securityintelligence.com

Depending on their specific goals and motivations, malicious external actors seek to blackmail individuals, organizations or security vendors to disrupt breach defenses or otherwise wreak havoc on IT operations. For security leaders tasked with defending against these threats, it’s hard to know who or what to believe. That challenge has only gotten worse as the spread of false information has become more prevalent.

Data Security in the Disinformation Era

Because of the vastness and anonymity of the internet, individuals can employ a variety of tools and techniques to manipulate the media and spread disinformation. Below are just a few of these methods.

The Social Subculture

Many special interest groups are highly networked, agile and able to assemble on the ground quickly for campaigns as needed. In many cases, participants on one side of an issue work together to gather and disseminate information to support their cause.

These actors are often recruited through online communities such as Reddit, Twitter, Facebook, Instagram and LinkedIn. On Twitter, users commonly collaborate to establish trending hashtags to support their causes and may create vast networks of fake accounts to spread it. Others hijack existing hashtags to prevent members of opposing groups from organizing.

Bad Bots

Social bots are automated software that create content on social media sites and interact with people. Bots are commonly used to inflate the number of followers a public figure has, for example. State-sponsored adversaries from around the world use bots to spread propaganda, influence political discourse and collectively aggregate content. Governments and political elites also use bots to attack dissidents or encourage their constituents to manipulate news and support a certain ideology.

Multiplying Memes

A meme is a cultural idea or symbol that spreads rapidly over the internet. According to The New York Times, memes are designed to irritate the media, elicit negative reactions from public figures or comment on cultural topics, usually in a humorous way. Users post hundreds of memes on Twitter, Facebook and other social media to see what sticks and what doesn’t.

Memes often contain image macros that are used and shared on social media. These images can serve as propaganda for special interest groups to spread their ideologies or degrade others.

Motivating Factors

Actors are motivated to spread disinformation to express their views, perpetuate false news, garner support for specific ideologies or otherwise affect public opinion. Then again, some are merely trolls looking to create chaos.

Ideology is one of the most common factors that motivate individuals to disseminate disinformation. These actors transmit one-sided messages to influence the emotions, attitudes, opinions and actions of a specified target audience for their own political or commercial purposes. Ideological groups often hold contempt for opposing views. They typically use social media as their primary platform and sometimes even use those channels to spread conspiracy theories.

Another common motivator is money. Actors seeking to maintain their financial interests, for example, might launch advertisements designed to perpetuate inaccurate information about a competing entity. Similarly, some actors distribute false information to garner likes and shares and gain status within online communities. Finally, some actors spread skewed information to radicalize members of online communities — arguably the most dangerous result of this practice.

A Calamitous Vision Realized

In 1979, Chinese leader Deng Xiaoping stated that software, if properly weaponized, could be far more destructive than any nuclear arsenal. Given the calamities now unfolding before our eyes, it appears that his vision is becoming reality.

It’s up to security professionals to protect enterprise resources from becoming pawns in disinformation schemes and to make sure they are focusing on the true problems facing their organizations. Business executives, security leaders, IT professionals and media consumers around the world must learn to distinguish legitimate news from inaccurate, agenda-driven indoctrination. In the age of disinformation, this distinction is more critical — and blurrier — than ever.

Is the CISO Job Market Overcrowded?

Published at Securityintelligence.com

Is there an oversupply of chief information security officers (CISOs) in the cybersecurity job market? According to an Indeed report, the answer is yes — but the study’s statistics don’t tell the whole story.

The economists behind the study found that employee interest in the CISO job market in the U.S. is more than double the actual demand for the position. Moreover, there is a vast pool of highly qualified but chronically underemployed security leaders in the U.S. Applicant interest in the position is driven mainly by the high salaries and prestige the position offers, Indeed said.

But economics is an imprecise science because it relies on “human behavior,” as the researchers stated in their disclosed methodology. And all the evidence I’ve seen in my experience and in countless industry articles indicates that CISOs are in very high demand, and there are few qualified candidates available. Perhaps more importantly, the job descriptions in the majority of CISO postings do not accurately reflect what the role entails.

The Ultra-Competitive CISO Job Market

The demand for CISOs has never been greater, and the main factor that drives up salaries is the law of supply and demand. A greater demand will push salaries upward and hurl employers into competition, scrambling to lure the best candidates.

It has become a seller’s market, which also drives skyrocketing salaries across the country. IT and cybersecurity recruiting firm SilverBull recently published salary figures in major metropolitan areas. The top six candidate locations by average salary are:

  1. San Francisco ($249,000)
  2. New York ($240,000)
  3. San Jose ($240,000)
  4. Washington, D.C. ($225,000)
  5. Los Angeles ($223,000)
  6. Chicago ($214,000)

When CISO positions are elevated into the C-suite, it will undoubtedly move the salary ranges well past the $500,000 mark. Still, executive recruiting firms and chief information officers (CIOs) who play key roles in recruiting security leaders are having difficulties finding them, despite these justifiable high salaries.

A Highly Targeted Hiring Process

It is a long road to become a qualified, well-rounded CISO. It requires years of experience developing expertise not only in the technology that surrounds the discipline, but also in governance, compliance and risk. It is equally important to acquire the business savvy and executive presence to lead. Impeccable communication skills are also critical to drive execution within the business.

Employers hiring C-level positions usually seek proven candidates through referrals within the executive ranks, often conducting retained searches to find the right combination of knowledge, experience and cultural fit. The majority of the top CISO vacancies are conducted in this manner, with employers directly targeting candidates they want. For this reason, many job seekers see only a fraction of positions advertised on the job boards.

Clarifying the CISO Job Description

When I studied most of the vacancies that were posted on job boards, I noticed that companies were not bound to accurately describe the duties of a CISO. The job descriptions often misrepresented the true meaning of a C-suite position. Some required hands-on engineering responsibilities with a blend of many other skills that are not characteristic of executive leadership positions. Some emphasized program or policy management, governance, compliance or risk, while others specified operations, architecture or engineering without mentioning the true leadership abilities that effect change.

Furthermore, a number of organizations are hiring their first CISOs. For a seasoned security executive, this is a red flag to approach with extreme caution or completely avoid. Businesses hiring security leaders for the first time may not comprehend the responsibilities and expectations the job entails. Many times, when a new executive begins instituting controls, complaints emerge and escalate upward. This dynamic carries an unacceptably high risk that the executive’s tenure will be short-lived.

A Resume for Success in the CISO Job Market

A seasoned CISO’s resume must tell a compelling story of achievements backed by concrete metrics that propelled previous employers to new heights. It must exhibit C-suite characteristics, such as vision, strategic thinking, execution, technological skills, team and relationship building, communication, presentation, integrity and change management, that demonstrate leadership abilities.

During the interview process, a CISO must be prepared to answer probing questions, such as:

  • How would you execute your vision of security?
  • How would you influence others and gain executive buy-in for security initiatives?
  • How would you sell security to leadership and the board?
  • How would you identify, prioritize and mitigate risks?
  • How would you ensure that the organization maintains compliance with privacy regulations?
  • What are your thoughts on security convergence, IT reporting structure and organizational culture?
  • What are your greatest achievements, and how did you execute them?
  • What does the CISO role mean to you?
  • How would you describe your leadership style?
  • How would you relate to the CEO and the board of directors?
  • What is your breach prevention and mitigation strategy?
  • What are your thoughts on offensive security?
  • What methods do you use to keep up with the latest security trends and issues?
  • How would you act as the security spokesperson internally and externally?
  • What value will you bring to the organization?

When it’s all said and done, employers sum up candidates based on the overall value they can deliver. The last question is the kicker, analogous to an age-old HR question: Why should the organization hire you? It’s critical to present key traits that separate you from the rest of the pack.

Building an Effective CISO-CIO Partnership

Published at Securityintelligence.com

For many, the most common reporting structure in today’s business environment is overly complicated. The majority of security leaders around the world report directly to the chief information officer (CIO), which can cause an enormous amount of conflict. That reporting structure, however, is slowly changing for some companies. In those organizations, the chief information security officer (CISO) might report to the CEO, chief operating officer (COO), chief financial officer (CFO) or legal counsel. Still, the security industry has a long way to go to convince corporate boards and government leaders of the conflicting issues at hand.

Breaking Down the CISO-CIO Conflict

In most organizations, the CISO and CIO have totally different mindsets when it comes to IT operations. The CIO is focused on keeping things running. Moreover, when it comes to new technology acquisitions, the CIO is primarily concerned with return on investment (ROI).

The CISO, on the other hand, is focused on using security tools to reduce risk, which can be measured as return on risk (ROR). The rub is that risk reduction always takes a back seat to operations, and that gap is constantly increasing. As the two executives evolve in their respective specializations, the gap grows and ultimately leads to both disciplines becoming separate roles.

A structure that requires the security leader to report to the CIO can also create a power struggle. The importance of security often gets lost in the maelstrom of office politics and tight budgets, which can potentially lead to an adversarial relationship between the two IT executives. When a security breach occurs in this kind of environment, the CISO is often scapegoated, even if the incident is a consequence of the CIO’s decisions.

IT Roles Shifting in Government Agencies

In an August 2016 congressional report, the U.S. Government Accountability Office (GAO) detailed the concerns and outlined the authority of the security executive within federal agencies as defined under the Federal Information Security Modernization Act of 2014 (FISMA 2014). The report addressed the reporting hierarchy within government agencies and questioned their ability to deliver on their responsibilities. Moreover, security leaders reported challenges to their authority as a result of competing priorities between operations and security, such as:

  • Insufficient staff and inadequate budget to achieve compliance with many mandated security controls;
  • Inability to offer salaries that are competitive with the private sector for candidates with skills in high demand;
  • Lack of appropriate training opportunities in highly technical roles to ensure proper risk evaluation and support security infrastructure; and
  • Budgetary conflicts between security and operations executives that result in organizational failure to address security needs.

A congressional house bill, the HHS Data Protection Act, was a direct result of an investigative finding that originated from a series of current and previous network breaches against the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS). It revealed that the incidents were partly due to organizational structures that imperiled security to favor operations. The report advised the HHS to separate the IT executives, and the legislative bill will do exactly that.

Additionally, some private sector organizations have separated security from the CIO. Several of the “Big Four” consulting firms are actively advocating for this structural change.

A Healthy Rivalry

It is important to understand that the relationship between the CISO and CIO will always be somewhat adversarial, and that’s OK. A healthy rivalry is a good way to ensure checks and balances within the organization, which is one of the fundamental reasons why the security leader should never report to the CIO, but rather engage in a partnership.

Both positions have too much on their plates to begin with, so it makes sense to work in tandem. Both are responsible for leadership and vision where IT and security implementations are concerned. Both have critical roles to drive the business forward, and the CISO needs to provide insight and guidance to ensure that the security strategy is sound.

Information security leadership is beginning to gain board seats, building consensus to provide a security strategy that enables the business to move forward. What was once solely the CIO’s responsibility has now become a part of the security leader’s daily workload. It is important to set attainable metrics for business success to convey actions to the board, and for both executives to work together to ensure that operations are conducted securely.

Building Trust

Trust is a key ingredient here because it affects the CIO-CISO partnership as well as the executives’ shared effort to unite all departments under a single security umbrella. Building that trust is a challenge; both executives must be solid communicators who are able to defuse the tensions that arise between their conflicting priorities.

These two roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Together, they must build trust, formulate priorities and execute them.

Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.

How The Next-Generation CISO Will Lead Security Strategy

Published at Securityintelligence.com

The role of the chief information security officer (CISO) must continually evolve just as businesses do. The next-generation security leader has to grasp the various demands of the board, and communicate security risks and strategies in terms directors can understand. To protect the organization’s assets from the ever-changing threat landscape, this leader must possess strong business acumen, a results-oriented mindset and various board-level skills.

Speak the Board’s Language

The security leader needs to be business-facing most of the time rather than filling a technical role. This is where productivity gets stymied, since the CISO also oversees technical environments with many tools and technologies implemented.

In a business environment, it is extremely important to convey technical details appropriately to a nontechnical audience. Next-generation CISOs must be able to communicate clearly to all executives and employees within their organizations. They must be visible, approachable and able to articulate security principles simply and concisely. They should also collaborate with contemporaries outside their organizations to gain a richer understanding of the CISO role.

It Takes All Kinds

The CISO role is all about leadership, like any other C-level position. The next-generation CISO must know how to delegate tasks based on skills that come from a variety of sources. You may have employees who are good at managing and leading a team, for example, and others who might excel at working with peers from various departments. Some employees might build leadership skills through their technical savvy as subject matter experts. A successful leader knows how to identify and harness these traits and these individuals to build a strong security program.

Aligning Security With Business Goals

It’s crucial for the CISO to be relevant to the business. This means taking on a more strategic role to pivot board conversations toward risk management. It also includes going beyond the negative consequences and explaining risk in terms of its positive effects, such as competitive advantage, business growth and revenue expansion.

Relentless passion and a results-oriented drive are essential to deliver on business goals. CISOs must build strong teams of security professionals who buy into these goals. They must also be adept at problem-solving, managing the concerns and expectations of stakeholders, and formulating effective solutions to complex problems.

Empowering the Next-Generation CISO

Finally, security leaders must possess certain board-level skills. Of course, they must master the vital aspects of managing security technologies and protecting both digital and physical assets. CISOs should focus on establishing strong security policies and communicating risks in plain, relevant terms to executives. They need to drive discussions in board meetings to educate, engage and align stakeholders with respect to their security strategies and initiatives.

The key is to understand that business operations and information assets are crown jewels. That principle should influence CISOs to institute strategic governance that prioritizes information security investments and aligns with business goals.

CISO Complexity: A Role More Daunting Than Ever

Published at Securityintelligence.com

The role of the CISO is more complex than ever. One major factor contributing to this CISO complexity is the growing number of regulatory compliance requirements with which organizations must comply. There are also industry-specific standards muddying the water. Financial services, for example, are heavily regulated in the U.S. and the European Union (EU). These regulations are rapidly changing, and it is very difficult for CISOs to keep up with all mandates.

CISOs are often confronted with organizational business units that simply accept risk instead of attempting to mitigate it with regulatory and security compliance. It is difficult to justify this problem to regulators who often see it as a black-or-white issue — either you’re in compliance or you are not. CISOs have a tough time addressing this gap in the ever-changing regulatory environment.

Getting Executives on the Same Page

The heightened awareness of executives and boards of directors also contributes to CISO complexity. Through collaboration with other organizations, these executives are becoming more sensitive to the importance of security. They have seen other organizations suffer data breaches and heard of the massive losses, and they want to know that their own critical data is protected.

The seemingly insurmountable threat landscape adds even more complexity. Cybercriminals are becoming more sophisticated, and everything from state-sponsored attacks to organized criminal campaigns is occurring around the clock. Advanced defensive solutions can be helpful but may also be difficult to operate, adding yet another layer of difficulty.

Zooming In on the Big Picture

Complexity is not necessarily a bad thing, but understanding what causes it goes a long way toward dealing with it. CISOs must understand what creates complexity in their organizations. They should, for example, remove any tools that do not add value and delegate tasks to direct reports whenever possible.

Organizational complexity creates big obstacles that make it difficult to get things done. Executives and board directors often lack a realistic understanding of how information security and the related challenges actually affect their businesses. I’ve noticed that many leaders simply revert to past personal experiences to address security issues from a big-picture perspective, yet they fail to understand or consider the consequences of that, especially as it relates to employees. It could result, for example, in inadequate processes and ambiguous role definitions.

What Drives CISO Complexity?

Security leaders must identify pockets of individual strength and weakness in their departments to effectively deal with these challenges. It is important to properly delegate work to individuals who can deal with delicate situations and also to train others to develop the required skills. This enables the CISO’s staff to create and use networks within the organization to build relationships. A team effort is required to overcome poor processes, manage complexity and bridge organizational silos.

Organizations have varying degrees of complexity due to both internal and external factors. To top it all off, security staff members view complexity differently than executives. Those stakeholders must recognize how their staff deals with complexity and develop an understanding of what drives it.

CISOs Are Constantly Confronted With Conflicts of Interest

Published at Securityintelligence.com

Corporations, government agencies or individuals may be quick to throw ethics out the window when there’s an extra buck to be made. Some of these conflicts of interest are overt, while others are difficult to recognize. CISOs are constantly challenged to identify patterns that might put them in a morally compromising position.

The most common conflict of interest arises when an employee working for one company freelances for a competitor. Another type of conflict results from nepotism, when one or more employees are related to a company manager or executive. These are the most obvious examples, but other instances, such as C-suite friction and negative publicity, are subtler and usually intrinsic.

Even innocent interactions between two people at a conference or on social media can lead to termination of employment or legal action if both parties are not careful. It’s difficult to keep track of every potential problem, but IT leaders can save themselves a lot of headaches by simply knowing what kinds of issues commonly lead to contention.

Stifling Whistleblowers With Gag Rules

Chief information security officers (CISOs) must manage conflicts of interest among their board of directors and other departments throughout the organization. Most employees blindly trust their CISO’s decision-making skills and don’t even think to challenge them. But consider the problems that might arise if a board member favors a particular vendor because he or she holds a stake in that company or stands to redeem an undisclosed incentive in the future. This is also why employees are often pressed to sign noncompete agreements.

Some companies go so far as to establish gag rules that prevent employees from publishing articles or books without explicit approval. A Google employee even filed a lawsuit claiming that the company breached California labor laws by using confidentiality agreements to run what essentially amounts to an internal “spying program.” The tech giant, according to the lawsuit, even forbade employees from writing novels about “someone working at a tech company in Silicon Valley.”

If Google is found guilty on all violations specified in the lawsuit, it could face fines up to $3.8 billion. The allegations illustrate how a company might use its confidentiality rules to prevent whistleblowers from disclosing illegal activities to regulators and law enforcement.

Corporate and Government Conflicts

CEOs are often motivated to engage in conflicts of interest with government agencies, and vice versa. For an example of this, look no further than the lobbies influencing federal, state and international lawmakers to bend legislation in their favor. Big Tobacco, for example, sits on the governing committee for tobacco control in the Philippines. Now, imagine how this conflict might negatively impact things like health care or product distribution.

Ironically, these global corporations typically have ethics and governance programs, yet turn a blind eye when these principles conflict with opportunities to establish dominance in the marketplace. For the CISO, naturally, this presents a moral quandary.

Managing Conflicts of Interest

A CISO should always consider the job from the outside looking in. Corporations don’t take conflicts of interest lightly, and it’s important for security leaders to make sure their actions align with the company’s business goals and code of ethics.

Restrictions relating to conflicts of interest vary from industry to industry. Independent contractors, for example, can use skills obtained elsewhere for personal gain because they are self-employed. In a corporate setting, however, employees are bound by the company’s stipulations related to conflicts of interest.

Before you engage with another organization or participate on social media, ask yourself:

  1. Are you treating specific co-workers, relatives or friends differently because of the nature of those relationships?
  2. Are you using skills you developed at work for personal gain outside the company?

If the answer to either of the above questions is yes, you may be in conflict with the interests of your company. Recognizing these situations will help you avoid them.

Increased Regulatory Compliance Is Choking the CISO

Published at Securityintelligence.com

Chief information security officers (CISOs) love to laugh at ridiculous compliance regulations. In the financial industry, for example, some organizations are forced to comply with Regulation Systems Compliance and Integrity (Reg SCI), Commodity Futures Trading Commission (CFTC) rule 39.18, the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO) and Principles for Financial Market Infrastructures (PFMI) Principle 17.

The problem with regulatory compliance is not the rules that are self-evidently absurd, it’s the ones that sound reasonable on their own but impose a huge burden collectively. Federal, state and local governments are cramming thousands upon thousands of new compliance regulations down our throats each year, and that creates big problems for CISOs.

Drowning in Regulatory Compliance Requirements

Each regulator seems to think it can ensure its immortal legacy by issuing standards that are a bit different. Some security experts might argue that regulatory mandates help keep corporations large and small in line, but the result is becoming vastly overcomplicated, especially for small organizations that lack resources.

Consider the Dodd-Frank legislation that aimed to prevent another financial crisis. Its purpose was to create transparency, stop banks from taking excessive risks, prevent abusive practices, and seize tottering, too-big-to-fail financial firms. That law spanned 843 pages — that’s 23 times longer than the Glass-Steagall law that followed the Wall Street crash of 1929. Dodd-Frank became outrageously demanding when regulators filled in further compliance details beyond its original purpose.

For example, the Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Unfortunately, the law has no teeth. Many industries opposed it despite the fact that the idea of sharing intelligence surfaced frequently in discussions. The political climate often tears the best intentions apart along ideological lines, and the weakened legislation that results fails to strike a proper balance between security and privacy.

So small businesses are being choked by excessive compliance regulations and large, global firms are forced to increase resources to comply with regulations. The business environment is now so incredibly toxic that many leaders have simply given up trying to work within the system, and security pays the price.

The Role of the Compliance Auditor

Business leaders often complain that auditors advise how to be in compliance by dictating what to do without regard to the organizational context. This conflict commonly occurs when an inexperienced auditor fails to understand an organization’s resources, size and wherewithal to remediate findings efficiently. Small organizations may benefit from this gap since it may be easier to enact small positive changes or alter policy, but it can irritate leaders of large firms.

A compliant environment is not necessarily a secure one, and achieving compliance is an unreliable method of reducing risk. This sometimes leads CISOs to challenge auditors, counting on management to support their views. Ironically, no individual can reasonably know how to comply with overcomplicated regulations such as the Sarbanes-Oxley Act (30,470 words), the Affordable Care Act (400,038 words) or the Dodd-Frank Act (377,491 words), let alone the many other rules and regulations applying to businesses today.

A Path Forward

Many of these complex regulations are redundant, with each placing a different spin on its meaning and wording. Security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) and the standards published by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and others often overlap, so it’s important to map out specific regulations against one another to address any redundancy.

Remember, a CISO’s focus, regardless of specific compliance requirements, is to safeguard corporate data and, in turn, protect employees, patients, vendors, customers and shareholders. Know the requirements of the regulations you must comply with. Read them, study them, and perform audits and assessments against them. Stay current on interpretations, rulings and news regarding these mandates.

When I headed the internal audit department with a previous employer, these data compliance audits were rarely scheduled. Most regulators prefer unannounced audits to make it harder for companies to sweep issues under the rug at the last minute. You have to be prepared.

In practice, audits can be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, third-party examiners, such as accounting firms acting under the oversight of a regulatory agency, may conduct compliance audits. It is therefore critical to work closely with internal auditors to prepare for these events should a breach trigger an unscheduled audit.