Wannabe infosec kingpins: Forget tech, grab a clipboard
Ditch the debugger, bone up on biz risk management
Budding chief information security officers (CISOs) would be better off boning up on business, communication, and risk management skills than getting bogged down in detailed discussions about technology, according to a panel of senior security professionals.
The overwhelming message from the InfoSecurity Summit 2012 in Hong Kong, was that CISOs need to be trusted and they need to add value, but most importantly they must understand risk in all areas of the business and then manage that risk proactively.
“The days of the CISO being technology-focused are over; the role is much more transversal now,” argued Jerome Walter, chief security officer Asia Pacific at French bank Natixis. “You should build relationships. Each department has different risk, different issues and you need to create an image of trust so they’ll come to you.”
Thomas Parenty, MD of fraud prevention firm Parenty Consulting, agreed, adding that security should never be approached out of context of the business.
“You need to deeply understand what the business does to be effective,” he said. “You need to better understand how the business operates more than you need to know about the security technology – that can be handled by someone else.”
This is not to say that CISOs should have no competence in technology, however, according to Dale Johnstone, who heads up security and risk management at the Hong Kong Hospital Authority.
“The fundamental principles of security have stayed the same over the years and a good CISO has to have enough understanding of technology to communicate with the tecchie people and the higher level management,” he explained.
“However, today they’re very reactive: fire-fighting and waiting for problems to happen rather than putting together an overall strategic plan.”
Trying to protect all the organisation’s information all the time can be challenging, especially when the bad guys can put all their resources into nabbing just one bit of it.
Thus, being able to discern “the pythons from the cockroaches” – or those attacks which could seriously damage a firm and those which aren’t so dangerous – is also a key skill, according to Vikalp Shrivastava, info security boss at casino group Melco Crown Entertainment.
There was one final piece of important advice for budding CISOs from Steve Tunstall, head of corporate risk at Cathay Pacific Airways: beware the regulators.
“What scares me is that data moves so fast. For many years our data was in mainframes, but over the past few years that shoe box has not only become porous, now it’s disappeared,” he argued.
“I don’t know where half the stuff is now. Regulators are slow to catch on but when they do the penalties are getting worse and worse. If you’re not alive to the latest changes in penalties you will be when a writ arrives on your desk.” ®
If they're not technically competent
They will request, and then pressure the minions for, things that are self-contradictory or otherwise impossible.
There's every reason that a CISO should be savvy to the workings of the business, and very little reason why she or he should be technically competent. As long, of course, as said CISO has a team of people who do understand the technology.
Interesting that the 'Panel of senior security professionals' (aka 'Men in Shirts') didnt seem to think such minions to be worthy of notice.
they should also have some technical competencies and rightly come from a technical background
The person who makes decisions such as which vendor to choose, which product to use, which architecture should be employed, that person needs to have an in-depth technical understanding of those things.
If the CISO wants to appoint someone who has the knowledge to make those decisions then that is fine. The problem I see everyday though is that "suits" make buying decisions based on pretty graphs and then the technical people who implement and use the security controls are stuck with products and solutions that don't work.
What I see is that not even "junior" or operations managers have the security and technical knowledge necessary to make effective decisions. That might be OK if those managers are just making staffing, financing, administrative decisions. But if they are making security and operational decisions then it is a disaster.
They don't have to come from a technical background if they a) have the techies in the risk management meetings/assessments etc and b) Have an IT Security Manager under them...
but...almost every information security manager I know came up through the IT Security route. Mainly because it is easier to teach a techie how to do risk management than teach somebody who knows risk management about IT (which of course is not necessary if they meet the criteria stated above, i.e. if you don't have a an ITSec Manger then your InfoSec manager needs to be techie.