The CISO and the Business

By JC Gaillard

Keep appointing pure technologists in CISO roles and you’ll never win

The Wannacry ransomware attack that affected so many large firms in May 2017 led to a number of animated discussions amongst InfoSec communities.

The corrective patch (fixing the vulnerability targeted by the malware) had been available since March for supported systems, and many firms were badly hit because of their reliance on the unsupported Windows XP (which reached end of life in 2014).

The timely deployment of security patches has been regarded as a fundamental security good practice since the CodeRed, Slammer and Blaster worm outbreaks over 10 years ago, so how can it be that so many large firms are still struggling with it today?

It cannot be just a matter of security investment: many of the firms reportedly affected by the outbreak would have had fully functioning security practices throughout that period and would have been spending millions every year on security products.

It has to be a plain matter of adverse prioritization of security issues by IT and business leaders.

Which brings under the spotlight the role and profile of the CISO in those firms. Surely it would have been the CISO’s job to ensure that those matters remained on the agenda of the right leaders, to communicate their urgency, to drive remedial programmes, and to keep hammering at it until it got fixed.

What is the security community doing wrong, if it is collectively unable to address a technical issue such as the timely deployment of security patches, over a period of time spanning more than a decade?

One reason often put forward by security technologists is a language disconnect between the CISO and the Business: somehow, CISOs are not being heard by business leaders and would need to learn to “speak the language of the business”. Such an assertion, in itself, raises concerns about the actual profile of the CISO, if there are question marks over their ability to rise above purely technological arguments and present them in a language a non-specialist would understand.

Of course, many CISOs are technologists by background, and frankly, security has rarely been seen as a pathway to the top in IT circles, so very often the CISO is in that job either because of a personal interest in the technical aspects of the topic … or because there was little else for them to do.

To break the spiral that has led to the past “lost decade” on cybersecurity matters, talent urgently needs to be injected into the security industry.

It is primarily managerial excellence that is missing, and it will have to be attracted by rewarding the right skills at the right level. It is also a matter of cultural transformation for many firms, because it means changing the value scale on which security is judged.

To attract the best leaders, Security – i.e. the protection of a firm’s assets – has to be seen from the Board down as something fundamental that the firm values

Source: Business 2 Community
