The Equifax breach will expose many failures and learning points on how not to run a security program. Aside from the breach itself, Equifax executives didn’t look at their own company as a top security risk for the type of business they did. I can assume that in their minds the fact that they held the financial data of most of the American population, and of other countries, didn’t motivate them to secure it properly.
Data isn’t thought of in the same way gold bars are. If you store gold bars you put everything you can into securing those gold bars. Data is intangible; you know it’s there but can’t touch it, and those without the experience are unaware of, or naive about, the value of that data.
The position in a company that is responsible for securing it all is the Chief Information Security Officer (CISO).
I am going to try not to personally bash Susan M. I am sure she’s a fine professional and has the network and the respect of peers to be placed in the high-level positions she has held. I will also not simply say this was a diversity hire, but it’s tough to look at the public information and not question the CEO’s thought process on the qualifications for the CISO.
What should be questioned going forward is how Equifax looked at the CISO position, not necessarily who filled it. However, in the past week Equifax has taken great steps to scrub, mask, delete and obfuscate everything about Susan M., her background and any interviews, videos and audio recordings from the Internet. If a person in a leadership position was qualified and a mistake happened, why not stand shoulder to shoulder and defend that leadership rather than try to erase it? Every company will experience a breach of some level; no one can stop everything. The Equifax case is a little different. As easy as this breach was to carry out, and as stupid as the gap that was exploited was, I fully agree that any CISO and CIO should be removed from their positions if this happened to them in this way.
The CISO position is still fairly undefined and open to interpretation by the business world. Some companies have embraced it and treat the CISO like a pure executive; others have the CISO in title only, a checkbox on the org chart, and look at it as a subsidiary of IT. In most cases the CISO reports to the CIO. I would think no C-Level position reports to another C-Level unless it’s the CEO.
In my experience there are two lines of thought when it comes to management positions in companies.
The first approach is the mindset that “People who are trained and are ‘experienced’ managers can manage any department they are placed in.”
The second approach is the mindset that “Only those that have years of experience in the area can elevate to the top management positions.”
Equifax went with the ‘managers can manage anything’ approach. This approach does work, but for anything other than C-Level positions. Rookie CEOs in startups don’t count.
A C-Level position should be filled by experts in their defined areas, top of the game, who have been in the trenches working for a few decades, learning from the ground up to reach that level. Only through those proven years of dedication can you convince me to place you in a C-Level leadership position. I can fill lower VP and Director level positions to manage sub-departments with less-experienced people to let those people get the technical experience, but the C-Level needs to know the game they are set to lead. Period. I don’t care how many certification letters you have on your business card, or how many years you spent in a classroom to get the PhD; I want to see how many years you spent actually doing it.
Let’s take the managers can manage anything approach and apply it to other common C-Level positions.
- CFO – Chief Financial Officer – Would you put someone here who doesn’t hold a CPA, can’t read market conditions, can’t look at a budget and deliver accurate balance sheets, and has never been in charge of all purchases and investments?
- CTO – Chief Technical Officer – Would you put someone here who doesn’t know the difference between Linux and Windows? Who can’t build a multi-tiered network? Who can’t talk to vendors at the deep core technical levels? Who has never worked 24 hours straight in a server room restoring failed systems?
- COO – Chief Operating Officer – Would you put someone here who doesn’t have any knowledge of how the business and industry you work in function?
- CMO – Chief Marketing Officer – Would you put someone here who has never worked in marketing before, never ran a brand recognition campaign, never built a social media strategy?
With the CISO position I fear the cybersecurity approach is still looked at as a subset of IT, limited to firewalls, virus scanners, accounts and passwords. A CISO can be any ‘manager’ who can manage the team of techies that keep the technology running. Put the CISO under the CIO to make sure the inconveniences of security don’t slow down projects and frustrate people.
This isn’t the case. The CISO has the same requirements as any other C-Level position, if not more so. I am sick and tired of hearing that someone is ‘too technical to be a manager’. Not only do CISOs need to be vastly experienced and knowledgeable in the security technologies, they need to be able to understand the symbiotic connections between security initiatives, threats and risks, and wrap them around the business needs. That skill is not learned in a classroom or from a certification course. It’s only gathered through experience: working through the security industry, reading reports and papers, feeling failures and successes, and years of paying attention to everything around you.
The college degree or lack thereof doesn’t bother me. So what? Music major or Business Administration, both are non-security and non-technical. But had the CISO worked for 5 years as a security engineer, then a manager of an operations team for the next 5 years, moved up to a Director of a security compliance department for a few years, got a VP position in a security related field then was hired as a CISO – that’s acceptable. That’s substantial qualifications, through experience not from a degree 25 years ago.
On the flip side, if a person has had nothing but ‘professional manager’ positions and nothing in a technical field, I would reconsider. Time and time again we are shown that career managers who just take manager positions and nothing tactical or strategic end up failing badly.
CISOs need to be experienced leaders, not managers. Directors and VPs can manage the teams; C-Levels provide the guidance, validation and strategy based on experience. If they cannot do that, it places an unnecessary burden on those working below them to make all the decisions and set the direction, and the CISO is just a middle-man messenger who sits in meetings all day passing reports around, taking the credit and putting the stress on the teams. This also sets up the CISO for failure, as the experience is not there to verify what the teams are telling them, nor the wisdom to ask the right questions about the plans, initiatives, requests and reports the teams are feeding the CISO.
In that situation you can have a critical, level 10 Apache Struts vulnerability, and would the CISO even know about it? If the teams said that it would take 6 months to patch it, would the CISO manager accept that, or would an experienced CISO push back, question the time frame and go after the terrible application development that left it so unstable it couldn’t take a patch? Would a CISO manager understand how the 143 million records are stored and how the criminal world works if that data were to get out?
Classroom training is short term, and certification courses lay out the basic groundwork of a concept, but only through hands-on experience can skills be cultivated.
Look at a commercial airline pilot; I know many. They get their pilot’s license in a classroom, and they can take a course on how to fly a 787. But no pilot is ever made captain unless they have the thousands of hours on lower planes, shorter flights, smaller crews… they gain and earn the experience. An airline pilot is responsible for only 150 people and a $20 million plane.
A CISO responsible for 150 million people’s lives and livelihoods, driving a multi-billion dollar global corporation… not so much experience required, I guess.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.