Wireless security, risk management -- of course, the CISO has them in his sights. But what about human resources? Dr. Fred Cohen, an analyst and CEO of a security consulting company, says a good CISO needs to have his eye on them, as well.
Cohen is a principal analyst for security and risk management strategies for The Burton Group, and CEO of Fred Cohen Associates, a security consulting company. He also runs Security Posture, an Omaha, Neb.-based company that focuses on security and wireless issues, and teaches graduate courses in information protection in the master's degree program in national security at the University of New Haven, based in Livermore and Sacramento, Calif.
In a one-on-one interview with eSecurityPlanet, Cohen, who just authored the book The Chief Information Security Officer's Toolkit: Governance Guidebook, says a company's greatest risk is its employees, that CISOs do not yet sit at the executive table, and that security managers need to make sure they have sufficient control over outsourcing.
Q: What is the primary role of the Chief Information Security Officer?
The CISO or whoever is the enterprise's top-level person in information protection is in a governance role. Their task is to take the duties... defined by the shareholders, legal people, CEO, auditors, and so forth, and... implement it throughout the enterprise by using influence over all facets of how things operate. It's a governance position, not a technical, line-management position.
The CISO should be charged with security governance -- network security, risk management -- not with carrying out any of these activities, but assuring that all these activities get carried out appropriately. And that includes setting policy, getting procedures in place, dealing with legal.
Q: How many corporations have a CISO today?
There are a fair number of them but it's more the exception than the rule. Less than half or maybe a third have the title CISO -- a person who shares both the physical security and information protection and executive protection. Regardless of the title, there is somebody who is the top-level security person in almost every large enterprise today.
Those people may not be properly positioned within the enterprise, so a significant number of them are not properly positioned to carry out the governance role. They end up working for a CIO, for example, because top management doesn't have a clear understanding of the scope of issues that have to be covered... If they are too low in the structure, it's too hard for them to exert influence and the enterprise has less protection and more potential for serious losses and other problems.
Q: Does the CISO have a role at the executive table?
No. There will be executive committee meetings where the CISO is there but it's not like a chief legal counsel or CEO or CFO who has to be there all the time. It's more like a member of the audit committee; one of these cross-cutting governance positions, like head of HR or corporate communications. They typically aren't there making day-to-day business decisions. That's not their role, but they are providing information to the people making those decisions.
Q: What technologies pose the greatest security challenges?
People pose the most important information protection challenge. Information protection is more about people, especially at the CISO level. The CISO is typically not dealing with whether there's some vulnerability on a PC somewhere. He has to ensure that change is properly managed and risk is not occurring. It's more about process than technology.
The greatest technology issue I see and the most pervasive is associated with risk aggregation, meaning data center consolidations and virtualization, cost-saving measures and outsourcing, and what's happening is... We're aggregating small risks together and creating larger risks. We're putting very high levels of dependency on a smaller number of servers. Data center consolidations, to save money, are causing issues.
Another major challenge has to do with outsourcing when you have inadequate control. Some large enterprises have outsourced all of their functions to a third party and it's out of their control and they cannot ensure continuity for their business. They won't have the ability to respond to an attack because they don't have adequate visibility into that other party. When you outsource, you give up all feedback that comes through human interactions and you're left with some list of service-level agreements. So when you give up that level of control, there's potentially a very serious level of risk.
Q: What aspects of security could or should be outsourced?
There are things in security that can and should be outsourced. The typical reason you outsource something is that there are some places that have more of the right level of expertise than you have and another reason is you need someone who is independent to do that job. It's the same reason you get a consultant. They know something you don't know -- they give an independent, objective opinion. Or you don't have enough people time to get the job done. With outsourcing, there's cost savings. The main condition should be you don't have enough information technology expertise to do the job yourself or it's too expensive to pay for that expertise.
What you don't want to outsource is security governance, which is like outsourcing your CEO, or your internal audit people who work for the company and are the executive management's independent check that the proper controls are in place and are being followed.
It's probably also a bad idea to outsource your security architecture. There's some amount of architecture that's related to security and you might outsource the development of an architecture, but you need internal expertise that operates that architecture on a daily basis. Their function is the definition, understanding and adaptation of the enterprise information architecture. They understand what information is where, and how it gets from place to place and how it's controlled. Usually that's a very high-level technology person. Very often they will work under the CISO.
Q: How do you build a strong security program with a tight budget?
Normally the CISO doesn't have lots of budget. People with money are the people running the applications, and the ones who are moving product back and forth. So the business is where the money lies. The information security officer's business is to use power and influence to properly apply their resources in security. So the CISO doesn't run the network, the networking people do. The CISO's job is to influence people running the network to make reasonable and prudent decisions on what security should be on the network and how to operate that security function on the network.
Q: What are some of the hidden costs of security that enterprises fail to account for?
It's awfully hard to measure the cost of security... It's hard to assess those differential costs... One of the most interesting [costs] everyone encounters is with someone who works in accounting and knows something about computers. [When someone in that department] says, 'My computer isn't working right', someone else in accounting says, 'Let me take a look' and takes time out of their day to do something that may be security related -- on company time. It's five minutes here and 30 seconds there and by the time you're done, it's very substantial overhead. It's all the costs of backups, disaster recovery, continuity plans, virus scans, uninterruptible power supplies -- what keeps the computers running. They are security-related costs hidden in other budgets. The question is which of these costs are attributed to the security function? They're attributed to something else, like facilities or people's time.