CISOs, CSOs and Target Debacles
The Target Debacle & CIO/CEO Separations
Yesterday I had a short conversation with Brian Krebs after the news that the Target CEO was being fired and that his severance was a fat 65 million dollars for the effort. He mentioned that he had been asked to write an op-ed for the Guardian on this, and I vented on the subject of CISOs and CSOs who on average are not worth their salt, and who, if they do have a clue, are hamstrung by upper management. Brian’s post this morning made some salient points not only about Target but about many companies in general that may not even have a CSO or CISO title in their food chain. What does this mean for the “security” of those organizations, he mused? Well, in my opinion the companies that don’t have a CSO/CISO are only more nakedly clear about their lack of care on the subject of security than those that have the titles but hamstring them or fill the roles with useless individuals.
That the Target CEO leaves with a large sack of money while there is still no CISO/CSO position filled at Target should be a clue to all of you out there that they really don’t get security, nor do they really care. Sure, they will dump a lot of money at the problem like Brian says in the op-ed, but that will not change the culture that caused the alerts to be ignored, will it? Perhaps they will be more sensitive for a while, but I am sure they will go back to their somnambulism on security soon enough once the press has died down. Of note in the news concerning the CEO’s departure from Target is that he was not axed only because of the hack. In fact the CEO was sent packing because he bungled their strategy of opening stores in Canada. In my opinion this is the reason he was ousted, more than the hack. You see, a CEO serves at the will of the board, and the board was not telling him he needed better security or a CISO, were they? Net/net, nothing has changed at Target but spending on security to make it look like there is some magic happening, and that’s about it I fear.
CISO’s and CSO’s
Now, about those CSOs and CISOs out there. As I have mentioned before, I am the Methuselah of INFOSEC (TM), so I have been around a while and seen a lot of things that made me go “hmmmmm”. One of the more common issues, other than not having any kind of C-level security exec in a corporation, is the CISO/CSO dunsel. Going by my own recollected statistics from assessments over the years, these people have on average been figureheads only. This is a sad and rage-inducing fact for me and has been throughout my INFOSEC career. What has come to pass is the recognition that if the CISO/CSO has any credentials it is usually a CISSP, and that’s about all the experience they have had. I have not run into too many CISO/CSOs in general corporate ‘Murica who have actually done the work that would make them a good CSO/CISO and let them rightfully claim the word “security” as a field of expertise.
I was tweeting these sentiments earlier, so I will just put them into a bullet list here…
- CSO/CISOs should have been network admins, security or auditing people who actually did the job. Anyone who is only a theoretician should not be doing this job unless they listen to their security staff and follow their lead. If you haven’t done the job, how the fuck are you going to understand what your tech tells you?
- If your CSO/CISO does not have a good rapport with the security team that actually does the work, what good are they? If you have a CISO/CSO who is very “executive”, then it’s game over.
- If your CSO/CISO is too political and boot-licking toward his peers within the org, or bows to pressure too easily without a fight… well, what’s the point?
I guess the summary here is that if you have a CSO/CISO who isn’t passionate about the job, doesn’t understand the technologies and the issues, and generally won’t listen to the staff under him advising him about the issues of the day, then you should get out of that org and find a place where they do. You will not get anywhere and you will be frustrated… unless you let apathy win and just go through your day not caring. Alternatively you will get all that burnout we have all been yapping about lately, and that is no way to go through life either, is it?
Report To Chains
Another big issue here is the placement of the CSO/CISO in the food chain. I have seen many orgs that actually have a CSO/CISO in the food chain, but they are hamstrung because they report to the wrong person. The fact of the matter is that no CISO/CSO should report to the CIO alone. Nope, a CSO/CISO should report directly to the CEO and be available to give them the straight dope on what the problems are within the org. I have seen places where the CSO/CISO is just cock-blocked by a CIO who takes his reports and files them away for no one to see. Why? Because it may rock the boat or make him look bad in the eyes of his peers, that’s why.
The CEO and the board should get an unfiltered channel into the inner workings of security within the company so that they are informed. Unfortunately this is not the case in most places, and in fact security, as we all well know, is the cost-center redheaded stepchild no one wants to deal with most of the time. If the report-to chain is FUBAR, then the poor CSO/CISO’s job is basically to be the fall guy/woman when the shit hits the fan… sorta like the Target CIO, who coincidentally had no IT experience to start with, so there you go. It’s just an illusion of propriety for the shareholders and the media folks and nothing more when this happens.
It is my firm opinion that every org should really take a look at their report-to chains and see just how well or not that’s working for them. If they have a CSO/CISO who reports only to the CIO, let’s say, and is filtered, what good is that? There has to be efficacy here, but then again the orgs have to care about security in the first place and not just give it lip service for the media and the audit teams, right? Too many orgs are just broken and don’t really care to change that. I would hazard that Target is even one of those companies post the POS hack and the loss of millions of credit cards and personal data records.
Speculation On Changes Post Target
While on the subject of Target, I would like to say that they will care about security until such time as they are no longer in the news. Sure, they have lost money, but they will bounce back and the shoppers will return soon enough. You see, we all have short attention spans out there and we will soon forget all about this debacle. Our fears will dissipate and we will go on with our lives because we have not really felt the sting from this hack. What do I mean? Well, who pays for the credit monitoring? That would be Target. Who lost their money altogether and wasn’t reimbursed for their credit cards being stolen? That would be maybe the banks, right?
What I am saying here is that overall the banks should be the ones forcing companies to tighten their security, because they are the ones paying for this in the end. Well, actually, I suspect we all will pay in larger fees in the future, right? I mean the banks have to recoup their losses too, and who better to fund them than all of their customers? Hey, it’s a win-win-win here financially in the long run, so without an epic flame-out no one will really care at the end of the day, right? The Targets of the world will live on and go back to what they were doing before, because vigilance and doing things right is hard and costs too much in their books. They will just buy the next blinky-light appliance that some FUD vendor hawks to them as the new panacea for all hacking and they’ll be good!
K.
I think that in the future we will see a change in how the reporting issue is handled, similar to how we deal with financial fraud, in that the invoicing and the check writing are distinct and separate as a checks-and-balances measure to cut down on fraud. Hopefully soon, orgs will be forced to expose security as a business issue and operational risk, but this will not come until incidents are painful enough to the customer to affect the stock price and earnings. Until security events become line items on the boardroom financial reports, the subject will continue to be buried.
cinemarriage
2014/05/06 at 18:58
Do you find any disagreement with these points of yours? A few years ago I would have thought you would get an argument, but lately I think it has been sufficiently proven that CSOs reporting to CIOs is fundamentally broken because of obvious conflicts of interest, and that hiring people who don’t have a concrete understanding of what it takes to get things done gets you executives who randomly throw money at problems they do not understand. This describes the strong majority of execs I have met in these roles.
Here’s the thing though. What creates these programs doomed to failure? Who accepts these massive stacks of bitrot while deploying random duct tape solutions for compliance and calls it done? Everyone seems to agree that infosec is important, but what are the clear goals to non-technical people in technical positions?
With no clear goals besides compliance, extreme resistance to change and maturity in development and technology programs, and the inclination to throw money at things, but not actually change anything meaningful, what’s to be done?
I’ve found it pretty challenging to get effective change deployed even with a CEO mandate. With or without it, the whole bootlicking circus (as you describe it) is pretty much required to get any progress whatsoever.
Ian Gorrie (@gorrie)
2014/05/06 at 20:46
I blame human nature. Our cognitive issues around security as well as our penchant for laziness mentally. Is there a fix? No.
Krypt3ia
2014/05/07 at 14:10