Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Dark Reading: CISOs Caught In A Catch-22

with 3 comments

Screenshot from 2015-07-22 10:36:45

Full article:

JESUS FUCK.

Now that I have that out of the way let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject just how talented on average are these CISO’s that are being made scapegoats and not allowed at the C-Level table? Are these CISO’s capable of making those security decisions to start? How technical are these CISO’s on average and have they worked the bulk of their career in information security?

See this is what burns me much of the time. We have CISO’s who are titular C-Level execs that most often than not NEVER carried out a pentest and have little to no real experience carrying out a security program to start with. This is a problem and one that everyone seems to not quite grok in the corporate world but if you are in INFOSEC and you are capable, usually you are not considered to be C-Level material at the average corp. This is just my experience of this being in the business so long but hey, this article seems to be backing this up a bit as well.

On top of all this it seems that the people asked in this survey of sorts showed that the CISO, like much everything else in INFOSEC is considered the red headed step child that is better neither seen nor heard. That is until they have had a breach and then they can blame the CISO that they have not empowered and perhaps never trusted because they weren’t competent to start with.

But hey.. That’s just me right?

The role of the CISO is evolving more now because the breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really, these companies aren’t looking at the news, turning to their boards or other C-Levels and saying

“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”

Mmmmmyeah, not happening that I have seen. Evolutions kids is a long ass process and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet point thoughts to leave you with;

  1. We’re fucked
  2. If your CISO has no experience and shows that in meetings with other execs… You’re fucked
  3. If your CISO has no empowerment… You’re fucked
  4. If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
  5. Corporations are like living entities made of of large amounts of cells (people) that are in essence psychopaths. They are self involved, manipulative, and only want what they want and will do anything to get it.

You’re fucked.

K

Written by Krypt3ia

2015/07/22 at 19:56

Posted in Infosec

3 Responses

Subscribe to comments with RSS.

  1. The same could be said for much of IT. Under staffed, under funded and largely ignored but god help you if upper management can’t connect to the mail server (To read his Sugarddaddy.com messages) or there is an outage.

    DerHottentot

    2015/07/22 at 21:18

  2. You bitter, accurate, bastard, you!

    “I’d never be a member of any club that would have me,” — Groucho Marx, and Every IRL security engineer whose ever worked in the trenches, on why they don’t interview for CISO positions

    corq

    2015/07/28 at 04:05

  3. You forgot my ever present “ruthless truth”

    Krypt3ia

    2015/07/31 at 11:53


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: