Not Enough CISOs to Go Around

This article is reporting that the demand for Chief Information Security Officers far exceeds supply:

Sony and every other company that realizes the need for a strong, senior-level security officer are scrambling to find talent, said Kris Lovejoy, general manager of IBM's security service and former IBM chief security officer.

CISOs are "almost impossible to find these days," she said. "It's a bit like musical chairs; there's a finite number of CISOs and they tend to go from job to job in similar industries."

I'm not surprised, really. This is a tough job: never enough budget, and you're the one blamed when the inevitable attacks occur. And it's a tough skill set: enough technical ability to understand cybersecurity, and sufficient management skill to navigate senior management. I would never want a job like that in a million years.

Here's a tip: if you want to make your CISO happy, here's her holiday wish list.

"My first wish is for companies to thoroughly test software releases before release to customers...."

Can we get that gift wrapped?

Posted on December 11, 2014 at 6:31 AM • 40 Comments

Comments

FirefoxDecember 11, 2014 6:57 AM

My first holiday wish would be to magic some sense into my company's executives so that they take security seriously (in all its aspects) before they have an incident, rather than rush to shut the stable door after the horse has got out.

My second wish would be to magic some sense into builders of hardware, software, comms protocols (well, everything really) so that they build in security from concept onwards, rather than paste it on as an afterthought.

AndyDecember 11, 2014 7:15 AM

My first wish would be for the execs to learn that information security is so much more than HIPAA.

My second wish would be for the execs to learn that HIPAA is not an information security framework.

M@December 11, 2014 7:17 AM

As a former CISO, one of the largest reasons there aren't "enough" is that when you're really good at it: strong leadership qualities, deep technical understanding, broad awareness of surface area, it's demoralizing to continuously have to fight your own peers to do the Right Thing(tm). I've stayed out of C-level security for the last 5 years, and don't miss it at all.

PiperDecember 11, 2014 7:36 AM

Not to worry. There is always a deep pool of executive sociopaths ready to fill any C-level position. And the Dunning-Kruger effect will ensure that they are all experts in the field.

MarcosDecember 11, 2014 7:47 AM

Well, one wishes simplicity, another wishes good testing, and a third saves his wishes for something impossible. That's less than half, I wonder if the others know how deep the rabit hole goes.

mercDecember 11, 2014 8:07 AM

Would help if CIOs also didn't cheap out with legions of insecure "runtime containers" instead of building real seperation with actual hardware.

jonesDecember 11, 2014 8:14 AM

re: "My first wish is for companies to thoroughly test software releases before release to customers...."


This NIST report studies the economic impacts of software bugs, and puts some interesting numbers on the problem:


The Economic Impacts of Inadequate Infrastructure for Software Testing

http://www.nist.gov/director/planning/upload/report02-3.pdf

My favorite part:

The media is full of reports of the catastrophic impact of software failure. For example, a software failure interrupted the New York Mercantile Exchange and telephone service to several East Coast cities in February 1998 (Washington Technology, 1998). Headlines frequently read, “If Microsoft made cars instead of computer programs, product-liability suits might now have driven them out of business.” Estimates of the economic costs of faulty software in the U.S. range in the tens of billions of dollars per year and have been estimated to represent approximately just under 1 percent of the nation’s gross domestic product (GDP).

JohnDecember 11, 2014 8:40 AM

perhaps companies could invest in their staff and train them to be their next CISO ... unlikely as that would need something other than the short term thinking that execs seem to do now.

Security should be included in the software architecture of a system. I'm not convinced people do software architecture anymore.

ChrisDecember 11, 2014 8:52 AM

In my organization, we actually closed the CISO position and used the dollars to contract out for security assistance. We found that since we could only afford one person, that one person didn't/couldn't have enough expertise on all the attack vectors we were seeing. Contracting out let us get more and broader help with the same dollars. This might help cash strapped organizations more.

paulDecember 11, 2014 9:03 AM

It sounds as if what these companies want is to tick off a box on a list. Perhaps if they advertised these jobs with generous severance benefits and explained beforehand that the CISO was just there so they didn't have to fire someone important when the clearly foreseeable disaster struck?

The Last Stand of FrejDecember 11, 2014 9:18 AM

As a CISO, convincing your peers with logic and pleads for adequately preparing for the inevitable will never happen. They don't see the fruits of security because when it's working, all is quiet on the front.

They only understand fear and "oh crap" moments. This is why a CISO absolutely has to know how to articulate information security in terms of risk. Because executives think in terms of numbers, quantifying information security risk gives them something familiar to digest. It also presents identified problems in a quantifiable way, effectively shifting the onus for action on those with the purse strings. It's also good CYA for the CISO.

My name is not importantDecember 11, 2014 10:34 AM

My first wish is that corporations and governments understand that is safer running OpenBSD than Microsoft Windows even if the former has the financial resources to pay for certifications.

My name is not importantDecember 11, 2014 10:35 AM

Obviously I wanted to write "even if the formas has not the financial resources to pay for certifications".

My name is not importantDecember 11, 2014 10:38 AM

Obviously not my day... "even if the former has not the financial resources required to pay for certifications".

In short, security is a process not a certification.

BillDecember 11, 2014 11:52 AM

"Here's a tip: if you want to make your CISO happy, here's her holiday wish list."

Interesting use of gender. Is this a hidden indicator?

G. BaileyDecember 11, 2014 12:23 PM

You'll never get software companies to thoroughly test their software for vulnerabilities until they have liability.

As it stands, software is a "market for lemons". Customers can't easily evaluate the security of software before they buy it, so it makes little financial sense for a company to invest in security unless there have already been breaches.

Ray DillingerDecember 11, 2014 12:29 PM

My Holiday wish is that software companies whose software is installed at the victim's facility, by the victim, on purpose, and becomes the vector of attack, should bear civil liability for damages incurred in the attacks. Or at least should be required to sell insurance against attacks mounted via their own products.

In other words, if you want security designed in from the beginning, the companies doing the designing need to have a financial motive to do so.

Yes, it would make software more expensive and less featureful. That's OKAY.

LessThanObviousDecember 11, 2014 1:12 PM

CISO is one of those roles many companies create just for compliance and appearances. Very few are given the latitude to provide real leadership. I see many in the media and in business taking attitude now that breaches are inevitable. In a sense that may be true, but taking that attitude only lessens accountability and willingness of business to make the tough expensive and inconvenient choices it takes to provide good security. My wish would be for business to finally decide that bad security is not a risk worth taking and realize that good security goes much further than being able to check all the boxes on the PCI compliance checklist. A really good CISO will get input from their staff and figure out where the gaps are that aren't covered by compliance. Maybe if we get that kind of leadership maybe we can avoid the current state of affairs where companies spend gobs of money on security and compliance and yet they are only one successful spear phish or vendor access breach away from total and catastrophic invasion.

AnuraDecember 11, 2014 1:48 PM

@G. Bailey

I think it varies based on the type of software. Getting a reputation for being unsecure and unreliable can hurt your imagine for a long time to come, even if you repair the damage. Making sure your software is solid before you release is a good business plan in many instances. The more customers you have, the more important that is. If you have fewer customers, say a B2B selling software to a few clients for expensive licenses, then reputation matters less and marketing becomes more important and it definitely gets murky.

I think the trick is to have processes which are certified to make sure that the software is thoroughly evaluated for both correctness and security, and developed in a way to minimize the number of issues that make it to production. This is something that both the corporate and the open source world are desperately in need of; in many cases, I'd say that open source has worse quality standards.

JustinDecember 11, 2014 1:49 PM

I don't really understand the role of a CISO. CIOs themselves need to be aware and cognizant of security issues when making general IT decisions. Otherwise you have a CIO making major decisions without considering their security ramifications, and then delegating "security" to a CISO who may not have much decision-making authority.

Larry S.December 11, 2014 3:25 PM

Financial corps, size don't matter, loves open source evenagelists, I mean the FreeBSD types. CISO is a relatively new position in the corporates; there are management types who's learned the technology, and there are technology types who's learned management. The management types are usually better at pushing things thru getting done. The products out there, there's just too much to worry about, even the technology types can't possibly know every details of whole spectrum of products involved; thus, it's equally important to hire and empower people that do. It's hard to work for somebody who has a good mix of skills. so...

I gotta go...

HenrikDecember 11, 2014 4:51 PM

"...here's her holiday wish list."

It would be nice if it really were "her", sadly all on that page were men, including the author. Has anyone worked out why exactly women don't do loads of jobs like this? Mostly because of sexism, or do women simply not like tech in general?

AnuraDecember 11, 2014 5:04 PM

@Henrik

I suspect it's just a legacy of US gender roles in American culture. I find that when I work in IT environments with large numbers of Indian immigrants, there is a much more even ratio of women to men than I work in an environment with a lot of US born people.

Nick PDecember 11, 2014 7:12 PM

Reports like this annoy me because I worked very hard to get into all kinds of CISO, IT, etc positions. I was "overqualified" or "underqualified" for the vast majority of them. There were always these BS requirements, a structure that gives the CISO little power to actually influence overall security, and/or pay that's more like a network admin. I ended up getting a job outside INFOSEC as I wasn't specialist enough for any of the positions in my area and all CISO-type positions had the above problems.

Now, I know there is some kind of shortage of supply vs demand. I just think that a bunch of it is created by senior management and HR decisions. This isn't limited to CISO positions: it happens for IT in general. So, one solution for many firms might be to simply quit disqualifying good candidates for arbitrary reasons.

Clive RobinsonDecember 11, 2014 7:36 PM

@ Nick P,

So, one solution for many firms might be to simply quit disqualifying good candidates for arbitrary reasons.

We have discussed this issue befor, and as I have said in the past the usuall cause of this problem is not the line managers or their managers but the "human remains" department.

In essence the HR Dept is more often a hinderance than a help in organisations where C-level and above execs are not founder/owners. The reason for this is the short term outlook of such execs who just want short term gains and don't care about longterm performance. I'll leave out the reasons for such behaviour, as again we have discussed some of them in the past and they quickly get very far off toppic.

Also HR Depts are responsible for the faux market of "product specific certification" like MSCE et al, which serves as a tax not just on individuals but organisations as well.

RARDecember 12, 2014 7:08 AM

@Justin

re: "Otherwise you have a CIO making major decisions without considering their security ramifications, and then delegating "security" to a CISO who may not have much decision-making authority."

I am not a fan of CISO's reporting to CIO's. (can anyone suggest a clever analogy to illustrate just how bad this is?)

The CISO must be able to challenge the CIO's decisions when needed. If the CISO reports to the COO or CRO then there is some hope of this. Even better might be to report to a board committee like internal audit does.

Clive RobinsonDecember 12, 2014 8:12 AM

@ Justin, RAR,

With regards CISOs reporting to CIOs, the only time I've seen this was when the CISO was a "make work" for "audit". That is a box needed ticking the CIO not wanting the audit crap on their desk "promoted" an admin, and usually the least effective one....

If you ar a CISO in the "under dog" position you only have two basic choices "Kill the Boss Off" in some way to step in their shoes, go find another CIO/CISO job with "board level" reporting. However if as many are, you are techie trained, do yourself a favour and do an MBA or equivalent so you can speak to them not just in words they understand, but also so they won't think of you as a jumped up no account techie... But just as importantly get to know the business from a business perspective, and temper your security advice accordingly, the board won't spring "share holder value" on security unless you can show high probability cause, and that it cannot be mitigated by other business processes or be used to show a real share holder return...

Oh and don't try any of that "if you know what I know..." DoD / IC crap on them, it won't work, for a couple of reasons, firstly they are --probably-- not "lifes failures" so don't do the "I'm a politico pay / bribe me" response routine, secondly they realy don't want to know, it's most often not "core business", they just want issues solved at the minimum short term cost. They see IT hardware and software licence costs dropping year on year they thus expect security costs to do likewise, it's your job to deliver it as the advert says "Simples".

Also have a look at how banks, insurance and finance houses manage risk on a day to day basis it might surprise you.

vas pupDecember 12, 2014 9:31 AM

This part of the article caught my attention in particular:"You need someone who can go into the board room and tell them they've got to spend money on security and m a k e t h e m l i s t e n." Yeah, that is broader problem in US to make listen (corporate bosses or legislators) to professionals not only in IT/Security, but any technology/science issue. Mostly, they have education in Business Administration or/and Law, and have no clue what all these (science/IT/security) about. As result, US is on 27th place in the world on math and most new positions in IT are filled in by immigrants from India, China, South Korea. My own vision is US have enough already investment bankers/hedge fund operators/Lawyers, but need more domestic grown professionals for science and technology. Thanks to God, sometimes public got collateral benefits out of gov structures such as DARPA, IARPA, InQtel + guys from Facebook and Google set up breakthrough annual award for scientists ($3 million per award). That is good sign. I just want to outlive to the time when scientists in US will be treated and known by and to general population as football/basketball players, Hollywood folks - you name it (in a pipe dream I guess).
@Nick P. 'Overqualified/overeducated' was set up and introduced by retarded people. They will bring country to the condition of 'Idiocracy' - you saw this movie I guess.

Gerard van VoorenDecember 13, 2014 5:40 AM

I like what James Beeson said in the holiday whish list:

"Every big organization struggles with simplification in my opinion. Security practitioners need to constantly push to simplify technology and process. This makes our lives easier, and drives efficiency and cost savings across the business."

In my work I also have to deal with lots of systems that all have their own security approach. It usually means logging into these systems, with a RSA key or something like that. It all works fine, however I of course don't know how secure it all is (think about the RSA key backdoor itself), but it complicates the overall user experience and it takes quite a lot of time and knowledge / training.

It would be a lot better if the security was built into the OS itself in a simple and uniform way. Security should be the basic layer of the OS so that applications don't have to deal with it their selves. An example of such an OS is Ethos but that is still experimental and the code isn't released yet.

Nick PDecember 13, 2014 9:07 PM

@ vas pup

"Overqualified/overeducated' was set up and introduced by retarded people. They will bring country to the condition of 'Idiocracy' - you saw this movie I guess. "

A friend told me to watch it. I both enjoyed it and was slightly depressed by it. Although a parody, it paralleled many elements of U.S. reality way too much. My friend said it bothered him for the same reason. Least it was funny and their retarded President commanded more respect than mine at the time. ;)

GwenDecember 14, 2014 4:17 AM

I came to this article by googling "CISOs being planted in US corporations" because I wanted to find out who are these people and where did they come from. My experience lately, working in many companies as a consultant, is they don't know security and they're not doing much towards making companies secure. I think Piper, Gunnar, and LessThanObvious have it right. There may be an influx of sociopaths into CISO positions. It's an easy one to BS your way into. I worked under a newly hired CISO once who had his 10 minute elevator pitch down. On the first day of meeting this guy you might be convinced he knows something. But three weeks later it's the same rhetoric and it's clear that he's no more than a talking head. Hired for compliance reasons to make the board feel like they have secuirty. On my last engagement I actually had a CISO say the words, "I don't need to know secuirty, I only need to know it conceptually. It's all about perception." I worked at a third company where the CISO didn't know what a BCP was, and he didn't know the difference between a pen text, a vulnerability scan and a risk assessment. He also couldn't write policy. He had no idea what they should say. He never heard of ISO or ISMS. After I wrote them for him the CISO went to our SOX compliance manager and said, "Now that they're written, what do I do with them?" Funny thing about this guy he's still with the company while every security person under him has left the company. Good security people are not going to stay at a company where they can't practice their craft. When good security staff work under a sociopath who cares more about his title, his nice office and his fat paycheck that he must protect at all costs to the point where he won't commit to doing anything for fear of failure and he resorts to politicking as his MO for job security, they won't stay and they company won't be secure. One common denominator I've found with these CISOs- they all came from Government, mostly federal. So I am wondering is DHS is somehow planting these "CISOs" in the private sector. Lastly on the gender issue. I LOVE technology and thrive being on the cutting edge of it. One problem it's hard to find companies embracing the new technologies coming forth in this tech paradigm shift we have now. The second problem is a sexist issue. Yes, it does still exist. I can't tell you how many times I've been brought on to clean up and do the work the men just don't want to do as if I'm their house wife. Like writing. Sorry, but information security and compliance today is a writing job-you have to document everything from policies and standards, to security plans, to IR reports, to remediation action plans and writting awareness training. Women get hired onto a predominately male security team and she's expected to be their note taker and tech writer, or to clean up after the organization by doing things like cleaning up Active Directory. I just landed in such a gig unwitingly and I'm going to be telling them to KMA (in a nice way, of corse) just as soon as I find the next one.

GwenDecember 14, 2014 10:32 AM

Also on gobs of money. In my experience I've seen a direct correlation between level of CISO incompetence and gobs of money needed. The more incompetent the more money needed. That's because these guys rely on the security vendors to tell them what they need to do. What vendor isn't going to love and take advantage of that "CISO wrapped around their little finger" situation? I've seen a CISO (a prior checklist auditor) whose security plan was a checklist of vendor product he had not yet purchased. Of the products already purchased some were powered on in the data center, some still in boxes, but none was being used effectively to control or monitor. Rather sad for an Identity Theft company with millions of subscribers. He's since been replaced. At a networking company I saw the same thing. The CISO spent his day setting his calendar, being dined by vendors and hitting balls at Top Golf with vendors. Primary and secondary data centers, and all field offices were equiped with Checkpoint firewalls built to the hilt with every blade Checkpoint offers. Fine for the data centers, but the network was hub and spoke-field offices came through corporate to get to the internet. There was no need, for example, to have IPS blade in the field offices when it was there at the perimeter in the data centers. Fortunately the CIO fired him at license renewal time. I took over, saw what he had done, eliminated the unnecessary blades and reduced the cost of their Checkpoint renewal by a third. I don't care what anyone says, Information Security is a technology field. It's by technology that these large breaches occur and it's largely through effective technology deployments that they can be prevented. And it doesn't have to cost gobs of money. There are plenty of good open source product. OpenVAS, OpenDLP, OSSEC, and OpenSIM can be used effectively in a budget pinch. But deploying these takes technical know how. You have to know how to deploy a linux VM, know linux, more manually install these open source tools, and know a little bit of regex. But there's security teams out there that hide their technical incompetence by saying they don't do, they tell others what to do, and their role is only to provide oversight. I say that's bull. And we wonder why security is so bad at many companies? This, IMO, is a big reason why.

GwenDecember 14, 2014 10:48 AM

So add to the Court Jester and Road Kill CISOs the Shopping Bag CISO and CISO Pontificator. Why am I so vocal about this? Because I've been doing security for 25 years. Since the days of TCPWrappers, TIS FWTK, Balista, 10Base5, etherreal, McAfee 2.0, and SNMP Walk was done at the command line. What I am seeing today completely disgusts me.

Nick PDecember 14, 2014 11:50 AM

@ Gwen

Nice post. The Sony Pictures security team having 3 technicians overseen by 7 or 8 managers, directors, a VP, etc. further substantiates your claims. The companies need people who understand both the technology, the risks, and how to handle them. Then the companies need to let them do their job. This simple requirement is rarely met.

And your mention of TIS is appropriate: they were a great INFOSEC company, esp with old school methods. Trusted Xenix was the first UNIX I even slightly trusted. They and Secure Computing Corp. both epitomized doing everything you could for assurance while still being practical and supporting common applications. Modern vendors could do well to take a page out of their book. Sad that they were both absorbed (and largely destroyed) by McAfee.

tzDecember 14, 2014 9:49 PM

It is not a matter of testing.

The only time you hear about security failing is when it does publicly and/or catastrophically. Sony?

The other problem is that a bottle of painful chemo drugs is more expensive than laetrile. The latter equivalent of doctors or the C-security-O also charge less.

I often contact. There was no CSIO, but even when there was, I doubt I could get into his office or email to report the glaring neon sign security flaws I stumbled across - I wasn't hired to pen-test but just noticed things. I might be dumped and the things hushed.

vas pupDecember 15, 2014 10:44 AM

@Gwen:"That's because these guys rely on the security vendors to tell them what they need to do." Yeah, I guess they were not familiar with this popular statement: "Never ask your barber that you need a haircut". Some precautions could be taken: separate diagnostic (security or any other problem, e.g. health, car problems) from treatment (fixing the problem by open bidding process by several vendors/doctors/mechanics). Never ask advice from somebody who is interested/benefited in your decision.

uh, MikeDecember 17, 2014 7:17 PM

I have the good fortune to stop working and care for myself and my family. I have the talent, but I can't hack the social scene with the execs and sycophants. So I just watch. Thanks for the show.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.