Brigadier General (retired) Gregory Touhill was the first federal CISO of the United States. Fresh from that role, he gave an interview to the Information Security Media Group (ISMG) during a visit to RSA 2017.
He made a comment that did not surprise me, but it should send a shockwave through both the Information Security profession and the top levels of business management. Unfortunately, it will not. I am in total agreement with Brigadier General Touhill when he stated:
“When taking a look at the root causes we have to deal with... over 95% of incidents in both the public and private sector that we dealt with, you could make the case that carelessness, negligence or indifference within their own ranks is more of a cause of a problem than advanced persistent threat (APT).”

Too often in business, Information Security is a bolt-on, an ancillary task side-loaded into a business after a decade of best-practice neglect. Information Security takes that same backseat role in modern agile development under the principle of JBGE (Just Barely Good Enough). Those two areas combine to solidify an insecure foundation for the products produced and services provided. I highlighted one small example in How vendors empower weak security.
Alongside the comments of Mr. Touhill, Security Week recently highlighted an IANS Research model of high-performing CISOs. In the article Research Unearths 5 Secrets for Higher Performing CISOs, Kevin Townsend summarized the 5 secrets from the IANS research as:
- Lead without authority
- Embrace the change agent role
- Don't wait to be invited to the party
- Build a cohesive cyber cadre
- It's a 5 to 7-year journey to high impact
Brigadier General Touhill had this advice for executives at all levels:
“.. take a look at cyber security as part of your risk management construct. Pay attention, do the right things and follow-through”

If you’ll permit me, I’ll add my own comment for executives:

“Consider how you embrace Information Security. Pretend you are coming out of a major security breach that impacted budgets and/or reputation. What changes would you make to integrate and evaluate”

Of this I am sure: the Brigadier General is a wise man. When asked what he would be doing next, he replied, “I’m doing whatever my wife tells me to do.”