The Equifax Breach, another case for professionalizing Information Security


One of my part-time hobbies is pushing to professionalize the Information Security profession. Admittedly, it is a lonely pastime and not nearly as exhilarating as it sounds. I wrote a multi-part article about the topic called “What does Information Security have in common with Eastern Air Lines Flight 401?” Allow me to quote myself:

Providing businesses with trained professionals (not only in the technical aspects but also in the business aspects), combined with certification on a national or global level delivers to the business some basic assurance.

However, the largest benefit comes from elevating the field into the business arena, where businesses are aware of, better understand the role of, and are able to fit Information Security into the proper level of business process.

It would seem that Equifax fits both of my use cases. Let us take the first case, professionals trained and certified in both the technical and business aspects.

It appears the Equifax CISO held a BA and MFA in Music Composition instead of a Computer Science degree. The blogosphere has blown up into two camps regarding this revelation. The first camp thinks her hiring into that lofty position with no apparent certification, related education or history was a “diversity” hire. The second camp believes degrees and certifications say nothing about a person’s ability to perform a function. They claim plenty of people have diplomas that share little in common with their current career path.

I find myself with a foot squarely in both camps. I do find it amazing that a company such as Equifax did not have a seasoned CISO with abundant bona fides. To the detractors in the second camp, care to bet whether the next CISO has both a CS degree and relevant certifications? Aleksey Korzun had this take on his blog:

Unless the person is a world-renowned security expert with decades of management experience, and a public track record that goes on for miles — the idea of putting a BA in ‘Music Composition’ in charge at that level and in that kind of company is irresponsible and borderline criminal.

In the second camp, Brian Fung published an article in The Washington Post titled, “Equifax’s security chief had some big problems. Being a music major wasn’t one of them.” Actually, Brian… it surely could have been. To be fair, we do not know the full details, so it appears foolish to be so sure it either was or was not a factor.

Equifax is not some small startup with a database of emoji to protect. Every CISO position I was ever recruited for required a CS degree or equivalent years of experience. In addition, each required at least one professional certification and most desired two. I have also been asked more than once to help interview prospective CISO candidates. I can assure you everyone on those interview panels took related education and certification into serious consideration.

Those in camp two, who are blogging and tweeting about being self-taught, are exactly what is wrong with the Information Security industry. Being self-taught is not the problem. We are all self-taught. Do people really think you pop out of college with a complete, comprehensive knowledge of your craft? Do people think that if one has a degree or is certified, one is somehow done with any need to self-illuminate?

Regardless, the CISO experience is not that of the network administrator, the coder or even the hacker. It is a subtle blend of business skill and technical acumen. I feel certain in saying that the majority of self-taught router experts did not then go and self-learn how to perform corporate risk assessments.

People in IT and corporate executives too often equate the CISO position with normal IT line positions. That is why the reporting structure is usually wrong and why people think having only a music degree could prepare one for the CISO role.

Now let me align with the second camp. It would be just as silly to say that a degree or certification can prepare anyone fully for the role of a CISO. I would suggest that certifications do provide proof of further study and engagement. I can guarantee that anyone studying for and testing out as a CISM or CISSP will learn valuable lessons, lessons they did not inherently get being self-taught with a copy of Kali. It also means you are now committed to continued learning to keep your certifications active.

Yet, no degree, no certification and no self-taught guru will prevent every breach. We should all realize by now that is not going to happen. Do we blame the CISO because patch cycles are not up to date? Maybe, but those who so easily do are exposing their lack of practical knowledge of an operating business, especially large complex businesses.

Very few businesses define a single gold standard and remain inflexible to that standard. On a routine basis, businesses are moving pieces to a cloud, connecting to third-party partners, and bringing in new applications that require special hardware or operating systems. A business that says no to these changes is soon out of business. It is excessively easy to blame the CISO when, in fact, they usually have no authority over these operational decisions. That brings me to my second use case.

Professionalizing’s largest benefit comes from elevating the field into the business arena, where businesses are aware of, better understand the role of, and are able to fit Information Security into the proper level of business process.

Kevin Townsend’s post on the Equifax Breach rightly reflected, “I shall expect to see the CEO also go as soon as possible.” That is not likely to happen, because the business is still isolated from Information Security. I fear regulation is the only alternative to professionalizing the industry, and you can probably surmise the ills of heavy regulation. Allow me to quote myself again on the professionalizing path:

No longer would Information Security be just an IT problem, but what it actually is: a business problem. When businesses undertake Information Security like any other business risk, businesses enhance their level of security; this enhancement flows down to the products and services they deliver. When the current ad-hoc approach is exchanged with a holistic approach, it benefits the business, the industry, the consumer and the nation.

Update: Kevin's expectation fulfilled:

September 26, 2017

The Board of Equifax Inc. (NYSE: EFX) today announced that Richard Smith will retire as Chairman of the Board and Chief Executive Officer, effective September 26, 2017.

One breach (albeit a big one) took out a CIO, a CISO and a CEO. Wow!