Notes from the Front Line: CISOs Share their Problems and Prescriptions

Paula Musich

Summary Bullets:

  • The NSA leaks have created new opportunities for non-U.S.-based cloud providers.
  • Developing people and political skills among IT security pros is as important as developing technical skills, but it is often overlooked.

I had the good fortune to attend the CISO Forum in London this week, and as usual it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long-running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-Suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security and more.

The meeting fell roughly on the first anniversary of the initial NSA leaks and I used the occasion to ask the panel of esteemed CISOs whether it has had an impact on their security policies and operations and whether they believe it has changed the level of trust that their enterprises have when working with U.S.-based suppliers. Reactions ranged from nonchalant to vehement. One CISO quipped: “It’s slightly easier to get encryption in place.” And more than one said their organizations flat out refuse to work with cloud providers that are headquartered in the U.S. In fact, as one panelist pointed out, it has opened a huge opportunity for some European cloud providers to make inroads against U.S.-based cloud providers. Switzerland in particular is seeing a massive industry growing for building non-U.S. hosting facilities.

The discussion on the skills shortage highlighted an interesting problem that is not often discussed: the lack of political or social skills among security professionals in dealing with end users or line of business groups. One panelist noted that the industry has focused on developing technical skills, but not people skills. For his organization there is no shortage of technical skills, but he noted that, “We forget at end of the day it is human interaction that makes us a success.” Another panelist noted that his organization has invested in putting customer service-trained people on the front lines and teaching them the ins and outs of the technology. In general, enterprises typically either invest in developing security skills, or they lure skilled workers away from their competitors by offering fatter paychecks. For the record, I think all organizations would be better served by investing to develop IT security skills, and working with industry groups and higher education, rather than just poaching someone else’s talent. ISACA, by the way, is doing some great work in this area around developing entry-level training programs.

Other random thoughts from the CISO Forum: Do enterprises need a CISO? One panelist pointed out that some 60% of the Fortune 100 do not have one in place. And as far as sea changes in the information security industry are concerned, don’t look at the Target breach as a catalyst for increasing investments in IT security commensurate with the threat level. The CEO lost his job not because of the breach, but because Target mis-executed in its bid to expand into Canada.

About Paula Musich
Paula brings 20 years of experience in the networking technology and management markets to Current Analysis clients. As Senior Analyst for Enterprise Network and Security, Paula is responsible for tracking and analyzing the evolving technological and competitive developments in the threat management segments of the information security market. Paula is responsible for coverage of the Anti-X, IPS, DLP, secure messaging, and Web security markets. In addition, she covers major technological, strategic and tactical developments in the enterprise networking market.
