Notes from the Front Line: CISOs Share their Problems and Prescriptions
June 13, 2014
- The NSA leaks have created new opportunities for non U.S.-based cloud providers.
- Developing people and political skills among IT security pros is equally as important as developing technical skills, but it is often overlooked.
I had the good fortune to attend the CISO Forum in London this week and as usual it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-Suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security and more.
The meeting fell roughly on the first anniversary of the initial NSA leaks, and I used the occasion to ask the panel of esteemed CISOs whether the leaks have had an impact on their security policies and operations, and whether they believe they have changed the level of trust their enterprises have when working with U.S.-based suppliers. Reactions ranged from nonchalant to vehement. One CISO quipped: “It’s slightly easier to get encryption in place.” And more than one said their organizations flat out refuse to work with cloud providers that are headquartered in the U.S. In fact, as one panelist pointed out, it has opened a huge opportunity for some European cloud providers to make inroads against U.S.-based cloud providers. Switzerland in particular is seeing a massive industry growing around building non-U.S. hosting facilities.
The discussion on the skills shortage highlighted an interesting problem that is not often discussed: the lack of political or social skills among security professionals when dealing with end users or line-of-business groups. One panelist noted that the industry has focused on developing technical skills, but not people skills. For his organization there is no shortage of technical skills, but he noted that, “We forget at end of the day it is human interaction that makes us a success.” Another panelist noted that his organization has invested in putting customer service-trained people on the front lines and teaching them the ins and outs of the technology. In general, enterprises typically either invest in developing security skills, or they lure skilled workers away from their competitors by offering fatter paychecks. For the record, I think all organizations would be better served by investing to develop IT security skills, and by working with industry groups and higher education, rather than just poaching someone else’s talent. ISACA, by the way, is doing some great work in this area around developing entry-level training programs.
Other random thoughts from the CISO Forum: Do enterprises need a CISO? One panelist pointed out that some 60% of the Fortune 100 do not have one in place. And as far as sea changes in the information security industry are concerned, don’t look at the Target breach as a catalyst for increasing investments in IT security commensurate with the threat level. The CEO lost his job not because of the breach, but because Target mis-executed in its bid to expand into Canada.