Michael Scheidell

• Member Type(s): Expert
• Title: Chief Information Security Officer
• Organization: Security Privateers
• Area of Expertise: Infosec, privacy, compliance, business
• Member: ProfNet


Lessons from a Frog and an Ostrich

Friday, March 21, 2014, 7:48 PM [General]

We have all heard that an ostrich will bury its head in the sand when frightened, ignoring the danger around it with an ‘out of sight, out of mind’ attitude. You have also heard warnings based on the story of how a frog will sit in a pan of water and, if the temperature is increased slowly, will stay there until it boils.

These are stories we tell our children to impress upon them the importance of danger signals, and of continuing to pay attention to the situation around us even if it is only a little uncomfortable right now.

Recent revelations that the CIO for Target resigned, and that executive management is revamping the Information Security team to include a CISO, coupled with stories about Target ignoring malware warnings from its newly installed FireEye system, bring these stories to mind. Didn't the CIO ever have story time in kindergarten? Where was the InfoSec team when these alarms were going off? Did they have their heads in the sand, or were they overwhelmed with alerts and vulnerabilities?

No doubt the Target CIO was eminently qualified for her position. You aren't given that responsibility without a proven track record in large-scale ERP and delivery systems. Should she have taken the blame for this failure, or was this an overall failure of the culture at Target? Why didn’t Target have a CISO? They spent almost $2 million on an anti-malware system that they then ignored. Would moving Information Security out of IT and into Enterprise Risk Management have helped?

Why did the CIO hang onto Information Security when the Federal Government has mandated CISOs for all agencies? Are major organizations finally moving towards giving the CISO a seat at ‘the big table’?

Back to the Frog and Ostrich:

No ostrich has ever been seen in the wild with its head in the sand. Either this works very well, or the ostrich is smarter than its human counterparts.

The same goes for the frog. A slight increase in temperature and the frog will jump out of the pot. It seems that only humans will happily ignore the increasing danger around them until it is too late.

The size of your organization will dictate the size of your executive management staff and of your round table. A small organization may have one CTO/CIO/CSO handling all of these functions, much as it may have one VP of Sales and Marketing. Larger organizations that rely on technology have already split the CIO and CTO functions. It is time to help your organization by working with your existing InfoSec staff, asking them what they need, and implementing a mature InfoSec program that includes a CISO, instead of endlessly chasing vulnerabilities and malware.

Will a CISO fix all vulnerabilities? Is this a 100% guarantee? No, but CISOs are better equipped by training and temperament to deal with the rapidly deteriorating information security environment. And they can be your best friend.

InfoSec professionals: re-read your CISSP CBK book and see where your organization’s InfoSec maturity stands. Help your CIO by focusing on Risk Management, not Security Management. You will never fix all the holes, but you must help your Executive Management team prioritize and control risks.

For reference, please see:

Bank Info Security: “How much is a good CISO worth: The story of the SC DOR.” For lack of a salaried CISO, the SCDOR’s breach cost them $20 million. www.bankinfosecurity.com/blogs/how-much-...

This article, from nearly 4 years ago in SC Magazine: “Want to reduce IT Risk and Save Money: Hire a CISO” www.scmagazineuk.com/want-to-reduce-it-r...

Target CIO resigns, looks for security and compliance makeover: www.darkreading.com/attacks-breaches/tar...

Frog fable brought to boil: conservationmagazine.org/2011/03/frog-fa...

Animal myths busted: kids.nationalgeographic.com/kids/stories...

To achieve good security, you need to focus on business

Tuesday, September 10, 2013, 5:46 PM [General]

In September 2001, as the Nimda computer worm devastated networks worldwide, we in IT security thought that management would finally wake up and see how important it was to secure our networks. They would begin to pay attention to the warnings from their network security staff, we thought, and we would finally have the budget we needed and recognition for what we do. But we were wrong.

In 2003, the Slammer worm shut down ATMs, call centers, even 911 emergency dispatch centers. People died. “We would finally get the CEO’s and CFO’s attention,” we thought again, and we were wrong again.

In the next 10 years we witnessed a succession of worms, Trojans and viruses shut down and compromise Department of Defense networks, banks and nuclear facilities. We are constantly told that our critical infrastructure is at risk: terrorists can take control of our railroads, power systems and other critical infrastructure. The time has finally come for management (and the world) to listen to us!

We held seminars and Gartner symposiums with CIOs around the world. We wrote whitepapers. Cisco, Symantec, IBM and 3Com spent billions building or buying technology to stop the attacks and secure networks.

And… it didn’t work. Nothing we did could stop the attacks. We made laws, fined people, and increased penalties for hackers. We held companies liable for leaking personal private data and made them pay millions in fines.

Then we (and I speak here as a CISO with 20 years of experience) blamed management.

Surely, it was the CEO’s fault for not understanding cross-site scripting, SQL injection, APTs and other risks associated with the Internet.

Maybe it was the CFO who didn’t understand that it’s impossible to calculate the ROI of securing the network. So we tried to come up with a strange formula called Return on Security Investment (ROSI), but the CFO saw through it and called our bluff.

We had CISO and CSO forums, councils, worldwide meetings, whitepapers, and endless PowerPoint presentations, all to come up with programs to educate the CEO and CFO. We came up with simple marketing slogans like “self-healing network”, “Security Transcends Technology” and “Security is a process, not a product”. Whole companies were created to teach the CEO and CFO.

But ultimately, the CEOs and CFOs weren’t the problem; we were. CISOs, CSOs, and VPs of Network Security didn’t understand business. We refused to see that ROI was, and has to be, the driving factor for the CEO and CFO.

We need to learn their language rather than attempting to make them understand ours. We need to understand senior executive management. We need to align our priorities with theirs. It is not our job to lock down the network, keep the hackers out and prevent data loss. That should be a side effect of our real priority, albeit a unique and valuable side effect that only we can achieve.

Our real priority is to help our $750 million company become a billion-dollar company. We can’t stop running with scissors; we have to run faster, and we need to make them sharper.

Too many failed security initiatives have cost the company money and have had little or no effect on the ability to protect company property or client privacy. In some cases they have actually hindered the company mission.

Consider the TSA in the United States. Its mission statement is “Protect the Nation's transportation systems to ensure freedom of movement for people and commerce.” So, have you flown lately? How is your “freedom of movement” at the airport? There is a 3-year-old girl with spina bifida in a wheelchair who will never threaten the transportation system again, because she is terrified to enter an airport after her experience of “freedom of movement”.

Most IT security initiatives have taken their eyes off the ball. They focus on “prevent” when they should focus on “enable”.

We need to add real value to our company, showing that a properly run security and privacy group can reduce costs, increase customer and user satisfaction and drive revenue. We need to take some courses in finance and learn about CapEx and derivatives. We should live with the following six financial terms stapled to our foreheads (or at least on our screen savers): Bottom Line, Gross Margin, Fixed versus Variable Costs, Equity versus Debt, Leverage, and Capital Expenditures.

Once you understand the priorities of the CEO and CFO, you can prioritize security budgets. Now you have the advantage, because you understand both the security implications and the financial implications. If your security initiative breaks the bank, or makes people want to drive (to a competitor) rather than fly with you, you have failed.

Keep things in perspective; keep your eye on the ball. You can become the most important member of your firm’s executive management team if you can achieve this.