SN 754: The Internet of Troubles

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I think I see one problem with the open voting software from Microsoft; the code that you can use to track/verify your vote. It makes it possible for someone else to see how you voted if they get the code, which I can see happening if someone offers money/free-speech for you to vote for someone.

Or am I misunderstanding how this on-line verification works?

TLDR: Today I learned what a CISO is and that they are unhappy. Isn’t the reason that the position is at the wrong flight level and the poor person is exposed to too many different types of stress?

Listening to SN today, I first heard of the position “CISO” (Chief Information Security Officer) and was pretty surprised that a) such an executive position existed and b) that I had never heard of it. Likely an oversight on my part. Consequently you may assume that the below is written from a blissful position of ignorance - but I hope these might help reflect on what may be merely grown but unquestioned structures. Learning about the troubles of the CISO was interesting, too. That’s the real reason I’m writing this.

Am I the only one thinking that the troubles of the CISO and its … peculiar position “way up high” go hand in hand? I mean: information security is a thoroughly specialist and pretty operative topic, especially in the heat of it. Of course, when information security is being considered as part of culture and systems, it can reach a dimension in which it is of strategic importance. But preventive measures are hardly ever a part of the competitive strategy of a company (and thus represented on the executive board) - it’s a critical hygiene factor of operations. Except for when security is your core strategic asset, information security is not a tool to generate (but certainly: defend) competitive advantages. And even if security is your core strategic asset, would you not position IS then as part of operations, product, or portfolio?

It goes without saying that I don’t mean disrespect to those holding the positions (neither the intent nor the option is there, I mean - they are the CISO, they read my mail!), but given the report on mental health and happiness, I was wondering whether the “CISO” is not just another side-effect of chief executives either a) relieving themselves from the duties of what the IS gal or guy needs to do, but not them, b) communicating externally that “IS is super important to us - look, we even have a person for that!”, c) maybe even pushing down insurance fees, or d) promoting a great person without a pay raise into a “position that is much more valuable than money”.

Since my point is no disrespect, time for me to come up with the real one: it’s a question that wonders about the solution. Is it sensible to put information security in the executive board? It does not help with generating (but defending!) competitive advantage. It may even be questioned whether his position helps the CISO to create better IS solutions when working administratively. To a degree, it absolves everyone else from not caring about IS. But, most critically: the situation forces the poor person to endure at least three types of stress - their highly specialised professional stress, a constant paranoia of being attacked out of the blue with disastrous impact on his or her company, and the substantial political and administrative stress of the board room where no-one gets him and everyone thinks he is a kill-joy worse than legal. I wonder whether IS might not be best implemented as a staff unit to the CFO. This is where the true power is in most organisations, there is an immediate and traditional connection between finances, cash-flow, operations, legal, and security, and our colleague in IS would (hopefully) have a strong executive protege, less weight on their shoulders, and at least half of a good night’s sleep.

I am aware that a board position can be fashionable, but - from afar - some offered positions seem downright sadistic. We need our IS people to keep their minds and health together, looking at the state of the challenge.

It is a unique, one-time code given to the voter at the terminal. It should be hard to decipher and guess a valid code, if it is done properly.

If the voter gives up their code to a third party, that is their decision and their right. If they are coerced into giving the code to a third party, that should be made illegal, if it isn’t already (I’m not a lawyer and I don’t live in the USA, so I’m not up on US laws per se).

It is still mainly a position in US companies or large, US-based conglomerates. It is still fairly rare outside the USA, AFAIK, especially in countries like Germany which have a majority of companies in the SME (Small to Medium Enterprise) arena, where many C-class positions don’t really exist.

From an outsider’s perspective, it looks like the position has been generated in order to create scapegoats for the inevitable hack/data leak/crypto virus attack. One part of their job, for example, is covered by the Datenschutzbeauftragter (Data Protection Officer, DPO), which is a protected job (you can’t be easily fired) in Germany.

On the other hand, Information Security, as opposed to Information Services (IS for the last 30 years, having replaced the IT nomenclature in the early 90s) is a company wide subject/activity. It needs to include every employee in the company. It covers IT and technical infrastructure, but also user behaviour and corporate policy.

Therefore a CISO role is a possible way of formalizing it, if the company is big enough. Where I have worked in the last few years, in Germany, the role is taken on by a mix of the EDV manager (IT/IServices), the DPO and the Managing Director (Geschäftsführer / CEO) in SMEs.

Absolutely.

2 Likes

I’ve worked in a few companies with CISOs, and worked with CISOs on a couple of occasions. Putting Infosec up at board level is a double-edged sword - it means infosec projects have real weight in the company, but also a lot more scrutiny. The fortunes of said projects and the company’s future security capability also lean heavily on the CISO’s ability to make a good sales pitch or to defend security initiatives in a high-pressure situation.

I have seen one situation, many years ago, in which the CISO’s efforts over a few years led to a massive uplift in security maturity level - everything from password policies and screensaver lockout to external monitoring, SIEM, server patching, etc. - but whose initiatives were mostly rolled back and dismantled when a new CIO was hired who took a dislike to the CISO and had him fired. That wasn’t about a security breach, just company politics. In that case, the CISO owned a lot of what we would now refer to as ‘security architecture’ within the company, although it was never called that. Even when it was going well, I think it was a difficult job as sometimes even low-level technical work would get axed and then later reinstated, apparently because of things that happened at a board meeting. On balance, in retrospect, it is hard to tell whether it wouldn’t have been better to have an ITSM who was less high-profile and thus less subject to sudden changes in direction.

Subsequently, I’ve seen the CISO role appear in bigger companies and develop into something much further removed from day-to-day running, more like the manager who sits above various other IT security related groups in the organisation, where the organisation has a whole tower (multiple levels of management and groups/subgroups) for dealing with various aspects of security (e.g., in a bank). I have no doubt it’s still a very stressful job, but I think that is where it makes sense, because low-level issues like password policies are far enough removed from that kind of CISO’s position for him/her to be able to say “let me take that feedback to the relevant group” rather than “oh, alright, I’ll change the policy then.”

1 Like