Do we really need a CSO?
Dear CEOs,
I know that you feel that security is important – something which was not always the case in all the years I am working in the industry. But you changed your mind and this is great. But I know as well that you rarely feel comfortable, when it comes to working with your Chief Security Officer as he (or she) is rarely very communicative and able to explain the risks to you. And when he does, he often gets lost in tech-talk and really irrelevant risks for you. I completely understand that. Therefore I know that we in the industry need to change. We need to get closer to your world and help you to be successful.
I understand this. However, this story has two sides: Dear CEO, you need to start to try to understand my world as well – and let me tell you, it can be really, really ugly. I will give it a try.
There are different people playing in there who do not want to do you good. They are criminals. Period. We have vandals out there who want to get access to your data or deface your website just because they can and because they think it is fun. I know, they should be (and are) easy to defend. But there is more. There are hacktivists out there – and they often react on statements you make and they feel like they disagree. They will join forces and attack your infrastructure. Then there are criminals and they are all about money. Everything they can grab and sell, they will as long as the business case works. And they can rely on a vivid underground market, where they join forces and can sell and buy services. Then we find the terrorists, where we do not yet know, where they will go. And finally the government. Well, I guess you read enough about the governments, so that they are fairly known to you. But are you sure? You told me that you are worried about industrial espionage – I am really worried about sabotage. You tell me that we are not in the focus – this might be true but we use the same technology as other companies in other countries and the devices we build upon are all developed in a small set of countries and manufactured in another small set of countries.
This is part of my world and the daily fight I am going through. Now, what does that mean for you? We need to get the basics right – no matter how our financial results look like. We need to get the basics around patch management, lifecycle management, identities etc. right. Oh, I just forgot: What about the inventory? During recent incidents it took us days to find that bl**dy server spreading malware and figuring out, who is owning it. We need to fix this jointly.
So far so good, right? Now let’s go to the heart of my issue. Let’s talk about trust. Trust in your security organization. What happened during the recent targeted attack, where we wanted to understand the attacker first, before we stop the bleeding? Ever thought of the attacker leaving a virtual bomb in our infrastructure in case he gets kicked out? Or the attacker having installed a second backdoor in case we close the one we know? Tough decisions, leave them to the pros…
Now to the real reason I wrote this letter: This morning, I read about a study on how you think. Majority CEOs unwilling to share cybersecurity information with outsiders. Let me tell you a secret: Incidents happen in all the infrastructures, every company gets breached and we need to assume breach when we go forward. But the situation is worse: The bad guys share their knowledge, share their intelligence because it helps them. We do not – because you do not dare to as incidents do not happen by definition. This is fundamentally wrong! We can only win this, if we leverage the joint knowledge and if we work together. If I read that more than half of your colleagues do not want to share security information with other friends, then we are on the losing edge (I know that you are part of the other 50 percent). We need to work together and we need to leverage that we know more about our network than the attacker (at least I hope so – and this is my job).
So, let’s start to work together, dear CEO, to get this done and fixed. Together we can change the game but we need to be brave!
Regards,
Somebody in the security industry
Related posts
