SRM Blog

How a CISO can exert influence at board level

Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” As he is perhaps best remembered for his infamous ear-biting antics, he is unlikely to be a role model for many of today’s Chief Information Security Officers (CISOs), but the former heavyweight boxing champion does have a point. The biggest challenge faced by CISOs today is not the need to defend against known risk, but to identify the potential gaps in their own strategy. In short, to intuit what may be the ‘unknown unknowns’.

Because it is not simply a question of rolling with the punches. Like any good boxer, the CISO’s best defence is anticipation. They need to step back from individual skirmishes and establish a strategic defence from potential blows which may not even have yet been considered, even by their opponents. And the most valuable skill they can possess to facilitate this? It is not a heavyweight knowledge of the information security domain, but the ability to influence.

For while protection against known risks can, to an extent, be delegated to the wider CISO team, the senior CISO cannot dodge the essential forward-thinking leadership role required. They cannot simply oversee comprehensive risk analysis, the integration of appropriate security tools and the development of a security culture; they must also ensure that they influence in such a way that priority is given to the organisation’s defensive strategy.

So, in addition to a high level of technical expertise, a thorough understanding of the business model and an ability to mitigate risk, the CISO needs to articulate the state of information security to the company stakeholders and lead employees. They need to do this to ensure that resources are available to defend against the (as yet) unknown. And for this the CISO must possess influence; and that influence needs to be at board level.

Now few would argue with an irate Tyson but in reality his approach is not usually the best model for those wishing to exert board level influence. Influence comes from confidence – both inner confidence and the ability to engender confidence in others. If fellow board members consider the CISO to be fully informed and strategically prepared, they are more likely to listen attentively. If they feel that funding and time are requested in a pragmatic way, with no unnecessary extras, then they are more likely to allocate resources.

The VirtualCISO™, developed by SRM to meet this need, provides CISOs with all the resources and tools necessary to fulfil their role at the highest level. But it also provides strategic guidance from a designated highly qualified industry expert with an excellent knowledge of the wider sector and a detailed knowledge of the businesses with which they are working. Through collaboration and understanding, a detailed and cost effective road map can be developed, arming the CISO with the muscle required for board level influence.

The buck stops here: advice for the new CISO on campus

As Universities return for the beginning of a new academic year, never has the role of Chief Information Security Officers (CISOs) been more important. Some will be continuing an ongoing strategic campaign while others may be settling into new roles and, quite frankly, may be wondering what on earth they have let themselves in for.

Because not only are they expected to be responsible for the strategic leadership of the University’s information security programme, they are also required to anticipate and respond to the fastest-moving environment on campus without ever getting it wrong. A single breach can have serious financial consequences and a lasting impact on the reputation of the University.

Like any business, a University’s reputation is a precious, and marketable, asset. And like any other business, its employees have other jobs to concentrate on. Those who work in a University environment know that academics are not always the most collaborative of souls; some even likening managing whole-campus efforts to that most difficult of tasks, namely herding cats.

Yet, working in collaboration with everyone from the maintenance crew to the senior professors is essential. Because, without their full involvement, precious information cannot be protected from some of the most intelligent and ingenious minds of a generation who, for whatever reason, have opted to use their talents for the Dark Side. Cyber criminals and the webs they weave are not only brilliantly clever, they are also constantly evolving.

So, where should a newly appointed CISO begin? Here is a suggested plan of action for the first 30 days:

  1. People: get to know the people you need to have good working relationships with. These will include your colleagues in the IT department as well as key stakeholders across all other departments;
  2. Job description: review your job description. This will tell you what is expected of you, but it is important to ascertain what may have been omitted so that you can pre-empt any resource issues;
  3. Resource: assess the resources of the IT security department and review its existing services and activities. Now is the time to establish what you have or are reasonably able to establish, as well as what additional resource or expertise you may need to contract in;
  4. Guidance: access all available guidance but be cautious about believing everything you read. Prioritise advice provided by industry experts with a proven track record and experience in this particular field;
  5. Belt and braces: think strategically about how your department can, from the outset, fulfil its designated role: ensuring the safety of all personal data, information and systems. The buck stops here;
  6. Register with SRM to receive updates on the role of CISOs in Universities.

VirtualCISO: the philosophy of product development

The Dalai Lama said: ‘When you talk, you are only repeating what you already know. But if you listen, you may learn something new’. It is, of course, doubtful that he was thinking of the world of information security when he came up with these words of wisdom, but they can and do apply to all of us involved in this constantly evolving industry. And nowhere more so than in the sphere of product development. After all, coming up with a product or service because it makes sense to the developer is a bit like repeating what you already know. Whereas, working on a new service with major input from existing clients, responding to a genuine gap or problem, will in turn meet a genuine need.

That is how SRM set about developing its VirtualCISO™ service. As an organisation, we do not sell products or impose structures on clients; we work with them. And through this approach, we build good working relationships based on a thorough knowledge of their businesses and the understanding that we are there to support, guide and facilitate them in achieving their goals. Our consultants never sell services or products their clients do not need. In short, they don’t talk; they listen.

So it was a natural development when our consultants were increasingly hearing requests from Chief Information Security Officers (CISOs) for support with their roles. At one end of the spectrum are those who simply want the whole problem effectively managed by an expert team. Others, for example, know what they need but want strategic guidance for long term plans or support in the board room. Because as the world of cybersecurity becomes increasingly challenging, so has the role of CISO. In blunt terms, the buck stops with them and that is particularly daunting when that individual is to be held accountable for any single breach of the company’s defences.

Through collaboration and listening we know that the challenges faced by different CISOs vary. But by pooling the accumulated wisdom of their collective experience, as well as the knowledge of our highly experienced consultants, we are developing a service which will provide users with an unrivalled resource to address specifically identified existing problems while also enabling them to pre-empt potential future issues.

After a development phase lasting many months, we are delighted to be able to say that the VirtualCISO™ will soon be launched to a wider market. We have worked with, listened and responded to the needs of all types of business: large corporates, SMEs and micro businesses as well as national government, health and educational institutions. And while their specific requirements may vary, the VirtualCISO™ has been developed to be flexible and responsive to this wide range of need.

Look out for an announcement at the beginning of Q4 2016 that the VirtualCISO™ is live. If, in the meantime, you would like to be involved with the last stages of product development or have any specific questions, please contact us.

Multi Factor Authentication – why is this something that is so commonly misunderstood?

“The single biggest problem in communication is the illusion that it has taken place.” said George Bernard Shaw. This can be true in so many aspects of life and unfortunately, it is all too often reflected within the world of Information Security. It is common for many of us to think we have got to grips with a solution to a problem, only to realise half way through that the problem is not quite as we envisaged.

Take the case of “Multi Factor Authentication” (MFA), meaning the use of more than one kind of method to authenticate ourselves to a computer system or application. We had all become used to the phrase “Two Factor Authentication”, meaning that two different kinds of credential are needed. It seems simple enough to extend this to “multiple” means of authentication, right?

Well – as it turns out, this is still an area that causes confusion, even before we changed the wording to make things even more vague! So, what is the problem? Let’s go back to the start.

We all use MFA regularly without giving it much thought. Whenever we pay by card in a shop or take money out of an ATM, we are using MFA: every Chip and PIN transaction requires more than one authentication method, and these methods fall into the following categories:

  • Something you know (such as a password or PIN)
  • Something you have (such as a bank card or a hardware token that generates a one-time code)
  • Something you inherently are (such as a biometric like fingerprint or retinal scan)

When accessing a system that requires you to authenticate in more than one way, you present two or more of these factors to the authentication system. So why is there still confusion?

Well, it is easy enough to get this mixed up. Consider the following scenario: “I log on to a system with my username and password, and then I access a database application with a separate username and password. That is multi-factor, isn’t it?” No. That is a single factor (something you know) used twice, and it is often the cause of the confusion.

For multi-factor authentication to be genuinely implemented, at least two of the above categories must be presented as part of the same logon procedure. So I present my username and password to the access application, which then also requests my fingerprint: that is two-factor authentication. MFA is any access method that requires two or more distinct factors in one logon.

In the case of the trip to the shops, when I purchase something I present my payment card (something I have) and then enter my PIN (something I know): two-factor authentication. Apple Pay uses a biometric (something I am) as the second factor alongside the device itself, which is another step up the security ladder.

This affects us all in our daily lives as security tightens up to reduce identity theft and online fraud. How many of us have been given a PIN reader for use with our online banking? It generates a one-time code from your card (something you have) for you to use alongside your password (something you know).
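The distinction made above, between two credentials of the same kind and two distinct factors presented in one logon, is easy to get wrong in code as well as in conversation. The following is an added example, not code from the original post or from SRM: it implements the one-time-code generator that hardware tokens and authenticator apps use (HOTP from RFC 4226 and its time-based form TOTP from RFC 6238, both standard algorithms), then runs a single logon that checks a password (something you know) and a TOTP code (something you have) together and counts how many distinct factor categories were actually verified. The user record, the `login` function and the sample secret are illustrative assumptions; the secret happens to be the published RFC 4226 test secret so the codes can be checked against the RFC’s vectors.

```python
import hashlib
import hmac
import secrets
import struct

# The three factor categories from the post.
KNOWLEDGE = "something you know"
POSSESSION = "something you have"
INHERENCE = "something you are"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1.

    This is the algorithm behind most hardware tokens and authenticator apps:
    HMAC the counter, take 31 bits starting at a dynamic offset, keep the low digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, int(at_time) // step, digits)


def distinct_factors(presented) -> int:
    """presented is a list of (category, verified) pairs from ONE logon.

    Returns the number of distinct categories that were successfully verified.
    Two passwords in the same logon still count as one factor.
    """
    return len({category for category, verified in presented if verified})


def is_multi_factor(presented) -> bool:
    return distinct_factors(presented) >= 2


def make_user(password: str, totp_secret: bytes) -> dict:
    """Hypothetical user record: salted PBKDF2 password hash plus the shared TOTP seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
    }


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, now: int, window: int = 1) -> bool:
    """Accept the current time step and one step either side to absorb clock drift."""
    current = int(now) // 30
    return any(
        hmac.compare_digest(hotp(user["totp_secret"], current + drift), code)
        for drift in range(-window, window + 1)
    )


def login(user: dict, password: str, code: str, now: int):
    """One logon that asks for both factors before deciding.

    Both checks always run, so a failing password does not short-circuit and
    reveal which factor was wrong. Returns (accepted, distinct factors verified).
    """
    presented = [
        (KNOWLEDGE, verify_password(user, password)),
        (POSSESSION, verify_totp(user, code, now)),
    ]
    accepted = all(verified for _, verified in presented) and is_multi_factor(presented)
    return accepted, distinct_factors(presented)


if __name__ == "__main__":
    # Constructed sample data; the seed is the RFC 4226 / RFC 6238 test secret.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery staple", secret)
    now = 1_000_000

    print(login(user, "correct horse battery staple", totp(secret, now), now))  # (True, 2)
    print(login(user, "wrong password", totp(secret, now), now))               # (False, 1)

    # The confusion from the post: two passwords in one session is still one factor.
    print(is_multi_factor([(KNOWLEDGE, True), (KNOWLEDGE, True)]))            # False
```

Note that `distinct_factors` keys on the category, not on the number of credentials, which is exactly the point the post makes: a second password, however strong, adds no second factor. The drift window in `verify_totp` is the usual trade-off between tolerating slightly wrong clocks and widening the set of codes an attacker could guess; one step either side is the common default.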

PCI DSS version 3.2 now requires multi-factor authentication for all non-console administrative access to the cardholder data environment, including access from within the local network. MFA was previously required only for remote access, but the additional assurance it brings makes it a useful control even inside trusted networks.

So, MFA is here to stay and when it is implemented well it should be easy and intuitive to use. There are lots of solutions out there, so finding one that suits your needs should no longer be a barrier to increased security.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Promoting and Protecting your Identity

How much control is too much when it comes to social media?

Organisations spend millions on their marketing campaigns in the hope and expectation of raising brand awareness and increasing publicity. However, one seemingly innocuous tweet sent by an employee has the potential to give an organisation all the publicity and attention they could ever want – just with the spotlight focusing in the wrong area.

Managing employee usage of social media is a growing concern for organisations worldwide. Many social media platforms give users the option of stating where they work. If an employee decides to share this information, their behaviour could be considered reflective of whom they work for. The information could provide an insight into what kind of people that organisation hires and what they find acceptable, and thus reflect its morals and culture. Essentially, this gives employees the leverage to make or break a brand’s image. The topic is just as important whether or not an organisation has a social media presence of its own: its employees effectively create one through their own online activity.

In 2013, a single tweet ended Justine Sacco’s career as Communications Director of the New York-based internet group IAC. She posted the tweet before boarding an 11-hour flight to South Africa, and it received over 2,000 retweets while she was in transit; she had become an internet phenomenon before she had even landed. Sacco was subsequently fired by IAC, a move taken in order to protect its own brand image.

Sacco’s story is an extreme case, but the incident has become a byword for the need to be cautious about what you post on social media. Even seemingly innocuous posts can do a lot of damage to an organisation’s brand image: complaining about working conditions could deter future applicants; posting sensitive information could affect the company strategically; and general online behaviour could reflect badly on the company’s culture.

Many social media users are now keen to state that “all views are my own”. However, a disclaimer of this kind will not prevent your employer from dismissing you if you post something that reflects badly on it, and it will not stop readers from associating your views with your employer.

Social media policies are being introduced throughout organisations large and small, and we’ve listed a few things to consider when creating these policies:

  • Creating a safe space for employees to raise concerns goes a long way. Having an internal outlet for grievances reduces the chance that employees will air them online instead.
  • Define what is considered confidential or sensitive information. Assuming that all employees will simply know this is a dangerous assumption to make.
  • Address illegal online activity explicitly. Warn employees against engaging in it, and remind them to respect others’ copyright and trademarks when online, for both personal and professional purposes.