Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

The CIO Will Report to the CISO: The Why

CIOCISO
jjguy
July 31, 2017 / Jeffrey Guy

(Note: This article originally appeared on LinkedIn Pulse. If you disagree with me, please visit the LinkedIn post to join the comments we’ve gotten so far.  As a community we need the open discussion to advance our collective thinking. If you agree, please like, comment and/or share the post. It’s easy for those who disagree to close the browser tab and dismiss me as “just some crazy ex-government hacker guy,” but your “like” is a vote in favor of these ideas. Together, we can demand they be taken seriously and drive the conversation.  Together we will not be dismissed.)

__________________

 

Or, why the CISO position should never have existed.

A couple weeks ago, I published The CIO Will Report to the CISO.  The premise was it makes more sense to align core infrastructure under the CISO, allowing the CIO to focus on business processes and applications that make the business more efficient. If we don’t take action, I believe this transition is inevitable. It will be driven by the need for increased rigor in basic IT operations in order to continue making our systems more secure, a gap that is becoming increasingly apparent.

The feedback was incredible. To all who commented, liked or shared: thank you. I learned a lot.  If you didn’t see it, I encourage you to read it, but especially the comments: it’s an excellent collection of the diverse views in our community.

After reflecting on your feedback I didn’t change my opinion, but I better understand the experiences and perspectives that led the dissenters to their opinions. This is a more thorough explanation of why I’m sticking to my guns. Where the prior article is pithy punditry, this is historical analysis – as objectively as I can manage. It is long – an unfortunate necessity to level set, given the wide range of experiences we all have.

If you disagree – please comment!  As a community we need open discussion to advance our collective thinking. If you agree please like, comment and/or re-share. It’s easy for those who disagree to close the browser tab and dismiss me as “just some crazy ex-government hacker guy,” but your “Like” is a vote in favor of these ideas.

This is a warning for CIOs. It was a mistake to create the CISO role and move it out of your organization. There is another opportunity developing, don’t squander it a third time.

CIOs: this is a warning. Collectively, you missed an opportunity to take responsibility for security when the CISO role was initially created. You missed it again as the CISO was moved outside the CIO organization. Those actions were mistakes, but it was found necessary. Don’t squander the opportunity a third time.

Note: in addition to below, my opinions are shaped by what we value in our security programs. You may find My Four Cybersecurity Principles useful background. If you think this doesn’t apply to you, read my Farmer & Chicken story.

The History

Information security has historically been a function of IT.  Like other IT functions, the business value comes from the product you buy and people are a tax required to administer the product. CIOs purchased a suite of security products from vendors as part of the overall network architecture, similar to routers, switches and email servers. Those products quietly and reliably provided services such as endpoint antivirus, network traffic monitoring and application-level proxies.

Security as an administrative IT activity was good enough for opportunistic attackers seeking value in scale of access, but threats are evolving.

For many years, this was sufficient. The predominant threats were opportunistic attackers, who monetized their access based on scale. The attackers did not care which computers they compromised, they just wanted a lot of them to use for click-fraud, spam and other Internet-scale activities. Their presence in enterprise networks was annoying, but largely irrelevant to the business since the primary financial impact was to third parties: a classic negative externality.  

The combination of these two characteristics meant traditional signature-based endpoint antivirus was good enough: successful attackers’ large footprint would get them signatured and blocked; less-successful attackers were just “noise” the business managed.

The APT

In the late 1990s and early 2000s, the U.S. Department of Defense (DoD) and other governments around the world experienced a series of repeated and targeted attacks, not focused on stealing computer cycles, but information – heavily focused on weapon systems design, development and capabilities.

Since these attackers were not interested in scale of access, but precision of access, endpoint antivirus was irrelevant. These attackers, if detected at all, rarely exceeded the “noise threshold” of antivirus companies to justify distributing signatures. As a result, these attackers were able to bypass security products at will and remain undetected inside compromised networks, often for years. Since attacker focus was the organization’s critical data, their presence was no longer an annoying negative externality, but presented a clear and present danger to the organization’s objectives.

In early 2000s, all commercial products failed against targeted attackers, so the US Dept of Defense invested not in products but people and processes

At that time, all products from all vendors failed to recognize the threat of targeted attackers and provided little or no meaningful mitigation capabilities. As a result, the U.S. Air Force (USAF) and other DoD agencies invested not in new products, but in the people and processes employing existing products.

They developed an operational model that included protection, detection and response as equally important activities in a continuous operational process – a distinct shift from the then-current best practices that depended on products for protection, with detection and response as ad-hoc activities in response to specific incidents.

In the late 2000s and early 2010s, the objective of targeted attackers broadened from mostly espionage into crime. Attacks against commercial businesses increased, focused on stealing easily-monetizable data such as credit card numbers and personally identifiable information.  The shortfalls of vendor security solutions became clearly apparent through repeatedly successful compromises. Commercial businesses began to intimately understand the lessons learned by the DoD a decade earlier.

Businesses began promoting security from an mid-tier manager in the CIO’s IT organization to the CISO. In many businesses, the CISO’s IT oversight role was used to justify moving the CISO position out of the CIO’s organization reporting to the CEO or another CxO.

As attackers targeting commercial businesses shifted their objectives to business critical information, the risk shifted from an annoying negative externality to a direct business threat.

Like the federal attacks 10 years prior, these targeted attackers were no longer an annoying negative externality but instead a clear and present danger to the business. With the benefit of ex-military security leadership, commercial CISOs followed the DoD pattern and invested not just in products, but also in people and processes.

Security Operations Emerges

CISOs began to recognize the value to the business didn’t come from the products they bought as with traditional IT, but from their people. Products are simply a tool in their team’s toolbox, supporting the team’s operation. People aren’t hired simply to administer the products, products are purchased to support the people.

In 2013, the DoD protection, detection and response operational model was shared with the world in the NIST Cybersecurity Framework. Its release accelerated development of the commercial Security Operations Center (SOC). With time, a consensus began to emerge between the DoD approach, industry analysts and commercial businesses.  

Today, a Security Operations Center is becoming a generally accepted requirement of any large organization’s minimum due diligence for their security, digital asset protection and data stewardship responsibilities.

Our Mistake

When commercial industry adopted the DoD’s security approach, we took the modelfor DoD security operations but not the organization. The DoD does not have separate IT operations and security operations leaders. They did not invest in their security operations independent of their IT operations. They did not split the organization with separate leadership chains. They invested in improving the operational discipline of both their IT and security programs simultaneously.

We took the model for DoD security operations, but not the org chart. That was a mistake. We wrongly prioritized the CISO’s audit and oversight responsibility over his security operations responsibility.

When we pulled the CISO outside the CIO’s organization, we made a mistake: we prioritized the CISO’s audit and oversight responsibilities over his Security Operations responsibilities.

CISOs are learning operational discipline and rigor adds more security value than audit, oversight or compliance activities.  Unfortunately, for organizations that split the CISO and CIO organization, the operational discipline of security programs are maturing independently of the CIO’s traditional IT operations.  

As an institution, the military often gets criticized for being slow to change.  In this case, they changed more rapidly than we have managed in the commercial sector. Military IT leaders change positions every 2-3 years, get promoted every 4-5 years and are deliberately placed in diverse assignments of increasing responsibility.

The military’s rapid turnover and promotion schedules enabled their IT leadership to evolve & mature more quickly than their commercial peers.

As a result, the expertise of the typical military IT leader naturally evolves and matures with the organization. The relatively glacial turnover in a commercial IT leadership team, combined with the generally older leadership and slower promotion rates, means commercial IT leaders do not have the same natural evolution, relying much more on an individual leader’s self-awareness to recognize the need for him/herself and the organization to change.  That level of perception and self-awareness is exceedingly rare.

As targeted attacks became more common in the commercial sector and security gained importance in the business, CIOs collectively missed an opportunity: if they had taken ownership of security and evolved themselves and their organizations, there would never have been a “CISO.”  When CISOs were still part of the CIO organization, the CIO had another opportunity to take ownership and evolve, but enough failed to do so that the general recommendation was separate reporting chains – a second opportunity missed.

Today, the CISO’s security operations teams are gaining discipline and rigor from a painful but effective feedback loop, thanks to constant testing by attackers. In many cases, the growing maturity is independent of traditional IT operations activities, still owned by the CIO.

CISOs are finding the IT basics such as network management, asset management and patching are critical to secure operations, but in many organizations they are poorly managed.  It is impossible to secure an enterprise network when the organization can’t handle the basic blocking and tackling of IT.

As realization of this truth grows, CIOs will have a third opportunity to evolve themselves and their organizations.

Your Action

Be aware this shift is coming and be mindful for when the inflection point arrives in your organization.

The next major step in security is growing the same discipline in our IT operations as we have in security operations. You can’t fix the problem by simply buying a new next-generation something-something product, or a new deep learning artificial intelligence gizmo.  It takes a combination of people, processes and products – inside an organization with an operational culture that is cognizant of their faults and constantly improving.  No vendor’s product can overcome your team’s lack of operational discipline.

CISOs with mature security operations teams have already recognized this; their teams have the momentum built and are gaining rigor daily. However, they are building security programs on top of the core IT infrastructure. The overall security of your network is only as good as the weaker of the two. For those programs, the security value of additional investment in security operations will soon decline because they are too far ahead of their IT counterparts. As compromises continue, there will be increasing pressure on basic IT operations to mature.

Your security is only as good as the weaker of your security and IT programs. The value of new investment in security operations will decline unless the IT operations also mature.

If you are a CISO, your responsibility is the security of the company, not just your team’s direct responsibilities. Be the torchbearer for extending your operational culture throughout the technology organization, deepening your partnership with the CIO. Do not let our past organizational mistakes cloud your thinking: your risk, audit and compliance responsibilities require some independence, but compliance does not make your company secure. Do not let those functions create a “arms length” mindset in yourself or your teams.

If you are a CIO, you need to start operationalizing your IT activities. If you do not act now, investment in security operations will no longer bring meaningful security value because your IT operations are not equally disciplined. If you allow this to happen, you have failed. The business will have no choice but to transfer ownership of core IT functions to the CISO.  If that conversation happens, the reporting chain conversation will follow.  The CIO already reports to the CISO at Booz Allen and their rationale aligns with mine.

CIOs: if you allow further investment in security operations to no longer add value because your IT operations are too immature, you have failed. The business will have no choice but to transfer ownership of those functions to the CISO.

If you are a CIO in a company with a strong program you still must act: you cannot allow your CIO peers to fail. If there is not critical mass of CIOs that get it right, the “best practice recommendations” will still be to transfer ownership of core IT functions to the CISO.  Your company’s success will be an outlier.

As you plan your company’s approach, I urge you to remember the mistake we made and fix it.  Do not try to mature security operations and IT operations independently. Building an operations center from scratch takes a lot of time; building two separate operations centers that must closely coordinate activities is bad leadership: you are not setting up your team for success.

Do not try to mature security and IT operations independently. Building two separate operations centers that must closely coordinate activities is incredibly difficult.

Around 2003, the Air Force introduced the Network Operations and Security Center (NOSC): a single operations center, focused on both security and IT operations. Since the USAF never split responsibility for security from normal IT, it was an obvious organizational construct as they operationalized their overall IT activities. However, since the commercial sector made the mistake of prioritizing the CISO’s oversight role from the operations role and splitting responsibility, that organizational construct may not be as obvious. Figure out the organization and build a CIO/CISO partnership. You might even call it a “fusion center” if you can say the words to the board with a straight face.

In Closing

I titled this article “The CIO will report to the CISO.”  In truth, our situation could also be summarized as “The CISO should never have reported to anyone but the CIO.” “The CISO should not exist” is another potential interpretation.  You can take my rationale and defend any of those positions.

We are still very early in the development of security as an independent corporate discipline with board-level visibility.  Many organizations have not yet prioritized security to this level, and there is a lot of diversity amongst those that have.

Whatever organizational construct fits your company, recognize these three truths:

  1. Compromise is inevitable
  2. Operationalizing security is more important than compliance and oversight activities
  3. Operational maturity must come not only to security-specific activities, but also the traditional IT activities

If you stay grounded in these truths and the broader security principles, your team will be successful.

TAGS: CIO / CISO / JJ Guy

Related Posts