You may not have been aware there was a presidential election in Ukraine last Sunday, but all eyes in the cybersecurity and intelligence communities were keenly focused on this event. In the past few years, cyberattacks targeting elections in democratic countries, including the U.S., have become increasingly disruptive. And in the past few months, international observers have seen disinformation campaigns attempting to influence the outcome of the Ukraine election.
Leading up to the election, the IBM X-Force Incident Response and Intelligence Services (IRIS) team had been preparing to observe and analyze possible attempts at foreign interference in the election. Although it appears that a major cyber disaster was averted, we were ready for the worst.
… we recognize that the risk of a major cyberattack on Ukraine could be the bleed-over to the rest of the world. IBM Security has many clients, including some of the largest financial and logistics companies, that need to be resilient in an attack or face potential damages in the millions or hundreds of millions of dollars. We needed to prepare a response to go at a moment’s notice.
Well in advance of the first round of the Ukraine election in March, we decided that we couldn’t afford to sit on our heels until an attack was launched. We began to operationalize a plan for responding to anything that we could conceive of happening before or after the election event. I ordered the creation of an incident command center team, comprised of top experts across the IBM company, that was on alert and could be stood up immediately if needed. This team operated outside of the traditional organizational structure.
Now that we have moved from an alert posture back to a normal readiness stance, I can share a little bit from behind the scenes about how we prepared. I’ll also describe what organizations can do to evolve their security posture from a reactive stance to a more proactive and predictive security posture.
I don’t often post articles about IBM Security (full disclosure: my employer) but I like Caleb’s write-up about this – especially about the C-TOC:
Plus, for the first time since its construction, we had at the ready the X-Force Command Cyber Tactical Operations Center (C-TOC), the industry’s first mobile command center, to assist clients in Europe with investigations and recovery. We had multiple drivers ready to go at a moment’s notice and drive through the night if necessary. The C-TOC gives us unique capabilities in a destructive attack: If a client’s systems go down, we have a sterile platform from which to work, and we travel with our own internet, data center and all the gear we need to accelerate recovery.
It is pretty cool! Check out the whole article for the breakdown on what my colleagues did and some generally good advice around being prepared for the worst.
Earlier this year, the European Commission, the executive arm of the European Union, recognized Japan’s data protection regime as adequate under the European General Data Protection Regulation (GDPR). Japan is now treated as part of the European Economic Area (EEA) under the GDPR, and data flows from the EEA may be transferred to Japan without any additional safeguards or agreements. This is the first adequacy decision since the GDPR took effect, and it will likely provide a road map for other countries or territories seeking EU approval going forward.
At the same time that Japan’s adequacy determination was being finalized, the California attorney general began hosting seven public forums across the state to allow public comment during the California Consumer Privacy Act (CCPA) pre-rulemaking process. The CCPA, enacted July 28, 2018, and effective Jan. 1, 2020, is modeled on the GDPR, imposing new data protection requirements on certain companies and granting new rights to California residents.
Even before the CCPA was signed into law, the bill sparked speculation about whether California could apply under the GDPR for adequacy. While California has not yet expressed an intention to apply, the state has a history of forging its own path in the absence of federal action. And notably, industry stakeholders at the CCPA public forums requested that the potential CCPA regulations contain a safe harbor provision for GDPR-compliant businesses. In addition, legislation introduced this year to amend the CCPA to more closely align with the GDPR framework—coupled with last year’s stalled efforts to create a California data protection agency—indicates that some state legislators may have a broader vision of the relationship between the two privacy regimes.
But could a single state secure a GDPR adequacy determination even though the United States has not obtained a full adequacy decision? This post considers whether California could apply (based on the factors considered in the recent Japanese adequacy decision) and, importantly, whether any legal barriers exist under the GDPR.
A fascinating read about CCPA and GDPR. The Japan example is a useful one but only to a certain point. Andrei Gribakov’s article is an excellent breakdown of the issues and how this might play out.
The more time we spend trying to build new things or get work that matters done, the more mistakes we are inevitably going to make.
I’ve come to realize that the key is to not let the chatter (both external and internal) about the mistakes and the stuff that is broken get in the way of showing up every day with enthusiasm.
Every day, we get the opportunity to solve puzzles that involve continually prioritizing between fixing what’s broken, plugging short term gaps, and investing in the long term. We get to do this in our products, in our communities, in our families, and within ourselves.
We (and what we build) are always going to be work in progress. Once we accept that, it follows that the best thing we can do is to make the most of that opportunity and continue to earn it every day.
In the long run, it turns out that becoming is far more important than being.
They walk among us in just about every office: People with their laptops open, bound for conference rooms and common areas, many keeping their devices ajar to avoid losing those precious few seconds of computer wake-up time.
While we cloak our phones in shock-proof plastic and their screens with tempered-glass shields, laptops rarely get similar protection. Considering these pieces of hardware are some of the most expensive items we work with, it’s a little shocking to see how cavalier we can be toward our one essential work device.
But since when has safety outweighed looking cool?
Over the past few weeks, we’ve been observing Quartzians in their natural habitat and have tried to make sense of their odd office rituals in porting their laptops from one meeting to the next. Here are some of our findings.
This is some silly fun. I know which one I am (“The Clutch”) and which I’d like to be (“The Vacationer”).
Here’s my list, in order, of what drives behavior in the modern, privileged world:
Cognitive load (and the desire for habit and ease)
Greed (fueled by fear)
The five are in an eternal dance, with capitalist agents regularly using behavioral economics to push us to trade one for the other. We’re never satisfied, of course, which is why our culture isn’t stable. We regularly build systems to create habits that lower the cognitive load, but then, curiosity amplified by greed and fear (plus our search for connection and desire to love) kick in and the whole cycle starts again.
I like Seth’s setup for this but not the corporate entity as the example. Here’s a sanitised version:
…without habits, every decision requires attention. And attention is exhausting.
And it’s stressful because the choices made appear to be expensive. There’s a significant opportunity cost to doing this not that. … what are you going to skip? What if it’s not worth the [time or wait]? What are you missing?
It’s all fraught. We feel the failure of a bad choice in advance, long before we discover whether or not it was actually bad.
What consistently good communicators do: Prepare thoroughly, show up on time, seek to understand, be thoughtful about their contributions, pay attention to non-verbal cues, and follow up.
When they do all of this, they succeed in reaching the people they’re speaking to in the right context – unerringly.
It turns out that being a consistently good communicator is largely determined by what we do when we’re not trying to communicate.
This post came out a while ago. I was reminded to write about it when I saw the 16 April Daily Stoic entry, OBSERVE CAUSE AND EFFECT:
“Pay close attention in conversation to what is being said, and to what follows from any action. In the action, immediately look for the target; in words, listen closely to what’s being signaled.” —MARCUS AURELIUS, MEDITATIONS, 7.4
To both quotes, there is an undercurrent of presence, of being in the moment when communicating. Being distracted by a laptop, tablet, or phone takes away from that presence.
The other undercurrent is that communication is, by definition, bidirectional (or full duplex for the networking nerds out there). It’s funny to me how many people forget that.
Cyber Security—also called Information Security, or InfoSec—is arguably the most interesting profession on the planet. It requires some combination of the attacker mentality, a defensive mindset, and the ability to constantly adapt to change. This is why it commands some of the highest salaries in the world.
“Cyber” vs. Information Security
One of the most common questions in the computer security industry is the difference between Cybersecurity and Information Security. The short answer is, “not much”. But the long answer is, well…longer.
Essentially, “Cyber” is a word from pop culture that actually fit our digital future fairly well, with the merging of humans and technology and society. In the beginning, “CyberSecurity” was used as a way to glamorize or sensationalize computer security, but over time people started using it in more and more serious conversations. And now we’re stuck with it.
If I had to give any distinction today (2019) it would be that Cybersecurity is a bit larger in scale than Information Security.
Read on in Daniel’s article for how he breaks Security down.
In general I think his taxonomy is spot on for the difference between Information Security (InfoSec) and Cyber Security. I am one of the people he references here:
People who’ve been in Information Security for a long time tend to really dislike the word “cyber” being used in a non-ironic way to describe what we do. But we’re getting over it.
I don’t always agree with Daniel’s writing, but this is a nice index.
This was a common topic on the late lamented PVC Security podcast. Let’s dive in!
The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.
Ambitious security pros looking to climb the corporate ladder may have a CISO position in their sights. Let’s take a look at what you can do to improve your chances of snagging a CISO job, and what your duties will entail if you land this critical role. And if you’re looking to add a CISO to your organization’s roster, perhaps for the first time, you’ll want to read on as well.
What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the ’90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:
Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
Identity and access management: Ensuring that only authorized people have access to restricted data and systems
Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance
Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance
What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master’s degrees with a security focus are also increasingly in vogue. There’s also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDoS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.
But technical knowledge isn’t the only requirement for snagging the job — and may not even be the most important. After all, much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”
Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. “Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”
As you climb the ladder in anticipating a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from — Cyberdegrees.org lists seven. We asked Lasalle Network’s Wallenberg for his picks, and he gave us a top three:
“Certified Information Systems Security Professional (CISSP) is for IT professionals seeking to make security a career focus.”
“Certified Information Security Manager (CISM) is popular for those who are looking to climb the ladder within the security discipline and transition into leadership or program management.”
“Certified Ethical Hacker (CEH) is for security professionals looking to obtain an advanced awareness of issues that can threaten enterprise security.”
CISO vs. CIO vs. CSO
Security is a role within an organization that inevitably butts heads with others, since a security pro’s instincts are to lock down systems and make them harder to access — something that can conflict with IT’s job of making information and applications available in a frictionless way. The way that drama plays out at the top of the org chart can be as a CISO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization. (CSO discussed this in depth in the article “Does it matter who the CISO reports to?”) Even though both titles have “C” in the name, it’s relatively common for CISOs to report to CIOs, which can constrain the CISO’s ability to execute strategically, as their vision ends up being subordinated to the CIO’s overall IT strategy. CISOs definitely gain clout when they report directly to the CEO or the board, which is becoming an increasingly common practice. This might involve a change of title — according to the Global State of Information Security Survey 2018, CISOs are more likely to be subordinated to a CIO, whereas a security exec with the title of Chief Security Officer (CSO) is more likely to be on the same level as the CIO — and to have non-tech security responsibilities to boot.
Placing CIOs and CISOs on equal footing can help tamp down conflict, not least because it sends a signal to the whole organization that security is important. But it also means that the CISO can’t simply be a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO magazine, “it’s up to the CISO to help the IT team provide more robust products and services rather than simply saying ‘no.’” This shared responsibility for strategic initiatives changes the dynamics of the relationship — and can mean the difference between success and failure for new CISOs.
CISO job description
If you’re part of a search for a promising CISO for your organization, part of that involves writing a job description — and much of what we’ve discussed so far lays the foundation for how you’d approach that. “Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position — in smaller companies, CISOs can be VPs or Directors of Security,” says Lasalle Network’s Wallenberg. “They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants.”
CSO Senior Editor Michael Nadeau lays out in some detail how you’d approach writing a CISO job description. One of the important things he points out is that your description should make your organization’s commitment to security very clear from the get-go, because that’s how you’re going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they’ll have to really make this point clear. Another important point he makes is to keep the job description fresh, even if you have someone in the role — after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don’t want to leave unstaffed.
If you check out Glassdoor, you can see salary ranges for current CISO job openings, which can help you get a sense of which sectors pay more or less. For instance, at this writing there’s an open CISO position in the federal government that pays between $164,000 and $178,000, and one at the University of Utah that pays between $230,000 and $251,000.
The CISO job landscape is always changing, and CSO has plenty of material to keep you up to date — how to get a CISO job, and how to navigate the career landscape. You might want to check out:
“A CISO’s guide to avoiding certain CISO jobs”: Not all CISO jobs are created equal, and some will set you up for failure that can have negative career implications down the line. Here are some tips on red flags to watch out for.
“Why do CISOs change jobs so frequently?”: The average CISO only stays on the job for 24-48 months, according to market research. Find out what these fast moves mean for the industry and how you can react.
“What is a virtual CISO?”: C-level execs aren’t immune to the trend towards “on-demand” employees who work on part time contracts rather than occupying full-time positions. This article will explain what virtual CISOs can and can’t do, which is important if you’re competing against them for jobs — or want to become one yourself.
The CISO/CSO and analogs suffer from a short life span and a need to impress the Board of Directors. Most CISOs are in poor situations at the start, and anyone who aspires to such a role needs to know the disadvantages:
The CISO/CSO often reports to the CIO, which is a conflict of interest. I generally recommend reporting to CEO directly or else the COO or CFO.
CISO/CSO roles require strong reporting managers and talented teams plus reliable managed security service providers. The best way to determine their value is by measuring them. Yet many enterprises I visit fail to measure even the most obviously valuable metrics but want their Top Ten lists.
This is a solid summary of the CISO role. If you target this in your career path, this article is useful.