Building A Successful Security Practice - Part I: What makes a good CSO/CISO?

June 16th, 2008 | by Frank |

Information Security is still in its infancy as a standalone function inside any corporation, and even more so inside any government organization. While there are many views on who and what makes a good Chief Security Officer (CSO), or even on whether you should have a CSO or Chief Information Security Officer (CISO) at all, there are some tenets that everyone agrees upon without hesitation.

In this series of articles I will be exploring the foundation principles of a good Information Security Practice. In this installment, I will be focused on the traits and key points of a good CSO/CISO candidate.

Your Information Security Practice is often called upon to perform several fundamental functions; some of these are precursors to the work of a Global Audit Group, and some are done in its absence. If you are publicly traded in the United States, your Information Technology department, the people who hold the “Keys to the Kingdom”, is to be audited and will have many degrees of restrictions and procedures added to its processes. These I will cover in a later paper. But your CSO/CISO is the one who is responsible for ensuring that there is a strong relationship between him/herself and their counterpart in the IT department.

Like any authority figure, especially one that must not only enforce but also produce and custom tailor policy and regulations, your head of security must be of the highest moral character. Those companies that afford the CSO/CISO true “C-level” rank and privileges do so because they hold this position to the same Code of Ethics as any of their other Sr. Vice Presidents or Presidents.

The vast majority of companies in today’s environment have the head of security reporting into various divisions of the company, most likely with this person titled as a Director, Sr. Director, or a lower-level VP. Personally, I would argue that the importance of the Practice, and its impact on the stockholders and profitability of the company, warrants direct reporting to the CEO, but as yet only a handful of companies have started doing this.

The surge in hiring for the CSO/CISO position has been met with varying levels of enthusiasm from the companies hiring such a person and building such a practice. You have companies that wish to check the box for the new “C-level” position simply to say “yea we have one of those”, as they did many years ago for a CIO, and much like that time no one is quite certain what their CSO/CISO should be doing. You have companies, especially financial groups, that have a very clear vision of what their new CSO/CISO should be responsible for, but may or may not empower them to do these things because they are not sure where the person should be reporting.

While I won’t argue with a company’s vision of its chain of command, I will take the time to point out that having the CSO/CISO report to the CIO is a little like having your head of financial audit report to your CFO. You can’t really audit and take action against your own boss, and anyone could argue there is a massive conflict of interest.

Also causing issues is the mass of so-called “experts” now appearing on the horizon, and quite sadly the increase of people with very embellished resumes. While I can’t draw for you the perfect generic image of a CSO/CISO that would fit in your company, I can outline some items to watch out for and some items to keep in mind when making your selection.

You see, much like the development of your company’s security practices and policies, your head of security must be a good cultural fit that takes into account your particular business market. If you have a creative company then having a draconian security czar is probably not the way to go. Likewise, if you have a company that must adhere to very stringent regulations and handles sensitive information you probably don’t want the person who likes to make exceptions in the policies for anyone who asks.

First, let’s discuss items to watch out for on a resume. I will try to make something quite clear: Information Security is not like Information Technology, where you see people hopping from one company to another to increase their pay or position. Information Security is more akin to your Legal department, and for many of the same reasons. You need people that you trust, that have the highest credibility and integrity, and that are very well versed in their area of expertise.

More to the point, your Information Security Practice is indeed an amalgam of Legal and IT. They must understand and stay abreast of legislation, Information Technology trends and advancements, and understand your business model / functions. Unlike your IT department, it is quite likely that your Information Security department will end up on a witness stand or in a courtroom presenting information or testimony on your company’s behalf. This means their character can, and of course will, be called into question.

If someone needs to understand a business, I would safely argue it takes a year or more just to learn the ins and outs of that business. So if the person you are looking at has spent less than a few years at each of their previous employers, this should raise flags for you. Likewise, the head of a security practice has to be able to say “no” to co-workers, executives, and even at times the Board of Directors. It may very well be that if you are looking at a person with only a year or so at each of their last employers, you are seeing someone who lacks the political savvy necessary to tell someone “no” while providing them with an alternate solution and, at the same time, making the person believe it was their idea to begin with.

Affiliation with security groups is an interesting topic. With a few exceptions, membership takes only one email to a list server to subscribe and be part of the group. Review the memberships that a person holds and think over the following: Do any of these groups directly relate to increased security awareness or skills in my company? Are any of these groups providing accreditation of the applicant you are reviewing? Do any of these not look right?

Affiliation with Government and Law Enforcement is something I see more and more on job descriptions. Be cognizant of what you are asking for when you post such a requirement. In most cases you, the hiring company, are looking for someone who has had experience interacting with State and Federal Law Enforcement in a prior job as part of their duties in Information Security. So someone listing that they were the liaison for such communication and relations is what you are after.

If you are looking at a person who has no Law Enforcement background, and they are listing they are working for or have worked with a federal agency you might want to dig into exactly what they were doing and gain a contact name that can validate this statement. I have personally seen people list that they are “advisors” to the FBI, for instance, and this is a title that they themselves have appointed as the FBI does not take on civilian advisors except in very rare cases.

Even those who have been such advisors will tell you the documents they had to sign with the FBI do not permit them to claim they ever worked for the FBI. Also watch out for people listing membership in “task forces.” While there may be some civilians on such a task force, almost all such groups are exactly what you would envision if I said “Drug Enforcement Task Force.” They are Officers and Agents assigned as resources to investigate and make arrests.

Papers and writings are key when you are looking for someone at this level. While you may not be shopping for the best White Hat Hacker available, you do want someone who is active in the Information Security world as this will assist in vendor management, technology knowledge and future staffing. This may mean they do a lot of speaking rather than writing, but again you should vet and check on these things. Writings are easy, especially if the person is like me and maintains a website full of Information Security blogs and has published papers.

If your candidate is a frequent speaker, I suggest going and attending one of their lectures. Ask audience participants what they thought of the talk, and get other general feedback. You might just learn the guy you really wanted to hire is considered a quack and the audience was there in large part for the entertainment factor. I once attended a talk on forensics by a so-called expert because I knew he had recently been removed from the witness stand and his “expert” accreditation from the court was revoked. I found his talk, being an expert in forensics myself, to be off-the-wall and quite humorous and sad all at the same time.

This same individual, whose name I won’t reveal out of courtesy, also claimed association with the FBI and other government groups and went so far as to say he had helped close many high-profile cases. It was strange how his entire lecture went away from his slides and the chest pounding ended when a group of men in dark suits walked into the back of the room and stood there waiting for him to finish talking so they could escort him to a car waiting out front.

Remember, claiming employment or association with such groups when it doesn’t exist is a felony. And holding a lecture where you purport to be such after being warned not to is frankly quite ignorant of the outcome. You as the hiring company don’t want your future CSO/CISO being charged with such a thing, or worse yet having such purported associations made on public documents (resumes, blogs, etc.) called into evidence during a Senate hearing à la Enron… aka a SOX hearing.

It seems odd that I would have to make the next statement, but do perform a background check. I can’t stress this enough, and I know so many people just want to trust that the person they are hiring is indeed who they say they are. But look at who and what you are looking for when you tap into this world. Information Security has always had, and always will have, undertones that whisper “hacker.”

Social engineering is a cornerstone talent used by people in my world. Frankly I have gotten quite far into a network, after being hired to do so of course, by literally talking my way past people to get their credentials to enter. Kevin Mitnick’s famous (infamous?) hack was mostly all social engineering. Recently a very large security vendor in the Bay Area hired a CSO who knew a thing or two about Social Engineering. The man worked at the company for six months as their CSO, and while some people had suspicions he was not capable of the job, his resume spoke volumes for what he should be able to do and he was hired after putting on a great show at the interviews with his fine resume punching tickets the entire way.

No real background check was performed, and it turned out that not only did the person falsify their entire resume, but they also stole the identity of another individual while doing it! This would probably be one of those “bad” things to discover when your CSO/CISO is sitting before Congress telling them that your SOX compliance audits were indeed performed correctly and the SEC is “just misinformed.” Calling past employers and checking out the basics like job description, pay rate, etc. is a nice start to a background check. And if this were hiring Jonnie in the mail room, you could stop at this step and consider it a job well done.

I would argue that anyone hired into a “C-level” job be put through the same level of background check that, say, a police officer or federal agent is subjected to. Not just a reference check. Literally go over every aspect they list on their resume, and use Google to research and find not only information but people who can talk to you. In the case of the Bay Area company, simply using Google to find photos of the well-established person whose identity was stolen by their CSO would have been enough to prevent the embarrassment of hiring that person. Again, all public papers, public speaking engagements, development teams, etc. are posted and easily searchable online. Finding skeletons in the closet now is always better than having someone force your eyes open when they rip the doors off a closet for you later.

Your Information Security Practice, every last person in it, will be called upon to make statements, even if just internally, about wrongdoings of members of your staff ranging from entry level to Chief Officers. With E-Discovery on the rise, and accountability for compliance regulations such as SOX, PCI, etc. all falling to these groups, their integrity will be of paramount importance when giving testimony, and it is their very signatures attesting to compliance that are trusted by the federal agencies who govern these regulations. We have all watched the police drama where a police officer or detective goes bad or has something from his past uncovered, and all of his cases and convictions come into question. The same could happen here, but of course with dire civil consequences.

And while we may all internally argue over where Information Security should report, what its exact responsibilities should be, and who makes a good candidate for a CSO/CISO, it should go without saying that a righteous character and an upstanding degree of integrity are prerequisites for any candidate.

I hope you enjoyed this short write-up and come back for the next installment where I will be talking about policy and corporate culture.

Originally published at http://www.lovemytool.com/blog/2008/06/francisco_artes.html
