Monday, March 17, 2014

Lessons from a Frog and an Ostrich

We have all heard that an ostrich will bury its head in the sand when frightened, ignoring the danger around it with an ‘out of sight, out of mind’ attitude.  You have also heard warnings based on the story of how a frog will sit in a pan of water and, if the temperature is increased slowly, will stay there until it boils.

These are stories that we tell our children, trying to impress upon them the importance of danger signals and of continuing to pay attention to the situation around us, even if it is only a little uncomfortable right now.

Recent revelations that the CIO for Target resigned, and that executive management is working on revamping the Information Security team to include a CISO, coupled with stories about Target ignoring malware warnings from their newly installed FireEye system, would seem to bring these stories to mind.  Didn't the CIO ever have story time in Kindergarten?  Where was the InfoSec team when these alarms were going off?  Did they have their heads in the sand, or were they overwhelmed with alerts and vulnerabilities?

No doubt the Target CIO was eminently qualified for her position.  You aren't given that responsibility without a proven track record in large-scale ERP and delivery systems.  Should she have taken the blame for this failure, or was this an overall failure of the culture at Target?  Why didn’t Target have a CISO?  They spent almost $2 million on a malware detection system whose alerts they ignored.  Would moving Information Security out of IT and into Enterprise Risk Management have helped?

Why did the CIO hang onto Information Security when the Federal Government mandated CISOs for all agencies?  Are major organizations finally moving toward giving the CISO a seat at ‘the big table’?

Back to the Frog and Ostrich:

No ostrich has ever been seen in the wild with its head in the sand.  Either this works very well, or the ostrich is smarter than its human counterparts.

Same with the frog.  A slight increase in temperature and the frog will jump out of the pot.  It seems that only humans will happily ignore the increasing danger around them until it is too late.

The size of your organization will dictate the size of your executive management staff and the size of your round table.  A small organization may have a single CTO/CIO/CSO handling all of these functions, much as the same small organization may have one VP of Sales and Marketing.  Larger organizations that rely on technology have already split the CIO and CTO functions.  It is time to help your organization by working with your existing InfoSec staff, asking them what they need, and implementing a mature InfoSec program that includes a CISO, instead of endlessly chasing vulnerabilities and malware.

Will a CISO fix all vulnerabilities?  Is this a 100% guarantee?  No, but they are better equipped by training and temperament to deal with the rapidly deteriorating information security environment.  And they can be your best friend.

InfoSec professionals:  Re-read your CISSP CBK book and see where your organization’s InfoSec maturity stands.  Help your CIO by focusing on Risk Management, not Security Management.  You will never fix all the holes, but you must help your Executive Management team prioritize and control risks.

For reference, please see:

Bank Info Security:  “How Much Is a Good CISO Worth?”  The story of the SC DOR: for the lack of a CISO's salary, the SCDOR’s breach cost them $20 million.

SC Magazine, nearly 4 years ago:  “Want to Reduce IT Risk and Save Money?  Hire a CISO”

“Target CIO Resigns, Looks for Security and Compliance Makeover”

“Frog Fable Brought to Boil”

“Animal Myths Busted”
