Should CISOs Be Technical Leaders Or Business Leaders?
To “hyperspecialize” or be a security generalist. That was the topic of this week’s Task Force Radio episode. Both host George Rettas and guest Rafal Los, the founder of Rabbit 77 agreed that people are needed who think in terms of both risk and information security. “We just don't have enough of them,’’ said Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
There are probably already enough pen testers and red teamers, said Los, who is also the host of the “Down the Security Rabbithole” podcast.
More people are needed who have a blend of knowledge about what risk means and the technical aspects of protecting an organization, Los said.
He recounted a story from his days as a pen test in the early 2000s and went into his company’s CTO's office because “I halted the deployment of a web app that had been deemed critical by the business and I was not going to sign off on it because it had a problem in it.”
The CTO listened to his reasoning, Los said, but while he knew his arguments were correct, the CTO told him that “I wasn't conveying it properly. I was using technical terms. I might as well have been speaking a foreign language to him.”
The CTO also told him that he would have “a really, really short career here if you keep that up.'"
Los said that left an impression on him and years later, he had a discussion with someone about whether a CISO should be someone who rises up the ranks from technologist, or if they should be someone who understands the business and hires technologists around them without having an in-depth understanding of the technology themselves.
“I think that both of them are valid approaches,’’ Los said. However, “given the way the world is moving, I continue to believe that the business-to-tech approach is probably more valid for a leadership position because of the fact that it's a leadership position,’’ he said.
Los pointed out that a CFO doesn't come in “from some random career path. They're usually a CPA, they move up to a comptroller, VP of Finance and selling their CFO.”
Those are roles that are highly focused on business impact, whereas, for some reason, the field of cyber security continues to vacillate, he said, theorizing that maybe it is because it is still a young field.
“The pinnacle of who we are comes from knowledge of business discipline, but I think that if you're going to be [one of] the best CISOs that I know, consistently come from knowledge of ‘the business’ or from business leadership [but] also have a techie background,’’ he said.
Rettas agreed, because of “the challenges that CISOs face today and the diversity of thought that they need to have across the different lines of business and [the ability] to speak the common lexicon of risk to executive leadership teams.”
The two then discussed the importance of having “deputy positions” that are around to give the organization some balance. That way, if there is a CISO who is highly technical, it’s a good idea to find a deputy who has more business skills on top of technical skills.
Soft skills being able to articulate risk analysis as well as the ability to negotiate and persuade and lead people, are critical, Rettas said. Regardless of who has more business skills and who has more technical skills, it is important that a CISO and a deputy be able to work together, he added.
Turning Points In The Cyber Security Field
Los said there have been a couple of significant turning points that have helped cyber security evolve over the last two decades. “The pendulum between edge and computing at the edge means something different today, but essentially, out to the client and then back to the server and out to the client back to the server has ping-ponged a bit,’’ he said.
One of the first major changes was the move to Windows NT from the model of green screens to true client server networking, Los said. That pushed a lot of computing out to the client with greater processing power. “Graphics boards, mice, keyboards … at that point, barn door was swung open, and we never looked back,’’ he said.
But not a lot of security capabilities were built into these compute models, until the realization came that patches needed to be applied, he said. Then came virtualization and when “data suddenly found legs outside the office” with the dawn of mobile devices like laptops and PDAs. That was followed by cloud computing and greater dependency on devices and computing at the edge, he said.
Yet, cyber security teams had the opportunity to get involved at the time of inception and each time something new came along, but they didn’t, he said. The thought was always “we’re going to get it right this time," but seven years on, he said, “we missed it.”
In answer to a question from Rettas, Los said the biggest non-technology evolution he’s seen is not a product or something that can be sold, but “the drive to include cyber security at the board level. I think that has fundamentally changed the game for us security professionals and … has forced us to be more aware of the businesses we support.”
Like many other security professionals, Los said it is critical for a security leader to be in the boardroom to provide visibility into what is going on.
How Security Can Help Get Businesses Through The Pandemic
Now that so many businesses have their employees working remotely since the start of the COVID-19 pandemic, Los said they need to rely on their security professionals more than ever because of the strain this has placed on networks. Many were not set up to have so many staff working remotely securely, he said.
Remote work is “going to forever change the landscape of how cyber security is utilized,” Los said, “but there's going to be a ton of growing pains because I think what's happening is a lot of these companies are simply saying, ‘We've got to make this happen. Our firewall currently is too restrictive, our policies are too restrictive, people can't print when they're at home, turn off all these security policies.’"
That is a panic response, he said, because disabling security features that are perceived as hindering business is not an option.
“I blame ourselves partly for this because how did we not see this coming,’’ he said, referring to the scenario where a business would have to operate in a fully distributed way. This is another opportunity for CISOs and security leaders to emphasize the need to keep staff operating securely, he said.
Rettas and Los also discussed the importance of partnering with figuring out what core competencies you have and what to outsource to third parties to meet your security needs. Los said he doesn’t believe companies should be building their own security operation centers (SOCs), with some exceptions in the Fortune 100.
“If you've tried to build your own SOC, and you think you can do it better than some of the service providers that are doing it at scale – 10 times what you're doing --I think you're delusional, at worst,’’ he said. “You're hurting yourself.”
Start From The Ground Up
Coming back full circle to where the conversation began, Los said if someone wants to be a cyber security professional, they should learn to write some code, “even if it's poorly like I did; you should go work a help desk, you should learn how networks work … you should learn how operating systems and client server and how all the underlying technology works.”
That way, you get will get a base level of experience in security by understanding how everything interacts, he said. “Security really is about exploiting the interactions between other parts of the system in a way to do something that's not supposed to be authorized.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.