George Campbell doesn't pull punches. Trust us. After CSO's first issue was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw in our approach to covering CSOs. We were focused too narrowly, he said, on the tactical CISO role and not the strategic CSO role.
In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He's concerned when he observes that CISOs have "captured" the title of CSO without really having the requisite skill set. And he's frustrated by what he views as "intellectual arrogance" on the part of IT-centric information security officers. (OK, he actually calls them "propeller heads," but they started it, he says, by suggesting that CSOs are just retired cops who don't understand technology.)
Of course, we couldn't resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn't a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, "I'm surprised your parole officer let you do this, Bill." Spernow ended the conversation by tipping his hat to his old mentor: "Good to see you're still out there making people uneasy, George."
Campbell: I get offended when I see the CSO title being captured. Why do they feel compelled
Spernow: Well, because George is right, and George is wrong.
Campbell: He used to say the same thing when he worked for me. [Laughs.]
Spernow: From the percentage of organizations that reflect your experience, George, you're right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it's going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn't been focused on anything to do with security.
What most companies are doing is taking their best-case experience and saying, "We need to have somebody in charge of security." Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he's also considered an information security specialist. So they hire him, and they task him with doing all the security.
I don't see the people who, according to George, call themselves CSOs but should be information guys only, because that's all they're actually doing. In fact I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.
Campbell: I absolutely agree that people like myself or these ex-bureau agents
Campbell: I'd underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?
Spernow: I've actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt. [For more on this, see "How to Rope in Rowdy Technologies" at www.csoonline.com/printlinks.]
Campbell: Let me ask you this, then. To what extent does a CISO's background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?
Spernow: They become technocentric. I've seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That's usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit...
Campbell: I'm reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, "Well, I suppose they could collect the trash."
It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability
Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It's easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don't necessarily have technology to address them. I've been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document
So I think technology is doing a hell of a job around what it has been built to do, but there's still an awful lot on the operational side of information protection where it hasn't been applied. Until now, we've let the CISOs have much more say in what the technocrats bring to market.
Spernow: You're inferring that we don't look at other solutions, and we're going to miss the big one that is actually going to work and that, instead, we're going to spend a lot of time looking at small ones that don't work. In a lot of cases, that is where we're at now. A lot of the controls we have here look good, sound good and they're portable, but they don't work. Because we don't take the user into account or the actual individual who is part of the threat.
Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?
Spernow: I think they try, but because the risks aren't actually threats at the doorstep, they fail.
Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn't talk than those where they truly had a partnership...
Spernow: ...because they build their moats, and it ends up being ego issues.
Campbell: Well, you know, we're the knuckle-draggers.
Campbell: The premise here is that Bill's removing the info security function from the CSO...
Spernow: ...for the purpose of the argument.