George Campbell doesn't pull punches. Trust us. After CSO's first issue was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw in our approach to covering CSOs. We were focused too narrowly, he said, on the tactical CISO role and not the strategic CSO role.
In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He's concerned when he observes that CISOs have "captured" the title of CSO without really having the requisite skill set. And he's frustrated by what he views as "intellectual arrogance" on the part of IT-centric information security officers. (OK, he actually calls them "propeller heads," but they started it, he says, by suggesting that CSOs are just retired cops who don't understand technology.)
Of course, we couldn't resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn't a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, "I'm surprised your parole officer let you do this, Bill." Spernow ended the conversation by tipping his hat to his old mentor: "Good to see you're still out there making people uneasy, George."
I get offended when I see the CSO title being captured. Why do they feel compelled
Spernow: Well, because George is right, and George is wrong.
Campbell: He used to say the same thing when he worked for me. [Laughs.]
Spernow: From the percentage of organizations that reflect your experience, George, you're right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it's going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn't been focused on anything to do with security.
What most companies are doing is taking their best-case experience and saying, "We need to have somebody in charge of security." Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he's also considered an information security specialist. So they hire him, and they task him with doing all the security.
I don't see the people who, according to George, call themselves CSOs but should be information guys only, because that's all they're actually doing. In fact, I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.
Campbell: I absolutely agree that people like myself or these ex-bureau agents
Campbell: I'd underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?
Spernow: I've actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt. [For more on this, see "How to Rope in Rowdy Technologies" at www.csoonline.com/printlinks.]
Campbell: Let me ask you this, then. To what extent does a CISO's background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?
Spernow: They become technocentric. I've seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That's usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit...
Campbell: I'm reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, "Well, I suppose they could collect the trash."
It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability
Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It's easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don't necessarily have technology to address them. I've been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document
So I think technology is doing a hell of a job around what it has been built to do, but there's still an awful lot on the operational side of information protection where it hasn't been applied. Until now, we've let the CISOs have much more say in what the technocrats bring to market.
Spernow: You're inferring that we don't look at other solutions, and we're going to miss the big one that is actually going to work and that, instead, we're going to spend a lot of time looking at small ones that don't work. In a lot of cases, that is where we're at now. A lot of the controls we have here look good, sound good and they're portable, but they don't work. Because we don't take the user into account or the actual individual who is part of the threat.
Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?
Spernow: I think they try, but because the risks aren't actually threats at the doorstep, they fail.
Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn't talk than those where they truly had a partnership...
Spernow: ...because they build their moats, and it ends up being ego issues.
Campbell: Well, you know, we're the knuckle-draggers.
Campbell: The premise here is that Bill's removing the info security function from the CSO...
Spernow: ...for the purpose of the argument.
Campbell: Understood, understood. But if you do that in the real world, the person we're talking about isn't really a CSO anymore. The notion of a CSO must extend to all aspects of protecting assets, including information assets. The perception that we have the luxury of being more strategic
Spernow: George is correct in that the CSO cannot appreciate the technical challenges I have because, in a lot of cases, I don't understand the challenges myself. And if I don't, I'm damn sure a CSO won't.
Spernow: I don't think I agree with this whole "laws of physics" assertion. Conceptually it might be valid, but in reality we're experimenting every day in how we do this. We're not dealing with set laws.
Campbell: The sad thing is the need to even have a debate like this. When you peel it back, we're all in the same business. The fact that there's a vocabulary, tools, principles applied by CISOs that are arcane or hard for a layman like me to understand doesn't one bit change the fact that we're all here to provide integrated controls. Integrated. Underscore that. I have to think about being prepared to work with information security executives; and when it hits the fan, they have to be prepared to help me.
You know, it's all about vocabulary. CISOs will say, "You guys just aren't going to understand what I'm trying to deal with here. It requires knowledge that you guys don't have." Acknowledged, right, understood. But suppose I ask, "What's the purpose of the technology, this lexicon that I don't understand? What are you trying to do?" And the CISO says, "Well, I'm trying to protect against intrusion." Ah! That I can understand.
Spernow: On the other hand, we're considered a bunch of propeller heads...
Campbell: ...pointy-headed propeller heads. [Laughter.]
Spernow: We're looked at as techies who somehow managed to wriggle into management. [People like George] view us as being here because of a special skill set and not necessarily because we can do the job.
Campbell: I think CISOs start with the assumption that those guys on the other security side, that CSO team, just aren't going to understand what my problems are. They don't understand what I'm up against, they don't understand the technology, so what's the sense in even talking to them.
Spernow: But how do you get around that? It's tough, because you've got to essentially convert people to your way of thinking without offending them, and make them understand what you're trying to do and why you're doing it. I mean, that's probably the toughest job that I have on a daily basis.
Campbell: But what happens when it hits the fan? We need a set of protocols between the two organizations so that, when there's an intrusion, someone separate from the IT side is making sure that evidence is preserved, that logs are preserved. It's like arson: IT wants to put the fire out. I'm looking for evidence after the fire is out.
Spernow: But if you try to do it during the incident, you're shooting yourself in the foot
Campbell: Getting back to the model Bill has adopted
Spernow: Always, always. It's the biggest battle I've had here. If I see an organization where the CISO reports to some IT component, I see a position that's not working, guaranteed. The conflict of interest is just too much to overcome. Having the CISO report to IT, it's a death blow.