Alan Paller of the SANS Institute delivered the first talk of the day at ISSA-LA's Security Summit IV, focusing on the keys to being a successful security leader. A lot of those keys involve cutting through the bull (my words, not his).
"Everyone in information security has an opinion," he said. "But the attackers are fighting us with weapons, not opinions."
The first misconception he suggested people cast aside is that CEOs don't get security and need to be persuaded that it's important.
"CEOs don't need to be persuaded, contrary to what people say," Paller said. "The problem is that they're not buying your proposed solution."
Security practitioners can no longer persuade the CEO simply by being an "expert" and saying they need to spend money on new tools and procedures, he said. The era of compliance is over because, despite all the technological investments made in the name of compliance, systems are still not secure.
CEOs have the following questions, Paller said:
--What do I have to do?
--How much is enough?
--Who can I trust to answer these questions?
"Security leaders can answer those questions," he said. As to what makes a leader, he started by saying a real leader doesn't talk about all the things he or she has to do. A real leader simply focuses on fixing the core customer problem. Leaders are also recognized as the go-to person by customers and users; people want to work for them, and they enjoy a level of economic success.
As one example of a true leader, Paller pointed to John Streufert, who, as CISO of the State Department during the Operation Aurora attacks, got the exploited vulnerabilities fixed in short order. One thing Streufert did was hand out daily grades to his team. Winners got As and losers got Fs. "The results were posted daily, but he gave people a chance to work their way up to an A before sending the winners list to (Secretary of State) Hillary (Rodham Clinton)," Paller said. "When you're graded daily, you tend to fix things faster."
He ended with another characteristic of a true security leader: the ability to find talent. "You need to find the talent -- the people with the technical skills. These people are the tanks in the next war," he said.
One example of how to find talent, he said, is to organize cyber camps and have hacking contests. He noted that for many of today's youth, hacking is the new video game. Kids are out there breaking into systems every day, and by holding cyber camps and contests you can find the more talented among them.