Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

George Campbell doesn't pull punches. Trust us. After CSO's first issue was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw in our approach to covering CSOs. We were focused too narrowly, he said, on the tactical CISO role and not the strategic CSO role.

In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He's concerned when he observes that CISOs have "captured" the title of CSO without really having the requisite skill set. And he's frustrated by what he views as "intellectual arrogance" on the part of IT-centric information security officers. (OK, he actually calls them "propeller heads," but they started it, he says, by suggesting that CSOs are just retired cops who don't understand technology.)

Of course, we couldn't resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn't a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, "I'm surprised your parole officer let you do this, Bill." Spernow ended the conversation by tipping his hat to his old mentor: "Good to see you're still out there making people uneasy, George."

CSO: We were turned on to this idea by you, George, when you wrote to us about this topic. You read the first issue, and the letter didn't read like you were surprised by the focus on IT; disappointed certainly, but not surprised.

Campbell: Well sure. I've actually had several people send me responses to the letter you published. Here's one I got recently: "I read your letter in CSO magazine with interest. FYI, attached please find an executive summary of a CSO leadership program prepared by the Center for National Software Studies. This program focuses on IT security and the role of the CSO." I responded to that clown as follows: "[Sir], thanks for the information. As I indicated to CSO magazine, what you and others are describing is a CISO, with an emphasis on the I." I can only conclude that this guy either doesn't read or doesn't understand what he's reading because I made it fairly clear that the CISO deals with some of the most critical assets of any modern corporation. But the role is nevertheless narrower by some significant measure—depending on what the asset base is of a company—than that of a CSO who has to investigate, do background vetting, due diligence examination, business continuity planning, security operations, first response—the whole nine yards.

I get offended when I see the CSO title being captured. Why do they feel compelled—Bill, why do you feel compelled—to take that title, which to me doesn't imply what their job is?

Spernow: Well, because George is right, and George is wrong.

Campbell: He used to say the same thing when he worked for me. [Laughs.]

Spernow: From the percentage of organizations that reflect your experience, George, you're right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it's going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn't been focused on anything to do with security.

What most companies are doing is taking their best-case experience and saying, "We need to have somebody in charge of security." Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he's also considered an information security specialist. So they hire him, and they task him with doing all the security.

I don't see the people who, according to George, call themselves CSOs but should be information guys only, because that's all they're actually doing. In fact I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.

Campbell: I absolutely agree that people like myself or these ex-bureau agents—who don't come from a background of information protection in the cyber age—have no business fancying themselves as CISOs. But there's nothing wrong with them leading that effort as part of the global security strategy, as long as they've got the Bill Spernows of the world working within that team, whether directly for them or bridged in some sort of security council.

CSO: So George sees the CISO role as tactical and the CSO role as strategic. It also seems like he sees it, in some cases, as hierarchical, with the CISO under the CSO?

Spernow: I don't think so. The larger the organization, the more likely the security effort will be accomplished if the CSO and the CISO are on a peer level. In a midsize company, I'd recommend that the CISO be independent to the point where maybe he reports to legal as opposed to IT because most of the IT exposure you'll see from the information side is legal liability. And if you don't have the backing of legal to argue your case in front of the board, then you're probably not going to accomplish too much.

Campbell: I'd underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?

Spernow: I've actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt.

Campbell: Let me ask you this, then. To what extent does a CISO's background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?

Spernow: They become technocentric. I've seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That's usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit …

CSO: … they suddenly become technology problems.

Spernow: Yes, but CISOs don't really grasp the real physical threat, or the human threat. I agree that having CISOs take on CSO responsibilities is usually a disaster. Once they've been exposed to it and integrate it into their mind-set, they can be effective. But it's an uphill battle to make them change their mind-set.

Campbell: I'm reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, "Well, I suppose they could collect the trash."

CSO: There does seem to be an institutional arrogance on the IT side. I don't mean it to be a reflection of personal character. Just, you know, that everything is a problem that technology can solve.

Spernow: For those organizations that have the budget, I'll agree with you that the technology becomes a solution, regardless of whether it's actually applicable, because it's familiar. If I ask an auditor to do an audit, he's not going to look at AI approaches to technology. He's going to say, "Give me the books and let me look at the columns." Our history condemns us to certain limitations.

It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability—to essentially come into an organization and get it to think another way—I mean, that's the challenge that we all face. The biggest challenge I've had here is getting my employees to think like crooks, instead of like IT guys trying to stop crooks. If they can't think like crooks, they're never going to see the things that I need to know about.

Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It's easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don't necessarily have technology to address them. I've been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document—these guys who are too damn important to think about things like that—they leave it for others to deal with, which is a security issue.

So I think technology is doing a hell of a job around what it has been built to do, but there's still an awful lot on the operational side of information protection where it hasn't been applied. Until now, we've let the CISOs have much more say in what the technocrats bring to market.

Spernow: You're inferring that we don't look at other solutions, and we're going to miss the big one that is actually going to work and that, instead, we're going to spend a lot of time looking at small ones that don't work. In a lot of cases, that is where we're at now. A lot of the controls we have here look good, sound good and they're portable, but they don't work. Because we don't take the user into account or the actual individual who is part of the threat.

CSO: Let's get back to the CSO versus the CISO. Has there been a tacit promotion of CISOs in some organizations to take on some of the broader CSO roles, whether or not the anointed individuals are prepared?

Spernow: I'll be honest with you, when I was involved in the analyst community, we were all writing papers that said, "You need to have a CISO as part of your staff because you need somebody to champion the budget for info security that we see coming down the pike. And if that budget is left to IT, it won't be spent well." So in some cases we've created this quagmire of putting a person in the position [whose credentials weren't] truly analyzed in depth. But it made sense at the time.

Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?

Spernow: I think they try, but because the risks aren't actually threats at the doorstep, they fail.

Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn't talk than those where they truly had a partnership ...

Spernow: … because they build their moats, and it ends up being ego issues.

Campbell: Well, you know, we're the knuckle-draggers.

Spernow: Right.

CSO: George has said more than once that CISOs think CSOs are just cops, that they lock gates and so forth. Talk about those biases and how you get past them.

Spernow: From a CISO perspective, we see CSOs—without the info security role—as those whose methodologies are proven from a tactical perspective. That allows them to be totally strategic [in their focus]. In comparison, CISOs are always dealing with new developments. So we have to bounce between tactical and strategic [orientations]. For example, I'm struggling with intrusion detection and prevention, trying to deal with behavior patterns of traffic for which there are no set methodologies of counteraction. I'm trying to be strategic, but I have to figure out how this will just work. I'd like to be in the CSO's position where he has that luxury, of being strategic all the time. CISOs don't have that luxury.

Campbell: The premise here is that Bill's removing the info security function from the CSO ...

Spernow: … for the purpose of the argument.

Page 1 of 2