CSO and CISO: Mad About You

The Scene

A trendy restaurant in downtown Chicago. Jake DeLaw, CSO for a large consumer products company, taps his fingers on the table, checks his watch and keeps his eye out for a 5'7" brunette in a black pantsuit. He's nervous; it's the first date he's had since his wife up and left him 10 months ago for one of his former FBI buddies, the weasel. He surveys the room, putting to memory the location of the emergency exit, a habit he picked up during his years in the bureau. Cripes, it's loud in here, DeLaw thinks, as synthesizer-heavy Europop music cranks through the speakers (why can't they play Sinatra or Bennett?) and mixes with the high-pitched buzz of twentysomethings throwing back fluorescent drinks and shouting over each other.

Melissa Hardrive strides into the restaurant. Hardrive is the CISO for a national trucking company. She's recently ended a relationship with her Pilates instructor and only grudgingly agreed to meet Mr. DeLaw, a friend of a friend. She eyes a slightly graying, square-jawed man in a dark suit and tie, collarless shirt sitting by himself and guesses she's spotted her dinner companion. The hostess leads her to his table.

DeLaw (standing up, offering his hand): Hi Melissa, Jake DeLaw. Very nice to meet you.

Hardrive: Melissa Hardrive. It's a pleasure. (They sit; the server brings over two menus and a wine list. They chat briefly about the weather and the price of oil. When the server appears, DeLaw orders a crabcake appetizer and a rib eye for an entrée, Hardrive the foie gras ravioli and striped bass. After some discussion, they agree on a bottle of Bordeaux. Hardrive notes DeLaw's ease in navigating the wine list; she was half expecting him to ask what light beers they had on tap.)

DeLaw: Well, I never expected to be having dinner with another security type. I understand you head up infosecurity at Bigwheels?

Hardrive: Yes. And you're the CSO at Skindeep?

DeLaw: Yeah, I've been there two years now. I'm the knuckle-draggin' corporate cop, making sure our shampoos and lotions make it to your bathroom in an unadulterated fashion.

Hardrive: And what did you do before you entered the world of glamour?

DeLaw: Well, let's see, I spent 15 years with the Chicago PD, then joined the FBI sometime around 1990. After a dozen years or so, I realized that putting three kids through college was going to be, uh, a bit of a challenge. That's when I decided to jump ship for the huge bucks. (He chuckles.) And you? How long have you been at Bigwheels?

Hardrive: Seven years. Before that I worked at an insurance company, before that a software company, and before that I was a geology major. IT security, in my view, begins with rocks.

DeLaw: I see. I was an economics major myself. But the opportunity to wear a badge, carry a nightstick and scream, "Hands on your head!" won me over.

Your CSO is Bill Krimeseen, right? Good guy. Old school.

Hardrive: More like ancient school. I've been trying to convince him for years that he needs to get a better handle on technology, but he shuns it like kryptonite. He still has that stovepiped mind-set that security is all about guards, guards and more guards, and that IT security is best handled by us "pinheads," his term. When I or the other members of my staff sit down and try to explain to him what we're doing, he barks that everything we're trying to tell him is unintelligible. Just last week I tried to talk to him about a TCP port 80 problem, and his eyes glazed over like a Krispy Kreme.

DeLaw (a bit taken aback by her forthrightness and now feeling a little defensive): Hmm...not sure I blame him. When you throw terms like that around, most folks outside the IT domain are going to lose interest pretty quickly. I've spent a bit of time with my CISO the last two years trying to gain some understanding of our company's systems, and I have to admit, it can be an exercise in frustration at times.

You also need to remember that it's rare to find someone in a C-suite or on a board who knows how to get down and dirty with IT, who knows the difference between a firewall and a fire exit. So I'm responsible for taking all the techie talk and turning it into plain English for them. With a few colorful charts thrown in of course.

Hardrive: I'll admit that sometimes we can be a little too liberal with our acronyms. But frankly, Jake, I'm sick and tired of hearing that lame old complaint over and over again. It's a new world. Get used to it. I'm talking about my CSO, of course. You sound a little more enlightened, I think. (She smiles.)

(Appetizers arrive. The conversation switches to the recent election, da Bears, the best South Side hot dog joints, before returning to their chosen profession.)

CULTURAL DIVIDE

DeLaw: So how does the IT staff at Bigwheels view Bill? Does he scare the bejeezus out of them?

Hardrive: Let me preface my answer by saying that I like Bill. But he does intimidate some people. It could be the crew cut; or perhaps his fondness for expertly weaving vulgarities into his sentences.

DeLaw: Speaking as a CSO, I will say that I've been the target of many zingers from the IT department. I'm the big, bad guy who puts (heaven forbid!) controls on their access. Take developers, for example. They love to leave doorways into their applications so that when problems hit they can get into them more quickly; it's more convenient for them. But these are the same doorways that the bad guys exploit.

When there is an attack from the outside, the techies do a good job trying to put the fire out and preserving the integrity of the system. But a lot of times, in the process, they accidentally destroy evidence. That makes my job tougher; when I come on the scene, I need to preserve any and all evidence: where the adversary came from, how he got in. I need that evidence for investigation and prosecution purposes. Sometimes it ain't there; that gets my dander up.

Hardrive: I hear what you're saying, Jake. But you've got to remember, the IT staff is constantly under the gun to please the business units, to make sure productivity never suffers or hits any bumps. Sometimes that pressure leads people to take shortcuts. I'm not defending the fact that security concerns are often secondary to efficiency, but with the cost-cutting of the last few years, there are fewer techies responsible for more systems. So they do what they can to make their jobs a little easier. That's the reality.

Frankly, Bill hasn't gained the respect of the IT staff, since he's out of his element when it comes to technology. You know, a number of us infosecurity types think it's easier to take a techie and make him a cop than take a cop and make him a techie. Here's my theory: A classically trained physical security person uses all five senses to process information and figure out solutions. If you take him out of that world and put him in a cyberenvironment, he's forced to rely on just his visual sense, what he can see on a screen. That's a struggle for most of them.

DeLaw: Wow...can't say I've heard that line of reasoning before. I don't think the fact that I can't smell a computer hinders my ability to get a handle on a cybersecurity event.

Maybe your theory is, in fact, senseless. (He grins, hoping she isn't too offended.)

But let's get back to controls for a second. The IT folks complain that their freedoms have been taken away, even when the most basic controls are implemented. I'm talking about passwords failing after a few invalid attempts; passwords expiring every 90 days; monitoring privileged users. Cripes, when I joined the company, thousands of people had privileges. It was more uncontrolled than a wildebeest stampede.

From a security point of view, I think the most dangerous person in the company is the LAN administrator. They have the keys to the kingdom. Worse, sometimes they're nonexempt, hourly workers, or, and this blows my mind, the job is outsourced. That's scary.

(Entrées are delivered.)

RISKY BUSINESS

Hardrive: It is scary, and that's why all my privileged users are monitored. I know the threats we face both inside and outside, and my job is to worry about them day in and day out. That's where I think a lot of you physical guys fall short; it's hard for you to adjust your mind-set (those five senses I talked about earlier) to the new, virtual threats. I understand why; you're used to measuring and mitigating risk by relying on years of legacy data, such as crime rates in cities or the likelihood of someone stealing a laptop. CISOs can't rely on such data. Every day there are new threats, yet no risk metrics to measure those threats. If there's a zero-day exploit, we need to be prepared for that. This lack of good risk data is one of the reasons CISOs sometimes have trouble communicating with CEOs and boards. Those folks understand the physical guys when they talk about risk; it's harder for them to comprehend virtual risk.

That makes my job (if I may lose my humility for a second) more complex in many ways than that of the traditional, physical security exec. That guy has a limited checklist of things that need to be right to be good; once you've got proximity badges, guards, locks and cameras, you have a pretty secure infrastructure. I, on the other hand, have a list of 150 things I need to worry about; in a big company, I'm dealing with vulnerabilities that pop up hourly, such as someone doing a marketing research project who introduces a new Web server and website that's insecure, or that inadvertently creates a tunnel into a database. We're often accused of being overly paranoid; that's why.

DeLaw (making hacking noise): Please pardon me (cough), must have gotten an asparagus spear (cough) caught in my throat.

Melissa, you're grossly underestimating the responsibilities of the CSOs I hang out with. You don't really believe that cameras and locks and guards comprise my whole security portfolio, do you? Let me tick off a list of some things we do that you probably never think about. Take background checks, for example. I'm guessing you'd be happy to know the folks that work in the offices next to you aren't convicted felons or potential troublemakers. Along the same lines, you and your coworkers work in a safe office environment, partly because of the cameras, guards and access control measures that some people find a nuisance.

How about risk management? Take, for example, all those outsourced IT vendors my IT department works with in India and China and Russia. Many people at Skindeep don't realize that we vet those companies thoroughly, making sure they have strong physical and information security measures in place, before any contracts are signed. We also ensure the safety of our employees abroad, whether they're traveling or stationed overseas. My department also makes sure that every link in our supply chain is in compliance with our policies and procedures, which keeps our products safe, keeps costs down and preserves our brand integrity.

I haven't even mentioned crime investigations, crisis management and business continuity. Oh, there, I just did. So, Melissa, while I appreciate all you have to do to maintain a safe network, I hope you'll open up your eyes to the multitude of areas that I manage as well. It's a pretty full plate.

Speaking of full plates, how's your fish?

Hardrive: Quite good, quite good. Your rib eye?

DeLaw: Perfect. I popped an extra Lipitor before I left my house to make sure I had a guilt-free time.

DÉTENTE

Hardrive (chuckles): Okay Jake, I admit I may have underestimated your responsibilities. Perhaps it's because I've been dealing with so many new and ever more creative cyberthreats during the past few years that I've inadvertently put some blinders on to the other threats facing companies like Bigwheels and Skindeep. You've motivated me to reach out to Mr. Krimeseen, to make a greater effort at improving our working relationship. In fact, there's a disaster recovery meeting I was going to send one of my managers to next week; I think I'll attend myself.

(They order another bottle of wine. Hardrive, on a roll, decides to share her vision of the CSO future.)

I have another theory that may shock you. I think my job is going to go away as an executive position in the future. Why? Because, as you said earlier, it's hard for other senior execs to relate to a CISO; they lack the technical background. They understand surveillance cameras and exposed doors, but they don't understand open ports or rogue devices being hooked up to networks. I think infosecurity will morph over to the physical side, that we'll begin to see true convergence.

DeLaw: Well, I can't disagree with you....I do think the CSO and CISO roles need to be integrated. I'm fortunate the powers that be at Skindeep understand the need for the two positions to work together, not in isolation. Though we can probably do more on that score.

Hardrive: But here's the kicker, Jake. I think the primary focus of the new, improved CSO will be infosecurity. With all the new regs in place (Gramm-Leach-Bliley, Sarbanes-Oxley and the like), boards are going to see the light; they'll start to understand how important infosecurity is. They're going to understand that we virtual mavens have the chutzpah and the know-how to combat the moving targets that threaten to wreak havoc with our networks.

In short, Jake, I think it's the CISO who's going to become the CSO. There, I said it. Please don't hit me over the head with your steak.

DeLaw (laughing, shaking his head): And here I thought this dinner was going so well. Melissa, you and your kin will need to jump up a few levels, and get out of IT, before you get to breathe the rarified air I'm inhaling.

Maybe at that point, you and I can revisit your prediction over dinner. But I fear I'll be real hungry by the time that comes to pass. So how about next week?

Hardrive: Perhaps...though I'm still not used to the idea of being seen with a knuckle-dragger in public.

DeLaw: For being prehistoric beasts, we sure dress a heck of a lot better than you.

Copyright © 2004 IDG Communications, Inc.