Why cybersecurity will suffer the same fate in 2015 as it did in 2014

Cyber security in 2015 – Skating away on the thin ice of the new day


9. When you hire military intelligence analysts, be sure they know how to spell cyber. Just because they are analyst trained does not mean they have a clue in the information security arena. They need a solid indoctrination in industry and the information security space. Establish programs to get them there. They will get the job done for you if properly trained.

10. Why is it that CISOs need a multitude of certifications and CIOs don’t need squat? There are complete programs at colleges and universities around the globe built for training information security staff yet nary a one I can find that is completely dedicated to creating CIOs (CIOs with information security as a standard, required pedigree). Each CIO needs to have three to five years’ time in security grade, time in security service before consideration as a CIO. They cannot be the CEO's buddy, the CFO's junior staff or from the outside auditing firm who audits your books while another segment of the same firm performs IT audits.

11. We still see an extreme lack of maturity in the IT space for foundational elements. IT shops don't know what assets they have, how they are configured, who has access to them, or how and when they were last changed and by whom. Software is not written with closing holes in mind, nor written (and I really hate this misnomer but have to use it for understanding's sake) securely. There is no such thing as secure code, only code that has been properly written, tested and validated to do what it says it is going to do, and only that, no matter the input. Monitoring is incident driven, and projects are not run with full-fledged project schedules including dependencies, slack and costing (let alone a mention of earned value management).

12. And then there is #12, who by the time they have read to this point are completely incensed at the above words, largely since they are part of the problem.

To cover the 12 areas without the narrative:

  1. CISO reports to the CIO
  2. Cyber Security budget is a percentage of the CIOs budget
  3. CISO does not have the academic or position credentials or their resume is phony
  4. Information Security is not embedded in every project throughout the company
  5. CISO has no access to corporate leadership, audit committees or external boards
  6. IT staff do not secure what they own
  7. Cyber Security leadership is from law enforcement
  8. Organizations who focus on APTs, the Kill Chain and Incident Response – operationally / technically
  9. Hiring of military intelligence staff who have no cyber experience
  10. CIOs in place with no security pedigree
  11. IT organizations who have not matured foundational configuration, change and release management
  12. The group who will debunk this list since it is very close to home

I have been in this game for nearly three decades. In almost every IT program I have encountered and every information security organization I have engaged, the problems remain the same. You can close your eyes and hear the same people making the same excuses, deflecting the same issues today as they did and have for 30 years. The CISO is held as the scapegoat. The CISO is shot for communicating the message. The process of communicating the message becomes the target for remediation. True causal analysis is not performed, only analysis that keeps the finger pointed at the wrong individual or group. All while IT and the CIO skate away on the thin ice of the new day (thank you Jethro Tull).

Copyright © 2015 IDG Communications, Inc.
