On the December 18 Virtualization Security Podcast, we were joined by Rafal Los (@Wh1t3Rabbit) to discuss whether it is time for CISOs to move on. Should CISOs start to look beyond simply the problems at hand? Should they drive security into all decisions made at the business and architecture levels? The discussion was mixed, to say the least.
CISOs have the unenviable position of trying to enforce compliance and security within an ever-changing realm of IT and development. At the moment, it seems CISOs and security teams are playing Whack-a-Mole while trying to align with the business. These are usually counterproductive approaches to security. First, you are out solving problems that may actually be counter to the business as a whole. Why? Because security seems to be the last team brought in on new projects and new business directions.
So, while CISOs are out fighting fires, the house around them is being rebuilt, and they have to find their way around once more, nearly every day. Perhaps it is time for the CISOs to take a step back and assign a team to concentrate on the future. Actually, Rafal said it best: CISOs need three teams—one concentrating on current issues, one on near-term issues, and one on the future. Each of these teams should be business focused without losing any security knowledge. Just because the business wants to head in direction A does not mean it should settle the security perspective on that direction without having security involved from the beginning. Yet, this may be what the CISO does not have time to do.
So three teams, if you have the folks. One should concentrate on the here-and-now, Whack-a-Mole, day-to-day activities. The near-term folks should look at what is coming up immediately, so that CISOs can start to do a bit of early planning. Last are the folks who are looking at the future, determining where the business is going and then seeing if the tool suite currently in use will meet those needs. The real issue is how these future folks can get involved.
We have said it on the podcast many times: if you are involved in IT Security, the best thing to do is go to the IT architecture meetings and just take notes. Say nothing, exclaim nothing, just go and listen. Once you have determined the direction in which IT is going (and this will take more than one meeting), then you can contribute from a position of knowledge: knowledge about the business direction and knowledge about current and future security practices. However, if you go to those meetings expecting to contribute from your position of half-knowledge, then you are doomed to failure, and security will once more be marginalized.
If we could develop a multistep program for CISOs for next year, it would include the following steps:

  • Realize that you have a security problem, the current in-use tools will not fix it, and there is no silver bullet. Accept the fact that you need a suite of security tools.
  • A suite of security tools is only as good as the architecture. Security MUST be involved with architecture.
  • Attend architecture and business meetings with the intention of just listening. If asked why you are there, you can say you are there to learn, so that security can meet business goals.
  • Divide and conquer. Set up teams to play Whack-a-Mole, teams to do near-term planning, and teams to do long-term planning.
  • Ensure that these teams talk to each other. If the architecture calls for a particular type of security product, it would be great if the Whack-a-Mole and near-term teams knew about it so that they can start to use the product instead of choosing the complete opposite set of products.
  • Pay close attention to the business. “How can security help the business?” should be the question on everyone’s lips.
  • Train security-conscious folks in development and operations to be your hands and eyes in their areas. If they have the knowledge, they can pass it along to others.
  • Use existing application performance management tools used by development and operations as an early warning system for security issues. Why reinvent the wheel, when tools that track impact on critical applications already exist?
  • Gain a true understanding of the security of all the data in use by all applications. In other words, classify your data.
  • Embrace the cloud; trust but verify.
  • Realize you cannot stop everything, but you sure can audit most things. Robust but useful auditing will find attacks earlier.
  • Realize security is an architecture, not a single product.
  • Most of all, all CISOs should take a step back and ask themselves whether they are involved with the future of the business or just playing Whack-a-Mole. If it is the latter, get involved.
  • Put the KNOW in in-KNOW-vation.

Most CISOs want to be aligned with the business, but they get pulled in too many directions at once. They end up just firefighting. The solution? Take a breath, step back, and do some planning. Even if it is just an hour a day, you should not only be able to align with the business better, but also to plan your security architecture based on the direction of the business.
This is an important question—granted, one that started as a Twitter conversation, but it should continue. The burden of involvement is currently on security’s shoulders. With a bit of planning, we can shift this to the business, where it rightfully belongs. However, this is not easy to do: necessary, but not easy.
Are we past telling CISOs to be business aligned? No, not yet. But the next step is to be part of the solution, not an outsider. That will be the best way to transform security. How have you involved security in your work today? Ask them for advice; they may surprise you.