Jeff Bardin doesn’t sound like an angry man, perhaps because he has a cold.
But on the line three days ago from California, the U.S. security consultant sounds terribly resigned at how chief information security officers (CISOs) are treated — at least in his country.
What prompted my call was his column last month for an IT security Web site where he protested that CISOs are scapegoats for security problems that aren’t their fault. I wanted him to expand on that.
“It’s not a thankful environment,” he tells me, which is why he isn’t a CISO any more.
“It’s a constant battle against traditional culture, it’s a battle where they (other staff) see you as a person of ‘No’ — and that’s not true, it’s, ‘Yes, but this way.’”
Bardin has 27 years of experience in IT security, including a year as director of the office of risk management at EMC, vice-president and chief security strategist for consulting firm Xa Systems and an intelligence officer for an army battalion that served in Afghanistan. He is now chief intelligence officer for Treadstone 71, a Washington, D.C.-area consultancy he formed with his wife that does risk analysis, benchmarks an organization’s information security and network security and teaches customers how to comb social networks for signs of an attack.
Most CISOs, he complains to me, still report to the CIO.
“That is a major issue and a problem, because the CIO is under all kinds of pressure to deliver new features and functionality, and that does not always include security. So security takes a back seat to the features and functionality that’s coming down from the business, and the business doesn’t always get to see or hear [about] the security issues because they’re embedded within IT.”
“In addition, they still see it as purely a technical issue, and it’s not — it’s an information issue. And information is all over the corporation.”
So, he continued, many CISOs are cautious when talking to their CIOs, fearing they may be fired for trying to push an agenda counter to the CIO’s strategy, or that they may get shut out of certain conversations, “which I’ve seen over and over.”
What will it take to elevate the role of the CISO?
“I would have thought that after all these years and all the different breaches, things would change,” he said. “But we still continue to double down on the technologies that are not protecting us, we double down on the same organizational structures.
“I think it’s going to take time to weed out the current batch of CIOs and change the model where any CIO must have three to five years as a CISO before they can actually become a CIO,” and organizations understand information security is not just a technical issue.
“I’m just not sure how to get people’s attention on this to make them realize this cannot be embedded down into where it is today, it can’t be just a subset budget-wise, and that CIOs have to be measured on information security; if they’re breached, they’re fired. I’ve only seen a few CIOs fired.”
As a consultant, he has recommended customers change their structure. “Many times they say ‘OK, but we need to mature the program first.’”
That’s fair, he said, but inevitably nothing happens.
Some of that he blames on CIOs, who fear the CISO will say something to the C-suite that makes them look bad. Chief executives might not want another person in the C-suite, I suggest. There are other ways, Bardin replies — having the CISO report to the chief operating officer, for example, or the audit. But his point is the CISO should have a separate budget based on assessing corporate risk, and not on technology.
With an outlook like that, I tease, how does he get out of bed in the morning? Bardin laughs. “As a consultant, I don’t own it,” he says. “They don’t have to take my advice.”
On the other hand, he also faults some IT people for being ambitious enough to inflate their resumes or LinkedIn accounts to become CISOs.
“There are a few in very large Fortune 100 companies,” he says, who have managed to get past HR background checks. Some say they drove a project when they were only a team member, or have created “phony metrics” on performance, or created a title like director of cybersecurity when they were only an IT director.
“It does a disservice to the CISO who has really worked to get there.”
Bardin also believes that too many organizations rely on defensive strategies — defence in depth, looking for evidence of penetration along the kill chain — rather than going on offence.
Security pros should be involved in cyberintelligence to learn who the organization’s adversaries are. By penetrating their online forums and gathering information passively on their skills and tactics, organizations can build their defences.
And, he adds, they can go on a preemptive strike if necessary.
“I’m advocating — and this usually stirs up a lot of conversation — that corporations do this. How they do it, and what their liability is and whether they ask a third party to do it for them, this is their business. There’s ways to make sure there’s complete anonymity, it’s off your corporate network, you’re using methods to hide the IPs where it’s coming from. But if you don’t sling back at these folks they’re going to continue to come back and hit you.”