Category Archives: CISO

Compliance risk, the risk management trump card

Bookmark This (opens in new window)

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

What security professionals can learn from Eliot Spitzer

Bookmark This (opens in new window)

Eliot Spitzer, the [soon-to-be-former] governor of New York State has resigned due to his being involved in a highly publicized sex scandal.

Corporate security professionals, time to sit up and take notice. I’m talking to CISSPs, CISAs, CISMs, and those in positions of ISO, ISSO, CISO, as well as Manager / Director / VP of IT Security.

As I have opined before, we are obliged to lead our organizations by example, in terms of prescribing and demonstrating desired behavior of employees on the protection of all corporate assets, including information. Leading by example means working transparently, of working every hour as though others are watching.

Eliot Spitzer gave in to his carnal desires and indulged in prostitution because he thought that he could keep it hidden. But behavior is like pouring water onto a sponge: for a time the sponge will soak up the water, keeping its presence hidden; eventually, however, the water – like the illicit behavior – will overflow and be impossible to hide. But like a frog in boiling water, Gov. Spitzer probably indulged in small ways at first, but proceeded slowly until he was no longer in control of his behavior / addiction.

Security professionals, there are steps that you can take to avoid falling into a trap of undesired behavior:

1. Be accountable. Pick two or more peers with whom you can meet every week to discuss your activities. These individuals must be trustworthy and themselves above reproach.

2. When you feel the tug of undesired behavior, confide in these accountability partners. Then, listen to their advice; if it is sound, heed it.

3. When you partake in undesired behavior, confess it to your accountability partners. Listen to their counsel; if they are loyal and have personal integrity, they will not chastise you for your behavior but instead help you to get back onto the right track.

4. Keep no secrets. Tell your accountability partners everything that you do. Keep nothing back. Share even the deep recesses of your “thought life” – which is the kernel of future behavior.

While it will be convenient to select accountability partners from the workplace, you should not choose your superiors or your staff. Instead I recommend that you choose individuals in your organization who you do not work with routinely or, better yet, choose individuals who do not work in your organization.

You can only be accountable to others when you allow yourself to be accountable to you.

Some principles of behavior:

A. If you were an outsider and would judge or criticize your own behavior, spend more time seriously considering what you are doing, and get yourself onto a path of change.

B. Do not be afraid to ask for help.

C. Learn to forgive yourself for your mistakes.

D. Do not give up.

There is an old saying: “There is no such thing as a complete failure; they can always be used as a bad example.” Gov. Spitzer may be a bad example today, but his example should help others to be introspective and re-examine their own behavior.

Remember the security professional codes of ethics:


Other postings:

CIA Triad also the basis for our ethical behavior

A call for character and integrity

Principles that guide the Christian security professional

Personal integrity the keystone in an information security career

Integrity begins within: security pros lead by example (Computerworld)

Form your own CISO-level peer group

Bookmark This (opens in new window)

A frequent complaint that I used to hear from fellow CISOs was that there were not any good associations or events that they could participate in, where they could network and share ideas. The events and associations that were available either attracted too many tactical-level security professionals who wanted to talk about firewalls and pen testing, or they were thick with predatory vendors. We just wanted a place where we could discuss our issues away from vendors and practitioners.

Pacific CISO ForumThe solution? We formed our own group: The Pacific CISO Forum (occasionally referred to as the Pacific Northwest CISO Forum). We organized in early 2003, and today we have over 60 participants.

Here are many of the secrets of our success:

  • Do not formally organize. We are not an association; we are not incorporated; we have no officers, dues, or members. The primary reason for this is to enable public-sector participants to speak freely about their issues without being subject to FOIA. Were we an official organization, then public-sector participants could be compelled to document discussions that could be disclosed later on. So, we do not have “members”, but instead we have “participants”. We are just a bunch of people who know each other and hang out and talk about matters of mutual interest and importance.
  • Do not use NDAs. When we first got together, we developed an NDA, but this was quickly met with resistance from many of our participants’ Legal departments who refused to permit us to sign them. Instead, we…
  • Adopt Chatham House Rules. In other words, what is said here, stays here. The formal definition of Chatham House Rules is: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.
  • No vendors or consultants. Vendors and consultants are not among our ranks. Criteria for participants is that they have strategic-level responsibility for data security in their organization.
  • Build a bond of trust. In our early days, as we struggled with the NDA issue, we got to know each other and a bond of trust began to form. Soon, we realized that the NDA was a form of artificial trust that was soon unnecessary.
  • Meet as often as needed. In our first year, we met every month, but attendance suffered. At the end of our first year, we wondered if we would survive. A small number of us had some “come to Jesus” discussions where we re-examined our principles and re-invented the Pacific CISO Forum. We changed to quarterly meetings, scheduled far enough in advance that we could get it on our calendars.
  • Grow through invitation only. The quality of our group is a result of quality networking. We invite people we know who have strategic-level security responsibilities in their respective organizations. When we have a new prospective participant, the sponsor sends an e-mail to the rest of the group, describing this person: who they are, where they work, what they do there, and wait for other participants to respond. Only 2-3 times in the past five years have we declined a participant’s joining us: they were either vendors, consultants, or were tactical and not strategic.
  • Determine and meet the needs of participants. In every meeting, we open the floor to everyone, so that we can talk about our respective security issues and discuss them openly. We always ask, what topics would you like to hear in future meetings? This helps us to figure out our agenda from one meeting to the next.
  • Use inside and outside speakers. Many in our group are experts in several subject areas, and half or more of our speakers and presenters are our own participants. This provides opportunities for participants to share their successes, failures, and challenges. It also gives us opportunities to hone our public speaking and presentation skills. Similar to the rules for participation, we do not invite vendors to speak at our events.
  • Start a private website or listserv. We are fiercely private and do not disclose any information about our members. Primarily we do not want vendors to have access to our names or e-mail addresses.
  • Leverage other events. Frequently, we will schedule our meetings to coincide with regional ISSA meetings and other events. This helps keep participation up by recognizing that we can’t attend all of the events that we want to – that we must instead pick and choose which events we will attend throughout the year.

Since we formed five years ago, we have become a respectable group of professionals. We help each other, we encourage each other, and we share information among participants that would otherwise not reach many of our participants. Some of the information that you’d see on our mailing list includes:

  • Positions wanted
  • Position openings (we do not permit recruiters to post on our list, but we will sometimes post for a recruiter who is looking for a strategic-level security person)
  • Training events
  • Trade association meetings (e.g. ISSA, InfraGard, CTIN)
  • Cyber security incidents
  • Help with local and national cybercrime cases

If you are considering starting a group like the Pacific CISO Forum and have questions, please write to me by filling in a comment in the form below. Your question or comment will remain confidential and will not be posted on this site (unless you want it to).

Pacific CISO Forum in the news:

Peer to Peer (Information Security Magazine)