Most IT and security professionals are all too familiar with the term “CISO.” But for all you non-security B2B tech professionals out there, the title CISO (Chief Information Security Officer) dates back to 1996, when Steve Katz joined Citicorp/Citigroup to head up the security department, and voila, the title emerged. So what’s changed over the last 20 years, and how has this role evolved?
Phillip Miller, CISO of Brooks Brothers, addressed this loaded question to a room full of Infosec 2017 attendees last week during his keynote: “Hacking the Internet of Things (IoT): Driving Security When Everything is Connected.” In his presentation, he explained three types of CISO personalities you don’t want to have as the threat landscape continues to evolve.
His keynote comes at an interesting time. Thanks to the now-infamous IoT and the growing number of vendors connecting everything from baby monitors to automobiles to the Internet, cybersecurity has often been an afterthought in design. This month is the one-year anniversary of the Mirai-fueled IoT botnet responsible for the distributed denial-of-service (DDoS) attacks against DNS provider Dyn. Remember this one? You should if you live on the East Coast: half of the Internet was wiped out. Your Netflix show probably stopped playing because Mirai compromised a number of IP-enabled cameras, DVRs, home networking gear and other connected devices from Level 3 Communications.
Everyday items in homes are now in a constant state of being hacked. It’s up to CISOs to stop that from happening – the buck stops with them. But what bad habits have been picked up along the way, and what attributes are least attractive in this all-important executive?
- The friend you can’t stand watching sports with
When Sunday Night Football rolls around, this is the friend you never invite over. Why? Because this person can’t stop talking about the mistakes players made once the play is over. He couldn’t tell you how Tom Brady could have prevented that interception, but he’ll tell you all the terrible possibilities now that the other team has the ball. This type of person resembles the CISO who isn’t forward-thinking: one who looks at threats and hacks not from a proactive standpoint, but from a reactive one.
- The friend who overparents in her sleep
This is the same person who constantly lectures her third-grade son on the reasons not to talk to strangers, but lets him dress up in a costume, knock on random doors, and take candy from those same strangers every Halloween. This is the CISO who is too caught up in her own actions and advice, and is often blindsided by outside factors. This excessive involvement in day-to-day activities, combined with a lack of perspective on the big picture, is an open invitation to hackers everywhere.
- The friend who always gets into bar fights
Despite never having taken a self-defense class in her life, this friend insists on challenging the first person who shoots her a dirty look at the bar. This friend is too full of pride to realize she might be putting herself in serious danger, and isn’t equipped to handle the consequences. This is the ‘fallen hero’ CISO, whose hubris gets in the way of everyday responsibilities.
Silver lining: Choose ‘none of the above’
CISOs can end up on the wrong side of a data breach, play catch-up in the aftermath, or suffer from a false sense of confidence, but they can also come out on top.
By developing written policies around IoT, classifying IoT devices in the correct environment (consumer vs. industrial), prioritizing which devices are critical, communicating with senior leadership, and finding a trusted partner to bounce ideas off of, the CISO’s role is now bigger than just running the security department — it’s the glue that keeps the company together.
So, how many of the CISOs who attended Infosec 2017 identified with one or more of these personality traits? That’s like asking how many licks it takes to get to the center of a Tootsie Pop. The world may never know.