Notes: Profile for a CISO?

I was at the 4th International Forum on Cybercriminality and there was a conference about CISOs' professional profile.

I just took a few notes and, seemingly, there are three major kinds of personalities for a CISO:

• The pilot,
• The architect, IT urbanist,
  
• The administrator.

I have no particular comment on this, except that I think I am doing my best to be all three of these :-\

I was also interested in this definition they gave: "The CISO is the one who defends the ITsec budget."

Finally, they described an evolution in the profile of CISOs:

1. In the 1990's, people became CISO by opportunism,
2. In the 2000's, people became CISO through competition,
3. In the 2010's, people are becoming CISO by choice or by vocation.

I'm happy to record that I'm in the 2010's :-)

Monthly ITsec Leadership Quotes and Articles

• Everything I Need to Know About Leadership I Learned as a Patrol Leader on the TaoSecurity blog.
• Forget ROI and Risk. Consider Competitive Advantage also on the TaoSecurity blog.
  Let me add a number 4: "Boss-centric approach" (whether your boss is CIO, CEO or CSO...)
  Security person: Hello boss. We need to implement our security program because it fits perfectly in your strategic points 1, 2 and 3 and helps you show just how well you deliver
  
• Antons Chuvakin's My Best PCI DSS Presentation EVER! on the Security Warrior blog, contains good pieces to address communication with non-security people.
• Survey about ITsec maturity criteria: What should be audited in order to evaluate an ITsec maturity level? Page 26 to 28 in this [FR] PDF, on the site Les Assises de la Sécurité et des Systèmes d'Information.
• Joking as a way to get people closer to security: The BOFH-like excuses.

I'm getting more and more convinced that the leadership style of Bruce Schneier is what made him so popular. There is more of personality than leadership in his case. In fact, my way to answer about "the mixture of security and feelings" is very close to his. Two examples:

• If You See Something, Say Something
• Worst-Case Thinking

A few quotes heard at the 4th International Forum on Cybercriminality :

• "Nowadays you learn more about someone from Facebook than from Edvige." (Edvige is a nominative information file used by the French police.)
• "The problem is not adapting to the digital world, it's adapting to the border-less world."
• "In healthcare, IT security is a deontological requirement."
• "Estonia is ahead of us [ahead of France regarding ITsec]."
  

Oh, by the way, I finally got a hint on why do they all emphasize on "Information Security" rather than "IT Security": I think it's because they want people to understand that it's not an IT-only problematic.

Transparency the Next Big Topic? I Don't Think So :-(

Here is a recent Bruce Schneier interview "If you don't understand the people you'll never understand security, says Schneier". I really appreciate Bruce Schneier for his stick_to_the_fact and be_smart_not_an_automate approaches.

However, when he says during that interview that the next big topic for security will be transparency, I think it's more of a wishful thinking. I can see three main reasons why the move to transparency will be very slow:

1. Good transparency requires transparency from both the vendor and the buyer. I think the buyer will never see the point of publishing data about (in)security. Even if that's more or less a kind of corporate social responsibility...
2. Some major players among vendors and some managers in whatever buyer's hierarchy do not want to play the game by the rules. They prefer it the way it is, especially if they have a good ROI/good wages and not too much stress. So, unless there is some interventionism, I think they will do their best to slow the move.
3. If you're going to publish things transparently, you might think of it as a possible bad advertisement for your company. And the weak point is: most companies, buyers or vendors, do not know where they stand among peers on the criteria of IT security. So they will not want to make the first move and risk publishing what might be seen as bad results.
   

To my mind, the whole business of IT security transparency is, as most of corporate social responsibility issues, a wicked problem. For this reason, it will require some good leaders to design new models and, probably, some interventionism from States and big corporate players. That is: it will move slowly (decades, to my mind).