02-06-20 - When Are CISOs Responsible for Breaches?

When Are CISOs Responsible for Breaches?

February 06, 2020

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

When Are CISOs Responsible for Breaches?

When Are CISOs Responsible for Breaches?

 On this episode of Defense in Depth:

Co-host Allan Alford and our guest is Norman Hunt, deputy CISO, GEICO, discussed:

  • On the onset, one may want to jump to finding liability. But a CISO's responsibility should not be isolated at the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations.

  • Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his/her intended plan.

  • Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode).

  • When are you measuring the performance of the CISO? Is it as they build the security program, or is it only at the moment of the breach?

  • How well does a CISO handle the breach when it happens and how well do his direct reports and the rest of the company handle it? That's a better measurement of the efficacy of the CISO.

  • CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEO, and CFOs are not held to the same standard.

  • Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment. Were they building out a security program and were there improvements or was staff education and leadership falling short?

  • The best standard of measurement of a CISO is how well do they communicate and implement security and risk decisions?

  • Failure may be at the definition of the role of the CISO. A CISO's role and its responsibilities are far from standardized.

Barry Caplin, Gartner on who owns security risk

Live recording of CISO/Security Vendor Relationship Podcast at BsidesSF on 2/23/20

After attending and filming at what I believe has been every single BsidesSF, I'm excited to announce that we've been invited to do a live recording of CISO/Security Vendor Relationship Podcast at the conference. Mike Johnson will be there and our guest will be Olivia Rose, CISO, Mailchimp.We would love to see you there. You'll need to get a ticket to BsidesSF to be able to attend the event, but we'll be going recording at 3:30 PM on Sunday, February 23rd, 2020. And for another first, we'll be recording inside a movie theater!Go ahead and register for BsidesSF. It's only $50 to attend. And then make sure you put our live audience recording on your schedule.We still have sponsorship opportunities open for this first ever event. Please contact me if you're interested in sponsoring.

Making Security Change Management Personal

Making Security Change Management Personal

Here’s a video of me being interviewed by Peter Hind, senior analyst at ADAPT, where I also did a live audience recording of CISO/Security Vendor Relationship Podcast in Sydney, Australia.

Peter and I talked about the origins of the CISO Series and why you need to make security change management personal if you want it to be effective for the organization.

Elliot Lewis, CEO, Encryptics on the overused "chased by bear" cybersecurity metaphor

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.