Re-examining the CISO-CIO reporting structure could play a key role in bolstering an organization's cybersecurity efforts, according to Tarah Wheeler, information security researcher and founder of Red Queen Technologies. Wheeler spoke with SearchCIO at the 2017 ISSA International Conference in San Diego about top cybersecurity concerns facing an organization's CISO and CIO. In this Q&A, she also offers advice on how to train the C-suite to handle incident response, highlights the importance of implementing cybersecurity basics and sheds light on how to prevent attacks like the Equifax data breach.
What are the biggest cybersecurity concerns facing the CISO-CIO roles?
Tarah Wheeler: The absolute number one concern for any leader in today's modern cybersecurity climate is: What aren't you hearing from your people? That's the absolute number one thing to be concerned about. Part of the reason why is we've built a structure in America where often people doing security are reporting to the people buying the infrastructure. That's really problematic. CIOs need to recognize that people who are there to regulate them probably shouldn't report to them.
When it comes to CISOs, don't take jobs if you have to report to the CIO; report instead to a higher point in the leadership structure. That makes sure that incentives are properly lined up for you to do a good job as someone who regulates the use of the technology in your firm and not merely enables the use of it without necessarily having control over the purchasing process in terms of security.
How should security professionals prepare the C-suite for incident response?
Wheeler: One of the greatest things you can do is put people together in a room and assign them random roles. Do a role-playing exercise where someone has discovered a breach, and then make sure that the people who are usually in charge of decision-making are the ones who are discovering and reporting the breach. All of a sudden, you find out that there are holes in your process you didn't know existed.
In addition, if you are a company that is really devoted to making sure that people stay safe, and especially if you protect personal information, you need to make sure that everyone down to the janitor has the ability to say, "Something deeply wrong is happening." And for that to really work, you have to trust your people. Train them well, educate them well, and make sure that when someone says, "We need to stop everything and fix this problem," you believe them and you listen to them. Don't let it get wrapped up in some compliance update three months down the road. If you've got an emergency, treat it like one.
With new tech being introduced, how important is it to re-examine existing data security and privacy processes?
Wheeler: It's more important to secure existing data and existing security processes than it is to introduce additional products. The exploits that are being used right now to break down the walls between criminals and the 143 million people that just had their information stolen from Equifax were a six-month-old breach in Apache Struts. That is an old technology, and knowing how to patch technology that you have been using for a decade and ensuring that you have a continuous secure process is far more important than trying to buy the newest, cool tool. We need to make sure that our fundamentals are handled first. That protects the most people for the least amount of money. After that, you can go crazy with the new technology.
What should CIOs and CISOs do to prevent security breaches like Equifax in the future?
Wheeler: I'm going to call back to what I originally said [about the CISO-CIO reporting structure], which is that a CISO who reports to a CIO is hampered in making sure that they are capable of telling the CIO that they're screwing up. When we talk about preventing breaches like this in the future, the absolute number one thing that CISOs and CIOs need to do is understand who their customers are and whether or not there is an incentive there to protect their security. There wasn't one there in the Equifax breach. That's where the problem lies.