We’re giving so much kudos to the bad guys who can convince people to click on a single link. But that’s not the real social engineering skill we should be impressed by, said Wendy Nather (@451Wendy), Research Director of the Enterprise Security Practice at 451 Research.
“If you get 1,000 people to stop clicking on links then I’ll be impressed,” replied Nather, “Because that’s what a CISO has to do all the time.”
Nather and I spoke right after her panel discussion about the psychology of the Chief Information Security Officer (CISO) at the 2013 RSA Conference in San Francisco. Her firm had just completed a large report based on 500 conversational interviews with CISOs about how they do their job.
I asked Nather what the most surprising results from those interviews were, and she said that the majority of CISOs claimed their business showed no particular strengths as a result of their IT audit function. That simple answer made her realize that many CISOs simply didn’t understand the value of their audit function.
More importantly, what Nather learned from the interviews was the multitude of skills a CISO must possess in order to be successful at the job: great tech skills, business acumen, social engineering skills within their own organization, and a thick skin.