
I recall engaging in a conversation with a fellow security professional this year on the subject of where the CISO role should reside and to whom the CISO should report. My opponent’s opinion was very much contrary to my own, vocalising the value of the CISO having full alignment with the main board and the company executive.

I, on the other hand, feel the CISO should be kept well removed from any such exposure, given the conflict of interest it implies.

Here, I have a number of real-life examples, which I will elaborate upon later, where the operational security, compliance and governance of the implicated companies were at best compromised and, in the worst cases, resulted in culpable acts of criminality.

However, prior to presenting the shady side of operational life, I wish to focus on the wider subject of the ethical challenges we as a society have encountered up to 2015. I will then use that landscape to underpin my argument: that there should be no osmosis across the membrane separating robust and trusted security from the commercial aspirations of the organisation’s leadership.

In order to achieve the required level of understanding, we need first to appreciate the complexities and foibles of Homo sapiens. First of all, unlike a robot, we as biological units are not restricted by predefined logic, and thus, as a rule, we exist in a continuous state of reassessment aimed at underpinning our personal wellbeing.

Thus, in the area of self-interest, I have observed at close hand what I assess to be a realignment of focus by some who were seeking corporate self-survival, exemplified here by two cases involving security executives who acted at the potential cost of the organisations they were responsible for securing.

We should also accept that, like it or not, the human race can (and does) suffer from conditions of greed, corruption and culpable decisions that implicate the many to the advantage of an individual, a group or the organisation.

As we are all now aware, up to 2015 we have suffered an ever-increasing stream of adverse revelations originating from well-governed brands and organisations. For example:

  • Insider trading
  • The fixing of Libor
  • The case of FIFA
  • Abuse of positions of trust (e.g. the Co-op Bank debacle)
  • The use and abuse of insider knowledge in the highest house of government in the land, seeking to embarrass and destabilise an elected leader

When I move this conversation back to the importance of the segregated role of the CISO, using the aforementioned cases as a benchmark, I can align the disclosed events with some known occasions where ethics got lost.

For example, consider the trusted automotive executive who abused their expenses system to the tune of £250,000 in one annual reporting period; or the security consultants robbing the public purse by booking work against a cost centre number when in fact no work had been carried out, and this under the scrutiny of the head of the security practice.

But then moving up the stack toward the CISO position: in one case, at a time of tension with their executive line management, the incumbent CISO actually attached a personal laptop to the corporate LAN and downloaded sensitive data before walking off site in a fit of temper. This really does bring the case for trust, ethics and segregation home to roost.

Here we again encounter the human condition of Homo sapiens referred to above, seeking the higher ground of personal survival at any ethical cost. In fact, as amazing as it may seem, even after such untrustworthy acts the CISO in question was actually allowed back to work once the said matter of conflict had been resolved; they were, of course, very close to the main board, the executive and HR.

At the end of the day, the objective of the security professional must be to secure the enterprise, to watch the people, to avoid the opportunities for complicit engagements, and to ask the question: ‘Who watches the watchers?’

That said, it is worth remembering that, when it comes to human nature, every high-grade spy who has ever operated has enjoyed one important element: access to source-level target material, granted precisely because they had been background checked and security cleared to have it.

My ultimate conclusion must be that people will always be the weakest link. Power, corruption and greed can sometimes overshadow the greater good, and with that knowledge we need to defend our assets and our trust and, above all, exercise a watchful eye and maintain processes that avoid the contaminant conditions which can corrupt and tarnish ethics and respectability.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock

  • Segregated from whom, reporting to where? That's a lotta words, John, to be left none the wiser. However, how come the CISO has to be the moral guardian for all? Surely every role has to consider their own ethical position?

    As a career plan, CISO is the top job and yet it's a poisoned chalice. Average length of stay in the role is now down to 16 months. That's not much of a solid career to aim for with any level of comfort if you're constantly having to look over your shoulder, knowing you're going to have to take the fall for something that won't, in all likelihood, be of your creation. In one of your examples above, the Director of Assurance (clearly mis-named and mis-appointed) was in collusion with a cover-up. To have three separate roles creates too many verticals with clearly competing ethics and business drivers.

    We can't, as a profession, keep having all the requests for solutions directed to us whilst at the same time having all the blame in the event of a breach thrust at us. Culpability is a group activity – that's what the VW tale will ultimately tell us. Notwithstanding that speaking up or out is invariably career limiting…

  • John Walker

    The above article is very timely when you consider the most recent debacle with the Experian 15m user breach. See below:
    https://krebsonsecurity.com/2015/10/experian-brea

    When you balance this against a company who offer post-breach services, you are left wondering if they are in the right sector to accommodate such a service. Eating one's 'own' dog food springs to mind.

  • John Walker

    As a response to Andrea – I can only comment that my observations are sadly from the real world – with one of the cases implicated seeing the same organisation suffer yet another big blow. I would really like to say all is well in the garden, but I can't.

    As for being wiser, I guess the message here is people are the weakest link, no matter how trusted their positions are considered.

  • blackdragonltd

    Hi All. I myself have worked in the IOS QA world; as Quality Manager we attempt to guide and provide for the masses in and outside a company to provide assurances to standards. Your good selves are doing something similar, I would suggest. In my world, while there is improving understanding from the Authorities of companies, many "Board" level stakeholders have little or no understanding of "system" or "the nitty gritty" of business and therefore look for holistic answers to specific questions. This lack of knowledge promotes a blame culture as opposed to a team understanding of the problem, which is often the fall-back for any problems that arise.

    Quality, Security, anything of importance that is ignored until it goes wrong will inevitably become a thorn.

    Understanding is born from interactivity and familiarity; it is easy to avoid the responsibility if on a daily basis you think you pay for someone else to be responsible…

    So for professionals in any position of responsibility that is only as good as the collective effort, you can find yourself on a collective loser if the higher management have no interest in "regular interactivity" with these important subjects.