If you’ve been around IT security for any length of time you’re familiar with the term “man in the middle”. Practitioners and students cramming for CISSP and GISP exams understand it as a crypto attack that’s always explained with the characters Bob, Mallory, and Alice. (Has anyone ever heard a description using different actors?) Alice thinks she’s talking to Bob, but in reality Mallory has inserted herself in the middle and is eavesdropping on, or even modifying, the messages as she relays them. The attack works whenever neither party can verify who is actually on the other end of the connection.
This attack used to be fairly exotic (Kevin Mitnick describes some uses of it in his engaging and readable Ghost in the Wires). But not so much anymore. Would-be attackers can pick up the basic components “off the shelf” using ready-made toolkits like Ettercap, Mallory (I love the creative use of the classic MITM name), and dsniff. If you’d like a better look at how it works, this is a good video.
What I’m even more interested in these days, though, is the emerging man-in-the-middle: the new man-in-the-middle, or what I think of as man-in-the-middle redux. And it’s not an attack. It’s a role.
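To make the Alice/Bob/Mallory story concrete, here is a small simulation of the attack as it plays out against a key exchange. It is an added example written for this page, not code from the original post or from any of the toolkits named above. The Diffie-Hellman group (prime 2**127 - 1, generator 3) and the one-block XOR stream cipher are deliberately toy parameters chosen so the script runs offline with only the Python standard library; the pre-shared-key HMAC used to authenticate the public values in the second run is one standard way of fixing the problem, not the only one.

```python
"""Classic Alice/Bob/Mallory man-in-the-middle, simulated end to end.

Added example, not code from the original post. The Diffie-Hellman group
(P = 2**127 - 1, generator 3) and the XOR stream cipher are TOY choices so
that the script runs offline with the standard library only; do not reuse
them in real systems.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (M127); real deployments use RFC 7919 groups
G = 3
BYTES = 16       # every value mod P fits in 16 bytes


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> int:
    return pow(peer_pub, priv, P)


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(BYTES, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: one 32-byte HMAC keystream block, so len(data) <= 32.
    Encryption and decryption are the same operation."""
    assert len(data) <= 32, "toy cipher handles one block only"
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def auth_tag(psk: bytes, pub: int) -> bytes:
    """Authenticate a DH public value with a key only Alice and Bob hold."""
    return hmac.new(psk, pub.to_bytes(BYTES, "big"), hashlib.sha256).digest()


def rand_priv() -> int:
    return secrets.randbelow(P - 2) + 2


def run_unauthenticated(message: bytes) -> dict:
    """Alice -> Bob with Mallory relaying. Nobody authenticates anything."""
    a, b = rand_priv(), rand_priv()
    A, B = dh_public(a), dh_public(b)
    # Mallory intercepts both public values and substitutes her own.
    m_to_alice, m_to_bob = rand_priv(), rand_priv()
    M_to_alice, M_to_bob = dh_public(m_to_alice), dh_public(m_to_bob)
    k_alice = session_key(dh_shared(M_to_alice, a))   # Alice thinks this is Bob
    k_bob = session_key(dh_shared(M_to_bob, b))       # Bob thinks this is Alice
    k_mal_alice = session_key(dh_shared(A, m_to_alice))
    k_mal_bob = session_key(dh_shared(B, m_to_bob))
    assert k_alice == k_mal_alice and k_bob == k_mal_bob
    # Alice encrypts; Mallory decrypts, edits, and re-encrypts for Bob.
    wire = xor_crypt(k_alice, message)
    seen = xor_crypt(k_mal_alice, wire)
    tampered = seen.replace(b"1000", b"9000")
    wire2 = xor_crypt(k_mal_bob, tampered)
    return {"mallory_read": seen, "bob_received": xor_crypt(k_bob, wire2)}


def run_authenticated(message: bytes, psk: bytes, mallory: bool = True) -> dict:
    """Same exchange, but each public value carries an HMAC under a key that
    Alice and Bob share and Mallory does not."""
    a, b = rand_priv(), rand_priv()
    A, B = dh_public(a), dh_public(b)
    tag_A, tag_B = auth_tag(psk, A), auth_tag(psk, B)
    # What each party receives. Mallory can swap the public values but cannot
    # compute a tag for her own, so the genuine tags travel with wrong values.
    recv_by_bob = (dh_public(rand_priv()), tag_A) if mallory else (A, tag_A)
    recv_by_alice = (dh_public(rand_priv()), tag_B) if mallory else (B, tag_B)
    for pub, tag in (recv_by_bob, recv_by_alice):
        if not hmac.compare_digest(auth_tag(psk, pub), tag):
            return {"aborted": True}   # substitution detected; no session
    k_alice = session_key(dh_shared(recv_by_alice[0], a))
    k_bob = session_key(dh_shared(recv_by_bob[0], b))
    return {"aborted": False,
            "bob_received": xor_crypt(k_bob, xor_crypt(k_alice, message))}


if __name__ == "__main__":
    msg = b"pay 1000 to carol"   # constructed sample message
    print(run_unauthenticated(msg))
    print(run_authenticated(msg, b"shared secret"))
    print(run_authenticated(msg, b"shared secret", mallory=False))
```

The first run shows both halves of the attack the paragraph describes: Mallory reads Alice's plaintext and Bob receives a silently altered message, while each side holds a perfectly good session key and notices nothing. The second run is the same exchange with the public values authenticated; Mallory can still sit in the path, but the first tag check fails and no session is established. Ettercap and dsniff do the interception at the ARP and TCP layer rather than in a Python function, but the logic they exploit is the same absence of authentication.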
The new CISO is the real man-in-the-middle. He is, quite frankly, caught between two worlds:
The Executive World, where he speaks in terms of:
- Business initiatives
- The critical soft art of Influence Without Power
- Profit, loss and EBITDA (if you know the abbreviation you’re already there)
- How IT risk translates to business risk
The Technical World, where he must continue to speak in terms of:
- Controls and control objectives
- CIS benchmarks, tests, and test results
- Attack surface
- Incident management
Many writers and analysts have tried to capture the dynamics of this changing role, but for my money none have done better than the writers of a survey report by IBM’s Center for Applied Insights. (You can download the detailed results here for free.) Aptly titled “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment”, it offers good data and useful findings.
Examples I found interesting:
Attention is shifting toward risk management. “In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.”
Archetypes are real. CISOs and security leaders can be grouped into archetypes of Responders, Protectors and Influencers, and each persona has a very distinctive way of working in, with and through their organizations and budgets. The report does a great job not only of defining these archetypes, but of providing insight on how to grow from one type to the next.
Global instead of local. “In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be.” (Emphasis mine)
Measures matter. “Although metrics can be a challenge to define and capture, that should not deter organizations from implementing them. Measurement may be imprecise at first but will improve over time – and the process itself can drive valuable insight.” Imagine: insight from the process of obtaining numbers, and not just from the numbers themselves.
I’ve seen a lot of reports this year on the metamorphosis happening in the CISO role, but this one is the best. In general terms it summarizes the choice almost all CISOs will need to make, now or in the immediate future:
- Continue being the middleman, translating up and managing down and never permanently landing on one side of the fence or the other (example: see the poor cow above)
- Like the pioneering CIOs and CFOs before them, assume their rightful place at the strategic table, learn the soft skills of executive leadership, and build sustainable teams that can manage the day-in-day-out work of information security with less and less oversight
I think most of them will choose the latter. We who call ourselves “security vendors” need to assist them in their transition.