Column

CISOs and the false sense of security

Ira Winkler

A recent report by market researcher Enterprise Strategy Group (ESG) makes some interesting points about the usefulness of a CISO. The report polled 227 North American security executives in organizations larger than 1,000 employees. Based on the results, ESG concluded that organizations with a CISO are more secure than those that don't have a CISO.

While I would say that the "results" (and I use that term very loosely here) are very useful to CISOs in justifying their positions, the reality is that this is just another way for a market research firm to create news. Worse yet, it gives companies a false sense of security: the notion that a job title somehow makes an organization secure. The real revelation is that organizations with CISOs believe they are more secure, not that they are more secure.

ESG asked security executives whether their security technology was sufficient to protect their organizations. Frankly, technology is one of the weakest indicators of security, because security is much more a process than a technological implementation. The best technologies in the world are pretty useless if they are not implemented properly.

Technologies are like placing bandages on a body when you have no clue what is wrong with it. Maybe there is a trivial skin wound, and a bandage is perfect. Maybe, however, you nicked an artery, and a bandage is nothing more than temporary cosmetics. Maybe there is internal bleeding that you never see, which will leave you dead in minutes regardless of whether a bandage is present or not.

Frankly, the better an organization's security program, the more insecure it believes itself to be. Good security programs regularly find incidents that show their technologies are not sufficient to prevent everything. They have strong intrusion detection, and misuse and abuse detection, in place to recognize when sensitive information has been compromised. Strong security programs are strong not because they have no incidents, but because they have proactive programs in place. While they do protect information better than weaker programs, their real strength is their ability to detect and respond to problems.

If a survey wants to be useful, why don't we see questions that address whether or not organizations have the fundamental components of a good security program?

Why doesn't a research firm, for example, ask whether or not organizations have data classification programs in place? Why don't they ask for the resources put into security awareness programs? Why don't they ask about the internal and external monitoring technologies and procedures in place? What about vulnerability management technologies? Is there an incident management process defined and tested?

If an analyst firm or any other company wants to produce useful information instead of press releases, it should break its surveys down into real indicators and ask respondents whether their organization has the various components of what is generally considered to be a strong security program. Then it could determine whether organizations with CISOs actually have more of those desirable components.

Ira Winkler is president of the Internet Security Advisors Group. He has over 20 years of experience in the intelligence and security fields, has worked for the National Security Agency, and consults for a wide variety of Fortune 50 corporations. The author of Spies Among Us, he is an occasional contributor to Security Wire Perspectives.
