Hiring a CISO is not enough to fix security

There seems to be a trend of elevating the Chief Information Security Officer (CISO) to the same level as the Chief Information Officer (CIO). This is a direct result of high-profile breaches at places such as large big-box retailers. There is some justification for this approach. Having a C-level executive focused on security shows that the organization is serious about its customers’ personal data and provides a high level of focus on this significant challenge. However, it creates challenges for the CIO’s organization in the form of technical requirements and organizational structure.

One commonality between the NSA and enterprise security is the thirst for actionable data. Security professionals want as much data and metadata as possible. To support this desire, the CISO is asking for the ability to do things such as see the flow of credit card data from the application that resides on the disk of the server through the transport of that data over the internal network.

The idea is that if a pattern of malicious activity is detected in any part of the information technology infrastructure, the CISO can take action. That action can include shutting down a web server or shutting down a particular communication between the application and a suspicious end user without affecting the overall service.

The challenge is that the traditional IT infrastructure is siloed by both technology and organizational boundaries. This seamless data monitoring is technically impossible in today’s infrastructure. Providers such as VMware believe abstraction of the data center is a method of providing a technical solution to the problem.

As mentioned, technology is just a part of the problem. The other part of the problem is the silos in most enterprise IT operations. The group that administers the application is different from the group that manages the physical server, which is in turn separate from the group that manages the network. Add to this mix the CISO’s ability to monitor or shut down parts of the infrastructure without the interaction (or knowledge) of the supporting groups, and that becomes the actual challenge.

Creating an elevated CISO role within an enterprise is just one step in a comprehensive security strategy. To really address enterprise security, a re-evaluation of the entire IT organization’s technologies and structure has to take place.

Published by Keith Townsend

Now I'm @CTOAdvisor
