2015 is nearly three weeks young and I am afraid we are going to see more of the same exposures as we did in 2014. Not much has changed in organizations. They are fundamentally following the same tactics and techniques to 'defend' against adversaries as they have for the past several years. There are 12 areas that continue to cause problems for the CISO and information security as a whole. Here they are:
1. In most organizations the CISO still reports to the CIO, which keeps security framed as a technical issue. CISOs quietly battle the CIO to move security to the forefront, only to be pushed to the back of the pack in the name of features and functionality.
2. CISOs continue to beg for financial table scraps, and the scraps they do get are used to double down on existing technology: the same technology that is failing them now, dressed up with a new twist or new buzzwords that describe what it really cannot do. And since organizations still see the issue as a technology problem, the CISO gets a budget that is a single-digit percentage of the overall IT budget.
3. There are also CISOs in positions at major firms who do not have the credentials necessary for those positions. Whether through outright lying, a gift for gab, opportunistic timing, cronyism, nepotism, verbal berating, companies that have dumped them quietly, or just plain foolishness, these CISOs are false prophets leading their organizations down the path of data-loss doom. Their resumes are rife with false statements, their LinkedIn profiles full of modifications, and embellishments of the most minor infraction.
4. Many organizations continue to give information security lip service but avoid embedding information security at the beginning of, and throughout, each and every corporate project, not just IT projects. Information security vulnerabilities discovered during a project's SDLC are not treated as defects; they are separately identified as vulnerabilities that require a waiver to remediate, while code defects slide through the process without issue. In fact, most vulnerabilities identified during the SDLC, and even thereafter with vulnerability scanners, are configuration errors made by IT staff, since they follow no build guide or configuration standard and have root access to change configurations (and do so) outside the change/release cycle.
5. What still amazes me is the limited access CISOs have to corporate leadership or boards. Treated as the corporate scapegoat, CISOs in most organizations are not included in the corporate brain trust. They are still seen as the messenger, deserving of disdain and bullet wounds for issues 'packaged' as security problems.
6. This leads us to the age-old problem of IT administrators of any platform, infrastructure or software not securing what they own. They do not believe security is their responsibility, yet at the same time they do not allow information security into the process to examine it. CISOs are still the red-headed stepchild of the organization.