7. Law enforcement staff have their place but the continued see-detect-arrest paradigm is auto-fail. Anyone who argues just need look at the last 15 years of information security fully built on that foundation. A foundation of after-the-fact information security with huge investments in process, procedure and technology that supports the failed paradigm.
8. We need defensive technologies and we need incident response but a double down financially and organizationally on failed structures supported by the majority of the IT and Information Security vendors in the industry just does not make sense. If you have law enforcement as your leadership, be prepared for tactical programs focused on immediate short-term gains. Liken it to entering a room with the goal of getting to the other side. Go half way, and the half way continually. You will never get to your goal.
The theme of advanced persistent threats, kill chains, and incident response as the main focus of the organization is another auto-fail. There is no such thing as an APT. That is made up to sell product. Even though the USAF coined it, it is a falsity. If you can't define it, you certainly don't know how to deal with it.
The kill chain that so many vendors and organizations tout is just a method to detect and stop activities after they have penetrated your perimeter. Meaning you have already given up and it is too late. It may prevent the ship from sinking but not until massive data leakage has occurred. Oh and my favorite that still amazes me is the mentality of the cyber janitor. Backed by the APT myth and the kill chain model, today's incident response groups are the cyber janitors of the industry with a whole supporting industry built to back fill the janitors who by day are IT admins.
9. When you hire military intelligence analysts, be sure they know how to spell cyber. Just because they are analyst trained does not mean they have a clue in the information security arena. They need to have a solid indoctrination in industry and the information security space. Establish programs to get them there. They will get the job done for you if properly trained.
10. Why is it that CISOs need a multitude of certifications and CIOs don't need squat? There are complete programs at colleges and universities around the globe built for training information security staff yet nary a one I can find that is completely dedicated to creating CIOs (CIOs with information security as a standard, required pedigree). Each CIO needs to have three to five years' time in security grade, time in security service before consideration as a CIO. They cannot be the CEO's buddy, the CFO's junior staff or from the outside auditing firm who audits your books while another segment of the same firm performs IT audits.
Sign up for CIO Asia eNewsletters.