Articles by David Sheidlower

September 6, 2017

By David Sheidlower
CISO, Turner Construction

In my 10+ years as a CISO, I've noticed a trend that appears to only be increasing. What I have observed is a proliferation of job titles that rhyme with CISO. But rather than describing the Chief Information Security Officer, these new titles swap out the word “chief” and come up with something else to describe something different.

There’s the BISO, or Business Information Security Officer, who has some level of responsibility for a specific part of a firm’s business. They are expected to be part of the business unit they are responsible for. In other words, knowing the business is as important as knowing security.

The BISO is not to be confused with the TISO, or Technical Information Security Officer. This individual is more technically focused and might serve multiple BISOs in complementing the BISO’s business acumen with their technical expertise.

You might see a Network Information Security Officer, or NISO, where the word “network” can mean minding security for layers 1 through 4 of the OSI stack or refer to the NISO being a kind of mega-BISO who takes care of an interconnected group of business entities within a complex Enterprise.

If the business is divided into divisions, you might find a DISO and, likewise, if the structure is regional, you might find a RISO. To be fair, I’ve never seen a RISO title. Usually, the regional security heads are called by names like “CISO for EMEA” or “Deputy CISO, APAC region.”

And then there are the companies that are bashful about appointing a CISO and give their head of Information Security titles like “Director of Information Security.” To them we say, either call that person a CISO – and give them the commensurate responsibilities – or go get one. As I’ll argue below, there’s something that can get missed in this game of “ISO scrabble.”

Some CISOs I know responded to this sprawl of ISO job titles by adding “worldwide” or other descriptors as a preface to their title. After all, there should be one Chief and it is important to make sure that there is no confusion about it.

Human Resources, Executive Management, and sometimes even the Board have a direct say in all of this, of course. We can’t simply pin the existence of so many ISOs on the CISO. In fact, some of these ISOs might not report directly to the company’s CISO. Sometimes there are so many dotted lines that you’d think the org chart had been printed out on an old, cheap dot matrix printer.

The first thing to emphasize about this jumble is: there’s more than enough work to go around. Call yourself Dr. Faustus for all anyone cares, just protect the Enterprise. Organizing that work is one reason these sub-CISO titles came into being. The titles legitimately describe and put limits on a function. You, X-ISO, need to focus on “X” and leave the rest to someone else (Y-ISO, Z-ISO, etc.?).

Then there’s the need to satisfy the ambitions of people with these positions. Consider it a compromise between where they are and where they want to be. “You are not the CISO, but, hey, this is close to being the CISO (just squint when you read your business card).”

Ending job titles in “Information Security Officer” is attractive to everyone involved. The security frameworks (ISO/IEC 27001:2013: 5.1 and 5.3 and NIST Cybersecurity Framework ID.GV-2, for example) all demand that roles and responsibilities be defined such that people are committed to staffing the security program. And nothing says commitment and, as applicable, compliance better than dedicated resources, and nothing says Information Security resources are dedicated better than making them Information Security Officers.

Now I’ll get to the point.

I would argue that the letter at the END of the acronym is way more important than the letter at the beginning. It’s the “O” for “officer” that matters most. Being an “officer” needs to mean something. This is where things get lost and too fuzzy sometimes.

It is important that people manage processes and teams. When they do that, regardless of their title, they are “managers.” It is important that work is directed and prioritized. People who do that are functioning as “directors.” People with the title Manager or Director can be at any level in the organization. Of course, there may be job classification schemas in an organization that dictate where they fall, but the functions do not limit the level. Likewise, being an “officer” does not mean you are at a particular level.

What being an officer does mean is that you are responsible for the objectives of the security program. Sometimes that means you manage, sometimes you direct. Sometimes you analyze, sometimes you observe and sometimes you consult. Sometimes you approve and sometimes you reject policies and their exceptions. Sometimes you might roll up your sleeves and configure a firewall (hint: “permit ip any any” is bad).

Being an officer should mean that the objective is more important than the tasks at hand. You can’t stand on ceremony if your job is to stand between the threats and what you’re protecting. The Information Security Officer owns protecting the company’s information assets. If a vulnerability or risk to the organization and the assets you’re protecting is in your view, then it is in your purview.

If an organization wants someone to solely manage a team or process, then they should call that individual an Information Security Manager. If they want someone to solely direct a function or set of functions, then they should hire an Information Security Director. If, on the other hand, they decide someone should be called an Information Security Officer, then expect and accept that that person’s scope goes beyond just managing or directing. 

There might be more important organizational considerations when evaluating the security function in an Enterprise. “Who does the CISO report to” is discussed a lot more than who has what job title. But to the extent that job titles reflect roles and responsibilities, it’s worth considering just what makes an “officer” an Officer.

July 10, 2017

By David Sheidlower

I have gone back and forth for a long time. Should security be risk-centric or data-centric? Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism).

Certainly there used to be network-centric views of security but they have mostly eroded in the face of mobile devices and the rise of cloud applications.

July 4, 2017

By David Sheidlower

Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching. It’s been a long time for me, but the memory lingers.

January 24, 2017

By David Sheidlower
Global Media and Advertising CISO

In this series I take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. Read Part One 'All Infrastructure and the NIST Framework' and Part Two 'Hackers Are Not Afraid of Frameworks.'

There I was preparing part 3 of my close reading of the 2014 Framework for Improving Critical Infrastructure Cybersecurity from NIST and then I realized it was almost three years old. Soon, it will be under a new administration and version 1.1 is due for release anytime. 

July 11, 2016

By David Sheidlower
Global Media and Advertising CISO

Is that news? No, of course it isn’t. In fact, deterrence (fear) may seem like an odd concept for cybersecurity. Arguably, except for highly visible physical access controls, virtually all other cybersecurity controls are designed to keep an incident from happening (i.e. protective/preventive) or detect and then respond/recover when it has.

June 15, 2016

By David Sheidlower
Global Media and Advertising CISO

Each infrastructure is critical to someone. Go ahead: ask a CIO if they are in charge of something other than “critical infrastructure” and see what they say. In fact, the increasing criticality of all aspects of infrastructure underlies all our assumptions about security and privacy.

March 29, 2016

By David Sheidlower
Global Media and Advertising Company CISO

I tell users all the time “Forget everything you learned in Kindergarten.” It always gets a laugh, gets their attention and gets my point across.

It’s not nice to share (your password). Secrets are really ok (your IP address). Not only should you not take candy from strangers, you should not take strange candy from people you know (probably a phishing attack).

January 11, 2016

By David Sheidlower
Global Media and Advertising Company CISO

In August of 2010, Huping Zhou who had served as a researcher at the UCLA School of Medicine and had since been terminated, was sentenced to jail time for inappropriately looking at the medical records of his immediate supervisor and some notable celebrities including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio. 

November 16, 2015

By David Sheidlower
CISO Global Media and Advertising Company

Focus is over-rated when you’re starting out. The original idea for my presentation at The Privacy & Security Forum in Washington, D.C. was to talk exclusively about how security controls relate to the frameworks that sweep them up and organize them. It was to be “how controls become a framework” in the spirit of the grammar school lesson “how a bill becomes a law.”

It ended up rather differently.

October 28, 2015

By David Sheidlower
CISO Global Media and Advertising

Privacy folks and security folks were finally intermingling by design and not by accident or through one or the other being adventurous.  I’m a huge proponent of the two being intermingled (my post Security and Privacy walk into a bar is an example).

So I was glad to attend the inaugural Privacy & Security Forum hosted at George Washington University and organized by Drs. Daniel Solove and Paul Schwartz. "The Privacy + Security Forum went incredibly well in Year One. We had amazing presenters, an impressive audience, and an exciting exchange of ideas at sessions," Schwartz said.
