December 18, 2018

Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, fewer than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.

The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.

Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.

“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”

Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.

“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”

EXHIBIT A: EQUIFAX

Common or not, the dominant reporting structure in corporations runs the risk of having security concerns take a backseat when they get in the way of productivity, and often leaves the security team without someone to advocate for the proper budget.

Take the mega breach at Equifax last year that exposed the personal and financial data on 148 million people. Much blame has been placed on lax software patching practices at Equifax, but the cause of the intrusion was ultimately a people and organizational structure issue, argues Lance Spitzner, director of security awareness at the SANS Institute.

“When you bring up the Equifax breach, most people respond that it was a patching issue, the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched,” Spitzner wrote in a breakdown of a damning report released last week by lawmakers on the House Oversight committee.

But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was that the CSO, Susan Mauldin, did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

The reason for this organizational divide? Spitzner notes:

“Ten years prior, the CSO reported to the CIO, however they had strong personality conflicts. Since the two could not work together, the CSO was moved under legal. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.) As a result, the CSO is now the CISO and that individual reports directly to the CEO at Equifax today.”

Indeed, despite its myriad security and management foibles since announcing its historic data breach last September, Equifax has apparently taken this particular lesson to heart. Prior to announcing its breach last year, a CISO or CSO was noticeably absent from the ranks of Equifax’s Corporate Leadership page. Not anymore. Here’s looking at you, Experian and Trans Union.

EXECUTIVE SILOS

Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO or CISO reports to the CTO, or to the chief information officer.

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Anthony Belfiore, chief security officer for insurance company Aon PLC, in a Wall Street Journal story this month about the rising prominence of security leaders at major companies.

Source: Accenture.

Alissa Valentina Knight, senior analyst and colleague of Conroy’s at the Aite Group, said we’re in the middle of a changing of tides — where the CISO function once seen as a technology problem is now moving to a boardroom problem and bringing about a gradual shift in reporting structure.

“Historically, you’d see the CISO reporting to the CTO and despite the company having a CISO, that individual wasn’t listed on the company’s web site, [and] while they had an officer title, they weren’t given that privilege,” Knight said.

But she added that many companies — despite having a CISO — will not list them on their web site’s leadership team page, even when that reporting structure changes from the CTO to the CEO or Board of Directors.

“Some companies are even moving the cybersecurity function to report up through the CFO,” Knight said.

According to a survey released this summer by Accenture, two-thirds of companies said their chief executive and board of directors now have direct oversight of cybersecurity. The survey also found that CIOs had less control over cybersecurity budgets, down from 35 percent in 2017 to 29 percent in 2018.

Companies can minimize conflict between the CSO/CISO and other top executives by having their security leader(s) report to the head of operations, or to the company’s general counsel, Belfiore told The Journal. For example, those that have CISOs reporting to CIOs can mix in reporting lines to legal, risk or the CEO office to offset potential conflicts.

*Calculated based on number of top 100 companies with available leadership data (see these Top 100 and Top 50 spreadsheets).


65 thoughts on “A Chief Security Concern for Executive Teams”

  1. Dave

    Excellent article. I just passed the CompTIA CySA+ recently, and they teach that whoever is in charge of security, be it CTO/CISO/CSO or whatever it is called, should report directly to the CEO. Company security policies should be in place and there is no gap between security and the top executives. I’ve been saying that corporate USA will not take IT Security seriously until some legislation along the lines of Sarbanes-Oxley is passed and bites the C-Suites in the rump. Again, excellent article Brian. Thank you.

    1. Deniz

      Dave, I happen to agree with you. I too hope that Congress passes legislation that regulates the degree to which companies are undertaking initiatives to mitigate cyber security risks. Having a CTO or CIO in the C-Suite would be one requirement.

      1. Scott Wright

        No such legislation will ever be passed. The C-suites collectively own the politicians and nothing of any consequence will come from them, for the same reasons that egregious data breaches, using a personal phone or mail server for government business, government agencies lying to judges, and waterboarding are still not illegal…

        1. TreFunny

          A c-level pretty much took music therapy classes and has no real understanding of…. wait for it… “the cyber”

  2. AJ North

    As many have suspected, there IS gambling going on in the casino! (And the ‘players’ truly are an international group… .)

  3. Harry Stoner

    Is “Chief Risk Officer” included in your security-related tally?

      1. dmarc

        Chief Risk Officer is a broad title that doesn’t necessarily have a thorough understanding of all the technology risks. The title covers a wide area of operational, insurance and financial risks too. They may rely on staff (experts) & dept heads reporting from a variety of areas in the company to provide clear explanations and specific info in order to assess the overall risk to the company.

        1. CyberPatch

          Agreed! Furthermore, because the CRO lacks the specific skill set needed to effectively communicate cyber risks, they cannot speak for or represent the CISO/CSO. Additionally, they are not directly accountable for cyber security.

          1. CyberPatch

            I think that is the biggest issue – who is at the table communicating the security issues to the BOD and Executives? It should be the person responsible for the security program, e.g. your CISO/CSO.

            We are witnessing an evolution of the CISO role, similar to how other critical positions, such as Chief Human Resource Officer (CHRO) developed.

            Comparatively speaking, the CHRO role really didn’t start to take form until the early 20th Century. It was referred to as “personnel management” and continued to evolve to what it is today.

            The CISO has to be at the table and have the ability to clearly articulate security risks and strategically partner with the executives & BOD to help navigate the organization to success.

  4. Tom

    As a CIO, I would prefer to be unlisted. Knowing my name could tell you a lot about my network; after 10 years of consulting in the same space. Mitigate what you can. My name and title are irrelevant to the public.

    1. A Hidden CIO

      Agreed. Hiding in plain sight is fine, but don’t call it out and make me a target (or my family, friends, etc.) Same as some critical infrastructure leaders in other operations (think beyond banking or security. think defense)

      1. securitybywhat

        Funny to see so many security people hide behind security by obscurity when these very people are usually the first to point out when others are trying to do the same. Sorry, but if you’re the CSO or CISO of a major company you don’t get to hide this fact.

        1. qbit

          Right! If you’re concerned about your profile being public, you’re the wrong person for the job.

          1. Anon404

            Does the same apply to law enforcement who limit social media presence, if they have any at all, and that of their families for protection? Cybercriminals see security folks as barely a step down from law enforcement. I’d rather criminals had to work a little harder to profile me.

            1. Troy Frericks

              > Does the same apply to law enforcement who limit social
              > media presence, if they have any at all, and that of their
              > families for protection?

              Wow! Yes! Law enforcement are public servants and paid by the public. The public has access to their information. The info is available by request, published in the media, posted in the phone directory inside police stations, worn on their lapel, available in on-line court filings, etc.

              BTW, your premise is incorrect, law enforcement do not limit social media presence. Some individuals in law enforcement do. But, some individuals in law enforcement use social media as a way to engage the public and change perceptions.

              Back to the main point, publishing the business profile of a Security focused C level exec on the company’s web site is not a security risk. To the contrary, as pointed out above, it gives the perception of a mature and stable company that is interested in its customers’ security.

              Troy.

          2. Brian

            I don’t know that I agree with this sentiment. Security by obscurity shouldn’t be your primary method of defense, but including obscurity as a strategy in combination with other, more significant, technical safeguards makes your organization that much more robust.

        2. SkunkWerks

          That’s uncharitable. Also disingenuous.

          In a system you have designed (or oversee), it’s probably fair to observe that you should never rely on security-by-obscurity.

          In a system you didn’t design, don’t oversee (read: Society- political, social and bureaucratic), and only VERY recently realized that “holy crap, SSNs are kinda public knowledge and maybe we shouldn’t use them as a critical datapoint for verifying people,” it’s not really fair, or even comparable to make this observation.

          In that system, you take what you can get for security, and not all that infrequently, obscurity is about all you’re left with for options.

      2. Gretchen

        I agree. I can’t even find an infosec job and already have gotten a ton of phishing emails that I know are as a direct result of my resume floating around out there with “DoD 8570 IAT Level II” on it. I never wanted any type of web presence indicating that I’m even slightly interested in cybersecurity but am having a hard time finding employment. At this point I might as well just put a giant bull’s-eye in my backyard for threat actors to shoot missiles at, because I’m definitely a target now even without an infosec job.

      3. neutralist

        Especially if you travel abroad, you don’t want to make yourself a target.

    2. sqlmojoe

      I am a strong proponent of defense-in-depth. I just don’t see what real impact “hiding” the CISO/CSO of a company will bring. Not listed on the execs page does not make the person hidden. This isn’t even security by obscurity (which doesn’t really work); you’re not obscure at all.

      Google, Bing or Duck any Fortune 1000 company and see how many won’t yield CISO names. So whatever threats you’ve identified in your personal threat model, I hope you’ve employed mitigations (if any) with the assumption that you are already well known (assume already breached?).

    3. Anon404

      I kinda feel the same about this. I’m not C-level but any Security position is really only a step down from law enforcement in the eyes of cybercriminals. I’d rather criminals not know my name so as not to make myself or my family targets of attack. A police officer would likely feel the same way about social media presence, and I’ve known at least one who did.

  5. Ian

    I’ve never worked at a company where the CTO position was considered an IT role, it’s always been an engineering role with a focus on our product. Wouldn’t CIO be a better role to check for? And CIOs normally aren’t publicly listed because that just becomes a vector for vendor spam.

  6. Arnold Layne

    In your article “What the Marriott Breach Says About Security” you mention “The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.” I realize this article is more about Board representation, but there is a quote here regarding Equifax indicating that it would have helped if their CISO reported to the CIO. This one also ends noting advantages of having the CISO report to the CIO.

    Where is the proper place for Security? Does it depend on program maturity? Other dependency?

  7. B

    Glad to know I’m not the only security professional who does not want to be listed in LinkedIn.

    1. StaleSodaCracker

      I would not suggest having CIO on the company executive vanity “who we are” page, security people should not be known externally in my mind.

  8. WhatIsACISOAnyways

    Some companies in the top 100 are too large to have technical CISOs/SVPs/VPs listed on NASDAQ or marketing pages. Dig into LinkedIn for better insights. For example, Amazon has 2 CISOs (one for AWS, one for the rest of Amazon) working for each one’s CEOs (they have 3 CEOs technically). Their CISOs are deeply technical engineering VPs.

    1. BrianKrebs Post author

      I’m going to guess you didn’t read past the first three paragraphs. Here’s paragraphs 4 and 5:

      Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of these companies via LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

      But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

    1. Gnecht

      What types of articles do you find more interesting? And, most interesting Krebs article ever?

      1. Harry the D.

        I’m gonna guess articles relating to bad actors getting exposed and perps being arrested.

      2. The Sunshine State

        More internet security related and research into cyber-criminals and their activities.

        1. Anonymous Coward

          If you do not see how this article is internet security related then you don’t understand internet security very well.

  9. Jack Minard

    You think this is bad? I used to work for an organization that offered an online service that many companies in all different industries used. Including security companies, black-hats, cyber security, law enforcement, and private investigation firms. In creating these online accounts and linking some form of payment – credit card or bank account – these security companies would use the most obvious passwords, including in a few cases “password,” and security-validation questions – What company do I work for? What is the founder’s name? What is our address? etc. And about half of them had the nerve to get upset when I disabled online access until we had better security. These were security companies whose primary purpose was to help people improve security. Yikes.

  10. Philip

    This merry-go-round won’t change with security departments reporting to Boards. I can’t shake the feeling that the bottom line about all of this is there’s no money. Also, when did CEOs (let alone Board members) or CFOs know anything that’s being reported by these departments? I’d say more than half wouldn’t know what they were reading; even after the CISOs et al. explain it. Honestly, I’ve heard all too often: “Thanks, we’ll take it under advisement.” It boggles my mind how they even function. I’m almost certain hardly anyone on a Board (or CEO) knows anything beyond how to set a 6 digit password but sure, let’s let them make cyber security budget decisions.

  11. Petepall

    Data security or lack of same is a marketing issue? IMHO, the general public has become tone-deaf to the drumbeat of failure after failure, which fails are partially caused by the organizational problems you have raised.

  12. Steve C#

    Unfortunately most companies, no matter what the size, see IT as an expense to minimize. They do not see IT as an asset for production, protection or to reduce costs long term. Most C level execs and too many IT Directors for that matter, do not understand IT and how it can benefit their companies long term.

    I think the technical term is clueless… an IT guy with an MBA

  13. Steve C#

    Over the years I have dealt with a number of CEOs, CTOs and IT Directors. Their IT ignorance has often been shocking. A couple told me that they wanted Macs because they did not know or want to know anything about computers.

    1. SkunkWerks

      And here again, I suggest that the lack of emphasis on these roles isn’t really the problem, so much as a symptom of the problem.

      Because yeah, another common way of “coping with the perceived need for an emphasis on tech and security” is to name some random dude (usually someone you think of as a “good” or maybe even “smart” guy) into such a role- whether he knows anything about it or not.

      e.g.: Naming Rudy Giuliani your campaign’s head of Cybersecurity.

      You have the advantage of ~appearing~ to take the matter seriously, without ACTUALLY taking the matter seriously.

  14. Readership1

    In smaller businesses, the IT/security guy is the person who tells the boss what computers she should buy, keeps them connected, hires a vendor to get the website up, and manages the email system.

    This IT/security person is invariably an American, educated locally, and answers directly to the boss, with whom he eats lunch at least once a week.

    As businesses grow, instead of hiring more Americans, they cut costs by using temps and visa winners. Their IT/security guy manages a team of foreigners, who have no company loyalty and curse him in other languages behind his back.

    By this point, the boss is making so much money, she moves her office to another floor, where the IT/security guy rarely visits.

    Occasionally, the CEO laments that she’d love to hire more Americans and have a more secure business. She fails to see the irony that she’s helped to create a lucrative market for foreigners, while undercutting Americans who want to be IT/security experts.

    1. SkunkWerks

      Well, I mean- aside from being cheaper- from the Executive point of view, hiring foreigners for these roles creates a nice, more plausible alibi for “not understanding whatever sort of garglemesh he’s talking”.

      Overall though, I feel like the lack of an executive tech rep in many companies is more a symptom of the problem (an indicator of how much they value this dimension of their business), rather than the cause.

      It needs to change, but there’s a lot of groundwork that needs laying.

      For instance: reducing the number of times the phrase “I don’t believe” is used to open an argument against any given, very black-and-white sort of matter a tech rep might raise as a cause for concern.

  15. SkunkWerks

    It’s my experience that executive leadership typically doesn’t want to hear from their highest ranking tech representative.

    This is usually for one or more of the following reasons:

    1) I can’t understand that guy.
    2) No, really. What sort of garglemesh is he talking?
    3) When he opens his mouth, I can feel my profits being dumped (into what are probably entirely reasonable measures that we have been neglecting for years).

  16. Matt

    Great article. As to the visibility of Risk Managers, CISOs, CIOs, CTOs, CROs; the visibility tends to occur after the fact (versus highlighting positive things prior to an incident). While elements of this are to not ‘brag about cybersecurity preparedness’ (see Sony CISO commentary prior to both incidents); the focus has to be more towards awareness and preparedness of these folks in the C-Suite conversation (which is happening). Also, as a general rule, any company’s leadership or individual that doesn’t want to be listed in a public setting…shouldn’t be and probably shouldn’t be representing themselves as leadership if that is the case.

  17. Gretchen

    I passed my CompTIA Security+ CE in July (the 501 exam) and am finding it impossible to find an entry-level cybersecurity position where I live. I was looking into taking CISSP and reading about how you need to have experience in so many of the domains, but I can’t figure out how to get anyone to hire me to get that experience. There isn’t even an ISC2 chapter in my whole state! I started studying cybersecurity because I really find it interesting and was looking to change careers. I see things that I feel to be security concerns in all kinds of businesses I go into. When I do find a cybersecurity position open in my city they want several years of experience. This is so frustrating, because not only do I really want to work in the field and studied very hard to pass the Security+, but also because there is definitely a huge need for more security everywhere. I don’t live in some small town either.

    1. Ty

      Look for other orgs in your area. Is there an ISSA chapter? How about an OWASP chapter?

      Look for cons in your area too. B-sides conferences tend to be a good way to meet fellow security folks, many of whom I’m sure work for companies who are looking to hire someone passionate. Plus there are almost always vendors and companies with tables or booths set up who are looking to hire. If you’re not far from cities where larger cons are go to those as well. Meet people and get your name out there. Lots of jobs are gained because one knows someone who knows someone who is hiring.

      If you’re open to moving and leaving your area (not always easy/possible) the hunt becomes a lot easier. It’ll also help a lot to have a good idea of where your passion in the industry lies. Are you passionate about pen testing? About securing networks? How about security education/awareness? Being able to clearly articulate that will help you drive discussions and find the right people.

    2. ntayhs

      Also, look at government! We are hiring cybersecurity in government!
      Federal, State, city, county, local, schools, etc.

  18. Fabian Soler

    Way to go Brian. Great topic to research and checkpoint across business domains. Everybody is impacted by cyber security but (as demonstrated by your other note about the CEO who vaguely threatened you for outing his compromised system) far too many companies STILL don’t get the basics of the reality they live in.

    Well done!

    Fabian

  19. rich

    Interesting. I have an engineering background (EE degree, programming, hardware, embedded systems, DSPs) and over the last 10 years have gone into the security arena. I’m actually looking to move from government back to private industry but I agree there are some issues.

    Someone like me would prefer the shadows and not being well known (not exactly uncommon for engineering types and those coming from the IC).

    Also defense is always harder than offense when it comes to quantifying its successes/failures. If you are some kind of hacker (legal or illegal) you know when something is successful since you’ve gained access to the system and/or data.

    On defense what is success? If you block 100s, 1,000s, millions of attacks? If you stop intrusions prior to getting to the data? At some point it is likely to have some kind of issue (nation state, insider, careless user), does that mean security is a failure?

    Also most senior execs are not technical and have no understanding of the complexity of networks and security. As an example a military network guy was telling me how a senior officer was always giving them a hard time about how long it took him to set up a secure system (IPSEC, specialized routing, etc.) because he was comparing it to a simple plug in a router/cable modem at home.

    I’m curious what I will encounter in the interviewing process and what actually goes on in some of these companies. Sadly just the online application process is a mess.

    1. neutralist

      Same thing with football, or any sports really. It is human nature. The focus is always on the quarterback, or the person who scores the points. Everyone else does not matter.

  20. Bonnie Gall

    I have worked in credit unions for over 30 years. This article brings back memories; about 10 years ago all you would have to do is switch the job title from CTO to Compliance Officer. When compliance came to credit unions, I hoped it would be their wake up call. Compliance changed everything for them. More work, more employees, more regulatory and examiner scrutiny, more costs, no revenue. Some credit unions didn’t make it through. In order to get credit unions to comply, regulations needed to be revised and/or enforced. Now Security has come. More work, more employees, more cost, no revenue. More scrutiny. Hopefully, credit unions will wake up and realize the importance of being proactive and start thinking and planning strategically. If not the future is looking mighty dim for them. But more importantly, our regulators need to be more proactive and for once enforce our regulations.

  21. Anonnut

    From the report:

    Prior to 2005, Equifax’s CSO reported to then CIO Robert Webb (no relation to David Webb).

    This reporting structure resulted in Robert Webb having responsibility over the IT security function led by the CSO.

    An internal restructuring altered this reporting relationship during Robert Webb’s tenure. Following this change, the CSO reported to the Chief Legal Officer instead of the CIO.

    Richard Smith was hired as the company’s CEO in 2005. Tony Spinelli was also hired in 2005 to fill the role of CSO, at the direction of Smith.

    Equifax executives knew growing security risks and compliance requirements necessitated an overhaul of the company’s security stance. Spinelli was tasked with establishing the first company-wide IT security standards.

    Spinelli presented the Equifax Board of Directors with a three-year, $15 million plan to reorganize IT security across the enterprise.

    The working relationship between CIO Robert Webb and his subordinate CSO Tony Spinelli devolved due to “fundamental disagreements,” so the significant decision was made to move the security function out of IT and into the legal office.

    Sounds like the problem started in IT (CIO) years ago, and the CEO failed to deal with the internal problem properly in the past, and did not address the issue when both had left the company; things were left the way they were when new people came on.

    Equifax had a problem from the beginning with both IT and Security. And ultimately it is the responsibility of the CEO to facilitate all “working relationships” for both business and security objectives. The only thing that mattered to Equifax was the business, and the consumer in the end is the one who always gets screwed…..

    1. Geoff

      I think the fact Susan Mauldin had no IT qualifications and had only studied music composition would have meant that even if she was reporting to the CEO they still would have been hacked.

  22. vb

    If the cost of loss prevention is greater than the cost of the loss, there will be no loss prevention.

    Keep in mind that most of the cost of a breach is a cost for the customer, employee, or users of a system. The company that breached the data has little cost, if any at all, related to the breached data.

  23. Peter

    I have to share an additional gaffe by Equifax, as I was one of the people affected by the breach. Equifax gave me a free subscription to Trusted ID Premier, which is a credit monitoring service. So far, so good. But do you know how you can log in to that service to obtain your credit report? An email and a password. That’s it. So before I had this “protection,” I had to answer a series of fairly obscure multiple choice questions to get my report. But now all it took was my personal email address and my password, which to me seemed far less secure than the previous approach. I canceled the service.

  24. Fazal Majid

    Siloing the CSO/CISO from IT is not a solution, as shown by Equifux.

    As long as there is no liability for breaches (unlike in the EU, for instance), CEOs will make the rational and self-interested calculation that the security budget is better spent on their own bonuses. That’s why a CSO reporting to the CEO is no solution either. Reporting and accountability should go straight to the board. In that light, it matters little who’s the manager of the CSO.

  25. Michael Thelander

    Great article. It’s worth pointing out that, yes, everyone will say the Equifax breach was caused by an unpatched Apache Struts vulnerability. And this is largely true.

    But:

    Defense in depth is real and meaningful. The attackers were in the EQFX network for 2 1/2 months and touched over 50 databases. Equifax did have a traffic inspection device in place to see network anomalies, but according to the GAO report the TLS certificate that allowed that device to authenticate itself and decrypt and inspect traffic — and alert InfoSec teams — had been expired for almost a year. It was a dramatic failure of machine identity protection.

    Two things to note here:

    1) Yes, a CISO is absolutely required, if only to ensure that not only are tools in place, but that they’re appropriately configured and used in a programmatic and continuous way.

    2) Machine identities matter. More than ever. Yes, we spend $8 billion a year on human identity authentication, but if we don’t start taking seriously the need to continuously corroborate and verify machine identities, as well — meaning TLS certificates, SSH keys, code signing and API keys — we’re leaving gaping holes in our defense-in-depth strategies.
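The expired-certificate failure described in the comment above is, at bottom, a monitoring gap: nobody was continuously checking the inspection device’s own identity, so it went dark and the silence looked like a clean network. As an added example (not the commenter’s code or any Equifax tooling), here is a small Python expiry audit over a constructed inventory of machine identities with a constructed reference date; the long-expired inspection-appliance entry models the scenario the comment describes.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of machine identities. "not_after" uses the
# "%b %d %H:%M:%S %Y GMT" format OpenSSL prints for a certificate's notAfter
# field, which the standard library's ssl.cert_time_to_seconds() parses.
INVENTORY = [
    {"name": "tls-inspection-appliance", "kind": "tls-cert", "not_after": "Jan 31 00:00:00 2016 GMT"},
    {"name": "api-gateway-frontend", "kind": "tls-cert", "not_after": "Jan 15 00:00:00 2018 GMT"},
    {"name": "release-signing", "kind": "code-signing-cert", "not_after": "Jun 30 00:00:00 2019 GMT"},
]

# Constructed reference date so the run is reproducible offline.
NOW = datetime(2018, 1, 1, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime = NOW) -> int:
    """Whole days until notAfter; negative means the identity has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(days: int, warn_days: int = 30) -> str:
    """Map days-to-expiry onto an alert state."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def audit(inventory=INVENTORY, now: datetime = NOW, warn_days: int = 30) -> list:
    """Evaluate every identity; this belongs in a scheduled job, not a one-off deploy check."""
    findings = []
    for item in inventory:
        days = days_until_expiry(item["not_after"], now)
        findings.append({**item, "days": days, "status": classify(days, warn_days)})
    return findings


def silent_failures(findings, min_days_expired: int = 90) -> list:
    """Names of identities expired so long that no one can have been watching.

    An inspection device whose certificate lapsed fits here: it stops decrypting,
    emits no findings, and the absence of alerts is mistaken for a quiet network."""
    return [f["name"] for f in findings
            if f["status"] == "EXPIRED" and -f["days"] >= min_days_expired]
```

Feeding `audit()` real inventory (for example, `notAfter` values pulled from `openssl x509 -noout -enddate`) and paging on any `silent_failures()` hit turns the comment’s “continuous corroboration” into a concrete control.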

  26. Teri Radichel

    Yes. I wrote a response to the Equifax breach for Dark Reading called “Why Patching is Hard” and part two is all about organizational issues. I also have some presentations on SlideShare about how security needs to change, coming from a background that includes 25 years of business, operations, security, and software development experience and a whole bunch of certifications, if that matters.

  27. Mak

    Publicly listing CISO itself creates a security exposure by naming a target for hackers?

  28. Vitaly

    Posting a CISO/CSO name on a web site is not in any way a representation of the security maturity of an organization; it is also an obvious security risk.
    Not to mention that all somewhat technical executives are prone to annoying sales/marketing calls.

  29. Jeff

    You can argue endlessly about corporate titles, who reports to whom, until you are blue in the face.
    The ONLY thing companies really respond to is a hit to the shareholders or quarterly reports.
    Until they actually take a FINANCIAL hit for lax security practices, they have no reason to care. The only people being hurt are the users, and obviously they couldn’t care less about the little guy’s finances being damaged or even destroyed by their negligence. They probably allow for such losses as a ‘business expense’.

    So call me a cynic.
