Ineffective CISOs Foster Shady Vendor Practices

Wednesday, November 23, 2011

Boris Sverdlik


I know I have become a bit lazy in keeping up with my rants and various positions I have taken within the industry, and for that I apologize.

I have become somewhat preoccupied with work, life, conferences and most importantly the podcast. I will try to balance all going forward because I believe my passion for information security drives me to be the best I can be across the board.

With all that self-promotion baloney behind me, I'd like to address some of you who have made claims about my move to the dark side (vendor). I am still the guy who goes by the mantra of "Don't Buy it!", and that will never change.

I for one strongly believe in the proven flow of People, Processes, Technology. There has been a lot of debate back and forth on the concept of the inexperienced CISO; regardless of what side of the fence you are on, you must at least acknowledge that we have a serious problem in the industry.

"After a breach the right thing to ask your vendor for is the morning after pill not a condom."

While I am fairly new to the industry in terms of marketing and sales, I am just appalled at some of the expectations inexperienced CISOs make of vendors. I am almost willing to believe that shady vendor practices were born through shady client requests. We are all in the business of making money, and I get it.

If you don't take the client's money, then someone else will. As greedy as we are as individuals, we provide almost no value to the consumer and the industry as a whole when we engage in these types of practices.

As security professionals we are used to money getting tossed our way after an incident... I like to call them reactionary dollars, which are for the most part used to bring a feeling of warmth and goodness to the cockles of C-level individuals.

The question remains how much faith is too much to put in the hands of your vendors? Without a thorough analysis of the inner workings of your organization, it is impossible for any external entity to make recommendations on where your reactionary dollars are best spent. 

A recent incident at an organization led the CISO to reach out with an open-ended request that, for the shadier vendor, would instantly flash dollar signs: "We think we might have had a breach, we're not sure when, how or why, but we need you to come here and monitor the network for everything."

How do you approach that? Do you take advantage of the organization and sell them your (Insert magic Anti-Apt, Blinky, Cyber Monitoring Unicorn Here)? Who is really to blame for the path our industry has taken when it comes to magic? 

An experienced CISO would take a step back and first determine the problem: identify weaknesses in his processes, take steps to remediate them, and implement an effective risk management program. This is where experience comes into account, and it will allow your organization to make strategic decisions based on risk and not on fear, uncertainty and doubt.

Reactionary dollars will run out, and when they do, can you definitively say that you have done what you could to reduce your organization's exposure?

In a perfect world you would have infinite resources to implement security controls that address every potential threat against your organization. This is not a perfect world, and resources are limited.

Don't rely on your product vendors to tell you where you need to spend your dollars. Every organization will in some way shape or form be popped... It's the cost of doing business in the global economy, and as such we must adapt to the threat and act accordingly.

As an organization you need to depend on your CISO to keep a level head and make informed decisions both day to day and during a breach. If your CISO doesn't understand that warm and fuzzies aren't bottled by (insert product vendor here), then use the incident to reconsider the strategy for the position.

Cross-posted from Jaded Security

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.