TonyDS
Newcomer II

Synopsys CISO Report

Hi all,

 

I recently read a very interesting paper, the 2017 Synopsys CISO report.

https://www.synopsys.com/software-integrity/resources/analyst-reports/ciso.html#form

 

I found it very thought provoking, particularly in the way that CISOs, or organisations, have been grouped into 4 tribes, based on their outlook on Security.

 

I wondered whether anyone else here had read it, or whether there are any other good resources available, perhaps books or other research, on the topic of assessing the security culture of an organisation.

 

Cheers..

3 Replies
Ravenshroud
Newcomer III

I have worked at over 40 organizations in my IT/Security career as a long-time consultant and contractor.  I tend to rate my experiences with organizations on a maturity model like CMMI.

 

I am currently at a level 0 organization and I have been there before.  Now typically you rate applications, functions, tasks, etc for maturity and not the whole organization, but it is just a shortcut in my mind, so hopefully I don't offend anyone with this conceptualization.

 

A level 0 organization has numerous functions sub-ad hoc.  Meaning not only do they not have consistent or documented processes, but they often have no idea how to even find their equipment and no one to admin them if they do.  SCARY!!

 

But I take these jobs primarily to help them dig out of these holes as a program manager.

 

Here's what I have seen in my last 3 gigs as a cybersecurity program manager contractor:

 

  1. IT and Security teams have a very challenging time communicating and a harder time taking joint responsibility for success and failures.
  2. Security teams are quickly maturing faster than IT due to senior leadership risk appetites. (meaning security budgets are getting approved, but of course I wouldn't be there if they weren't)
  3. Security team members work together more successfully than IT counterparts. (BIG generalization)
  4. The lack of qualified security professionals is a huge incentive for current and upcoming professionals to find a really good opportunity and thus keeping employees is going to be challenging.
  5. Security is outsourced/off-shored MUCH less often than IT.
  6. Very few organizations know how to secure in the cloud.
  7. Too many organizations are still not looking at security from a data-centric point of view.  So combine this skill and a strong cloud education, and any privacy management experience and you are a golden child in security.
  8. I would rather work with security than IT, because when security breaks often people have no idea.  When IT breaks you spend a lot of hours working outages with pissed off customers.  That being said, there are MANY instances where security professionals have to work long hours and there is a really bad breaking point in security where your company gets sued for not doing due diligence or due care and everyone loses their job, or in Equifax's case, all leaders get a bonus.
  9. Work projects instead of ops.  It is a lot more fun. 🙂

I guess I am saying I find these truths to be recurring across numerous organizations and culture-types.  Private and public, large and small, mature and immature.

TonyDS
Newcomer II

Good stuff Ravenshroud,

 

Have you worked at any Level 4 or 5 firms and was that enjoyable?

 

Or does the satisfaction come from helping organisations to step up in their level of maturity?

Ravenshroud
Newcomer III

Well of course there really is no level 5, as level 5 is a temporary state given the changing goals, particularly security and privacy goals, these days.

 

Even level 4 is very challenging to reach.

 

I managed the largest technical team for Dell's largest services customer a few years back and I created a report for my executive director that showed how many people would be required to keep different technologies at different maturity levels.  

 

But here is the problem....

 

IT staffing at organizations tends to be kept at KTLO-levels (Keep the Lights On) or just above it.  It is very hard to get past level 2 with that mentality and budget.

 

Security staffing, I am finding, is ramping up quickly but because there are so many vectors of attack, it is hard to keep 20 tools online and optimized. (Firewall, IDS/IPS, Vulnerability Scans, Antivirus, heuristics engines (FireEye, Carbon Black, etc), application scanners, patch management, email security gateways, web browser gateways, PIM, etc. etc.) and this doesn't include compliance or risk management.

 

Level 3 maturity should be everyone's goal for critical technologies (business or IT).  Level 2 is good enough with limited staffing for everything else.  Level 4 and 5 are stretch goals when staffing is accessible.

 

I am finding global organizations saving money by hiring in Poland, Colombia, Malaysia, Bangladesh, etc.  Those companies are going to have a real advantage once they ramp up their staff, if they can hold onto them!