Caute_cautim
Community Champion

Are C-suite Executives our greatest risk?

Hi All

 

According to a PwC report, C-suite executives are the greatest risk? What do you think?

 

Do you concur or do you have another perspective? 

 

https://securityboulevard.com/2022/08/pwc-survey-finds-c-level-execs-view-cybersecurity-as-biggest-r...

 

Regards

 

Caute_Cautim

49 Replies
ervinfrenzel
Newcomer III

I would like to throw in that the "C" suiters are also the ones controlling the budget, so little to no experience, and the power to spend as needed. It really does sound like a recipe for failure.

 

Ervin

ervinfrenzel
Newcomer III

@nkeaton I do believe that ISACA is correct with that one. Having the CISO under the CIO is very problematic; it limits the ability to conduct oversight, as you are telling your "boss" that their primary systems are goofy. The standard belief that the CISO should fall under tech is slightly problematic, after all we are based upon the tenets of people, processes, and technology. To pigeonhole us into only tech might be part of the overall problem, so yes, I definitely agree with placing us either under the CEO or under the board itself. Kudos to ISACA for that one. As far as going down the rabbit hole of losses, 98% of all losses are directly or indirectly attributed to people or processes, while only 3% (rounding error) are caused by failed tech.

 

Cheers.

 

Ervin

vishybear
Newcomer I

I think a lot of people are missing the point here... this is NOT a certification problem.

 

CEOs and CFOs should be LEGALLY liable for break-ins. The CEO and CFO of Marks and Spencer and Jaguar Land Rover should be buying fake passports and getting ready to run out of the country right now, but they won't. Why should a CEO do any certifications? It's totally pointless, as they know they are untouchable, and even in the unlikely event they get "asked to leave", they know they'll get a sweet parachute and, regardless of how bad a job they've done, they'll move on to the next position.

 

Security is a losing battle unfortunately in the modern capitalist setup. Until there are actual legal consequences (or the Luigi solution) for C-Suite then nothing will get done. 

 

A lot of the replies here also miss the point. When someone like Target does something stupid like store passwords in plain text, or (my pet hate) developers decide to turn off firewalls because it makes their applications work, or people ignore those of us with decades of infrastructure experience (purchasing AND security, I'm looking at you), then stuff gets hacked and PEOPLE get hurt. I'm not talking about a slightly lower bonus for the C-suite or a shouting at for the security team... I'm talking about people getting details stolen and loans taken out in their name, or blackmailed, or locked out of social media accounts that they desperately use to keep in touch with family around the world.

 

LinkedIn requiring the same verification firm that Entra ID gives firms the option to use to verify employees is the dumbest thing on the planet... the firm's link to remove your details doesn't work on their website, AND they have in their T&Cs that they can use your biometric and government ID data, mix it with other data they hold on you, and sell it to data brokers. This stuff is serious.

 

From the basics of senior management being so stupid that I worked in a place where, when iPad 1 was replaced with iPad 2, rather than just say to IT "I would like the new shiny one", we had a swathe of broken iPads and "GET ME A NEW ONE NOW!!", to senior management refusing to sign off anything because they'll have to take responsibility, this is fundamental built-in stuff in the corporate world.

 

Purchasing should NOT be allowed to override my decisions on what to buy.

Project Managers should NOT be allowed to override my decisions on what to implement.

Cybersecurity teams should NOT be allowed to force through decisions over the Infrastructure SMEs by scaring the management.

HR should not be allowed within 100 miles of a technical job description.

 

This is the nature of the world we live in. Hence, zero sympathy for M&S or JLR or any firm that offshores, outsources, or puts "shareholder value" above the long-term viability of the company.

nkeaton
Advocate II

@vishybear I do understand what you are saying. It was more of a discussion on the fact that we have certifications and the leaders do not, but also that they often do not have the experience or education. Years ago, DoD was the one that started this entire mess with certifications. Private industry then followed. Since then, DoD has changed their focus to what I believe is much more important, which is experience and education. Hopefully private industry will follow again. I agree with you that the certification push got out of hand. On the other end of it, people like me are the ones who advise and influence upper management (although not always successfully).

Caute_cautim
Community Champion

@vishybear @nkeaton Here in New Zealand, and within other countries, CEOs and Directors are directly responsible for the financial fiduciary duty ("A fiduciary is a professional who manages money or property for other parties and has a legal duty to act only in their client's best interests"), including that of the organisation they manage, etc.

 

CEOs and Directors can be prosecuted under the Companies Act - https://www.legislation.govt.nz/act/public/1993/0105/latest/DLM319570.html

 

I assume most countries will have similar regulations and laws.

 

Regards

 

Caute_Cautim

dcontesti
Community Champion

Sorry to correct, but ISC2 came about as a result of the work done by the Data Processing Management Association's Special Interest Group for Computer Security (SIG-CS) beginning in 1988, with ISC2 becoming an entity in 1989. The intent was to create a standardized, vendor-neutral certification for information security professionals.

 

Founding members included Hal Tipton, Mike Corby, ISSA, Rick Koeing and one other (whose name escapes me at the moment). These folk created the first CBK and later (1994) the first CISSP exam.

 

This all happened prior to the DoD gaining interest.  

 

 

dcontesti
Community Champion

@Caute_cautim You are absolutely correct; most countries have laws and regulations.

 

Canada, as an example, has several regulations and laws (PIPEDA and the Digital Privacy Act; sorry, working from phone so grabbing links is difficult (also in airport so bandwidth is terrible)). As with New Zealand, corporate executives can be prosecuted.

 

d


nkeaton
Advocate II

@Caute_cautim Thank you for sharing that. It is interesting to know what other countries and entities are doing in practice. It is good to be aware.
vishybear
Newcomer I

Caute,

In the UK I can guarantee you that, regardless of laws, the CEO will get away with anything.
nkeaton
Advocate II

@vishybear I started thinking after the New Zealand post, and that you are from the UK, that I was describing a very US-centric issue in my response to you, and I apologize for my narrow scope in a more international community. In 2005 DoD put forth a directive that they wanted to create what they called WIP (Workforce Improvement Program). Employees in what I thought was the poorly named IA (Information Assurance) field were categorized, and certain certifications were specified for each category. CompTIA's Security+ checked more of the boxes than the others and didn't require experience to earn. The employees in the middle to lower levels for the most part selected it. So that was the beginning of what I described as a certification mess. What happened next was that private industry started adopting this emphasis on certifications here. While not CompTIA's fault, "schools" started putting forth what I call the big lie. They put out that anyone could get a job in this field. I still hear the ads now: lots of jobs (not at entry level), work from anywhere (definitely not at entry level), high pay (not at entry level), and pick your own hours (very doubtful). CompTIA brags of over 700K Security+ certified. So here we have all of these people certified with no experience that have flooded the job market. DoD recently changed to what I feel is more appropriate, which is experience and education. Hopefully private industry follows again, but the damage here exists. Very many people have been told something not true and will sadly most likely never get a job in the field, having spent a lot of money and time on something they cannot attain. It is sad to witness. I believe that a little has carried over to other countries, but not to the extent that it has here.