Thursday, May 27, 2010

Notes: Profile for a CISO?

I was at the 4th International Forum on Cybercriminality and there was a conference about CISOs' professional profile.

I just took a few notes and, apparently, there are three major kinds of personalities for a CISO:
  • The pilot,
  • The architect, or IT urbanist,
  • The administrator.
I have no particular comment on this, except that I think I am doing my best to be all three of these :-\

I was also interested in this definition they gave: "The CISO is the one who defends the ITsec budget."

Finally, they described an evolution in the profile of CISOs:
  1. In the 1990s, people became CISO by opportunism,
  2. In the 2000s, people became CISO through competition,
  3. In the 2010s, people are becoming CISO by choice or by vocation.
I'm happy to record that I'm in the 2010s :-)

Wednesday, May 26, 2010

Monthly ITsec Leadership Quotes and Articles

I'm getting more and more convinced that the leadership style of Bruce Schneier is what made him so popular. There is more personality than leadership in his case. In fact, my way of answering questions about "the mixture of security and feelings" is very close to his. Two examples:

A few quotes heard at the 4th International Forum on Cybercriminality:
  • "Nowadays you learn more about someone from Facebook than from Edvige." (Edvige is a personal-data file on named individuals used by the French police.)
  • "The problem is not adapting to the digital world, it's adapting to the border-less world."
  • "In healthcare, IT security is a deontological requirement." (That is, a requirement of professional ethics.)
  • "Estonia is ahead of us [ahead of France regarding ITsec]."

Oh, by the way, I finally got a hint as to why they all emphasize "Information Security" rather than "IT Security": I think it's because they want people to understand that it's not an IT-only problem.

Thursday, May 13, 2010

Transparency the Next Big Topic? I Don't Think So :-(

Here is a recent Bruce Schneier interview, "If you don't understand the people you'll never understand security, says Schneier". I really appreciate Bruce Schneier for his stick_to_the_facts and be_smart_not_an_automaton approaches.

However, when he says during that interview that the next big topic for security will be transparency, I think that is more wishful thinking. I can see three main reasons why the move to transparency will be very slow:
  1. Good transparency requires transparency from both the vendor and the buyer. I think the buyer will never see the point of publishing data about (in)security, even if that's more or less a kind of corporate social responsibility...
  2. Some major players among vendors and some managers in buyers' hierarchies do not want to play the game by the rules. They prefer it the way it is, especially if they have a good ROI/good wages and not too much stress. So, unless there is some interventionism, I think they will do their best to slow the move.
  3. If you're going to publish things transparently, you might think of it as possible bad publicity for your company. And the weak point is: most companies, buyers or vendors, do not know where they stand among their peers on IT security criteria. So they will not want to make the first move and risk publishing what might be seen as bad results.
To my mind, the whole business of IT security transparency is, like most corporate social responsibility issues, a wicked problem. For this reason, it will require some good leaders to design new models and, probably, some interventionism from States and big corporate players. That is: it will move slowly (decades, to my mind).