Hackers worldwide are on a tear, and breaches occur at a quickening pace. If something goes wrong, the chief information security officer, or CISO, gets the blame.
WASHINGTON — The paycheck is big. The career security is great. But the headlines are a headache.
The job is to guard the key digital secrets of a major organization, perhaps proprietary manufacturing methods of a company, or health records of a hospital system. Or credit-card information at a major retail chain. Tolerance for failure is nil.
Yet hackers worldwide are on a tear, and breaches occur at a quickening pace. If something goes wrong, the chief information security officer, or CISO, gets the blame.
“Being a CISO means keeping that résumé polished,” said Chase Cunningham, a security and risk analyst at Forrester, a technology-research company in Cambridge, Mass.
Most Read Business Stories
- License plate scanners were supposed to bring peace of mind. Instead they tore the neighborhood apart.
- Medicare Advantage is cheaper for a reason — beware
- As housing costs climb, another Seattle apartment project tests a new way of building
- As climate concerns threaten air travel, aviation industry banks on technology solutions
- Washington state recovers $500,000 in stolen jobless benefits from bank where fraudsters channeled millions more
Equifax, one of the nation’s big three credit bureaus, announced Sept. 7 that it had been hit by a massive breach, and a week later it said its chief information officer and chief security officer had resigned. That didn’t calm the storm for Equifax, which guards the personal financial history of half of the U.S.; CEO Richard Smith was forced out Monday.
It is little wonder that some qualified people won’t take jobs as chief information security officers. Among them is Cunningham, who has a doctorate in information security, a background at the top-secret National Security Agency and an acute sense of how to fend off the bad guys. He said the job involves “guaranteed failure.”
“It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come, even though it’s a guarantee that (they) will happen at some point,” Cunningham said.
“It’s like playing chess with a blindfold on,” added Cunningham. “You cannot win.”
Tech honchos blame their higher-ups — the bosses who don’t understand the threats, don’t want to spend money in an area that has no apparent return and don’t want to take responsibility when things go awry.
The job of CISO (pronounced see-so) used to be the digital equivalent of stocking the moat around the castle with crocodiles and making sure the drawbridge functioned.
“In the past, it was about defending the perimeter,” said Godfrey R. Sullivan, a former chief executive and current chairman of Splunk, a San Francisco company that produces software to analyze high volumes of machine-generated data.
But Sullivan said hackers now most likely have gotten past the perimeter and reside in target networks.
“The bad guys are in your building,” Sullivan said. Information security officers nowadays have to hone their skills at continuous analysis of the data both entering and leaving the networks, he added.
Indeed, breaches may be inevitable. “The longtime folks have been saying, it’s not ‘if’ but ‘when,’ ” said Rich Barger, director of security research at Splunk.
CISOs get in trouble, Sullivan said, when they discover breaches and don’t act quickly. That may have happened at Equifax.
According to security researcher Brian Krebs, one of the vulnerabilities of Equifax was at its Argentine operations, when hackers discovered they could access its website by typing in “admin” at login and “admin” at password. Another vulnerability involved failure of Equifax to patch a known security hole in its website application software that came to light in March.
For those caught by headline-grabbing breaches, job security may be shaky. But a shortage of experts in cybersecurity is such that landing another job is nearly assured. “It’s not hard to get another job, as there are plenty of them out there,” and honestly it’s ‘good’ if you have been through a breach, but it sure isn’t painless, Cunningham said.
Adding to the difficulties of guarding digital storehouses, experts say, is a deluge of threat intelligence reports. Alerts come in all day long of potential vulnerabilities in software and types of malicious code.
“There’s a ton of cyberthreat intelligence out there,” said Christopher Wlaschin, the CISO at the Department of Health and Human Services, noting that some of it is little more than snippets of suspect malicious code. Wlaschin spoke at the recent ICIT Cyber Intelligence Briefing in Washington, D.C.
Hackers are constantly evolving, and adopting new techniques, targeting new things, making successful defense a temporary — and perhaps unnerving — condition. “So it’s constantly a game of whack-a-mole,” said Ron Plesco, who works in the cyber-response service at KPMG one of the big four global auditing companies.
When a serious breach comes to light, executives want someone to blame.
Travis Farral, director of security strategy at Anomali, a Redwood City, California, said information security officers who manage the techies on their team with appropriate caution about the gamut of threats often do better.
“They are responsible for the culture of security within an organization. They have the ability to have a voice with senior leadership,” Farral said. “Those who are effective at doing that stay out of the news.”