What should a CISO be doing in today's business and security environment? At the recent Black Hat Conference in Las Vegas, CSO Magazine had the opportunity to interview Nuix's Chief Information Security Officer, Chris Pogue, about his experiences in protecting the Australian security company's operations.
Over his career, Pogue has been an officer with the US Army Signal Corps, an instructor with Trustwave SpiderLabs as well as being a member of the IBM/ISS X-Force incident response and ethical hacking teams. He holds a Master's Degree in Information Security and is also an adjunct cybersecurity professor at Southern Utah University.
Pogue's main advice to security managers is to hire a great team. “As a CISO I have an eclectic bunch of people, I cater to their crazy and the results are tremendous. Hire the crazy, because you need them. Those are the ones that don't think outside the box; they burn the box and stomp on the ashes. That's what you want.”
Along with being able to manage a diverse and crazy team, being able to talk the language of other executives is an essential CISO skill, Pogue believes: “understanding both sides of the house is important – understanding the financial risks and being able to communicate those to the CFO, understanding the business risks and conveying those to the chairman of the board and the CEO, understanding what the reputational risks are and conveying those to the head of marketing or PR. It needs to be quantifiable.”
“I would say to other CISOs communicating to board members, know your target audience and know how to take those technical concepts and communicate effectively to that specific group and you will be successful. Understand what motivates them.”
“You can't just say 'security is good' and everything else is bad, because everyone speaks their own language. Understand who your target audience is and address them in the language they are going to hear.”
For company boards and managements, high profile breaches in recent years like Target's and Sony's have brought home the seriousness of information security: “the pucker factor has kicked in,” Pogue says. “Boards are looking at this and discovering the average breach costs three and a half to four and a half million dollars, and I have this entire risk factor to be aware of. I want someone on this – fix it.”
Pogue says understanding these risks puts more onus on executives across the business: “this is a legitimate global problem that's not going to go away, and it's not all those IT guys being the doom and gloom sayers. It's a business problem that affects every part of the business; there's an HR component, there's a legal component.”
“Executives need to understand this is a real honest to goodness risk and it needs to be addressed; you need to have a CISO, a risk officer, you need to have people who understand this landscape who can help guide the business, just like a general counsel,” Pogue advises. “I don't want to run the business, or keep it from making money, I want to provide enough advice and information so the decision makers can make smart decisions.”
“Understand that's the CISO's role and give him free rein to do that, don't half ass it. If you are going to hire him, empower him and give him everything he needs to accomplish his mission. All he's gotta do is be wrong once.”
Having a properly qualified professional in the CSO or CISO role is also essential, says Pogue: “all executives and boards should look at their CISO in a similar way and say this is a cyber expert. Don't put a lawyer or accountant in that spot, put a cyber expert who's put fingers on keyboards, has fifteen to twenty years' experience, who's going to point you in the right direction.”
In Pogue's view, the security landscape is becoming far more dynamic: “the old way of doing things has been very static, let's focus on IoCs – indicators of compromise – and let's not focus on tactics, techniques and procedures. Someone can change between attacks; they can use one tactic on one machine and another on the next. There could be two dozen IoCs in one attack.”
Given the weight of alerts and the shortage of skilled staff to interpret warnings, Pogue believes that software which analyses an organisation's security status and the behaviour of potential intruders is essential, provided it doesn't “just vomit alerts all over everyone saying 'here's ten thousand indicators of compromise alerts, you tell me which ones are important.'”
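The two points above, that a single intrusion can throw off dozens of individual IoC hits and that an analyst needs behaviour-level findings rather than a raw alert dump, can be illustrated with a small correlation step. The following is an added example written for this article; it is not code from the interview, from Nuix or from any product. The rule names, stage names, hosts, timestamps and IoC values are all constructed for the illustration, and the scoring is a deliberately simple heuristic: group hits by host, reduce them to the distinct intrusion stages they evidence, and surface only hosts that show more than one stage.

```python
"""Fold a stream of atomic IoC hits into a few behaviour-level findings.

Added example, not code from the article or from Nuix. Rule names, stage
names, hosts, timestamps and IoC values are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical map from the detection rule that fired to the behaviour
# (TTP-style stage) it evidences. Many IoCs collapse onto one stage.
RULE_STAGE = {
    "cmd_net_group_domain_admins": "discovery",
    "cmd_nltest_dclist": "discovery",
    "hash_mimikatz": "credential_access",
    "hash_procdump": "credential_access",
    "cmd_psexec_remote": "lateral_movement",
    "smb_admin_share_write": "lateral_movement",
    "ip_known_c2": "command_and_control",
    "domain_dga_match": "command_and_control",
    "hash_known_adware": "nuisance",  # a real IoC, but not an intrusion stage
}

# Rough kill-chain order; a host that progresses through it scores extra.
STAGE_ORDER = ["discovery", "credential_access",
               "lateral_movement", "command_and_control"]


@dataclass
class Alert:
    ts: int      # seconds since an arbitrary epoch; only ordering matters
    host: str
    rule: str
    ioc: str     # the matched value (hash, IP, command line, ...)


@dataclass
class Finding:
    host: str
    stages: list
    hit_count: int
    first_ts: int
    last_ts: int
    score: int


def correlate(alerts, min_stages=2):
    """Group hits by host and keep only hosts showing at least min_stages
    distinct intrusion stages. Returns findings sorted by descending score."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a.ts)
        stages = []                      # distinct stages, first-seen order
        for a in hits:
            stage = RULE_STAGE.get(a.rule)
            if stage in STAGE_ORDER and stage not in stages:
                stages.append(stage)
        if len(stages) < min_stages:
            continue                     # isolated IoC hit or pure nuisance
        score = 10 * len(stages)
        idx = [STAGE_ORDER.index(s) for s in stages]
        if idx == sorted(idx):           # advanced through the chain in order
            score += 5
        findings.append(Finding(host, stages, len(hits),
                                hits[0].ts, hits[-1].ts, score))
    findings.sort(key=lambda f: (-f.score, f.first_ts))
    return findings


def summarize(alerts, findings):
    """How much of the raw alert volume the analyst still has to read."""
    flagged = {f.host for f in findings}
    folded = sum(1 for a in alerts if a.host not in flagged)
    return {"alerts": len(alerts), "hosts": len({a.host for a in alerts}),
            "findings": len(findings), "folded_away": folded}


# Constructed sample stream: one line per IoC match, deliberately noisy.
SAMPLE_ALERTS = [
    Alert(100, "ws-017", "cmd_net_group_domain_admins", 'net group "domain admins" /domain'),
    Alert(160, "ws-017", "hash_mimikatz", "sha256:0f3a91"),
    Alert(165, "ws-017", "hash_mimikatz", "sha256:0f3a91"),   # same tool, second run
    Alert(300, "ws-017", "cmd_psexec_remote", "psexec \\\\srv-db-02 cmd"),
    Alert(320, "ws-017", "ip_known_c2", "203.0.113.7"),
    Alert(50,  "srv-db-02", "ip_known_c2", "203.0.113.7"),
    Alert(90,  "srv-db-02", "hash_procdump", "sha256:9c1d44"),
    Alert(10,  "ws-101", "hash_known_adware", "sha256:aaaa11"),
    Alert(11,  "ws-101", "hash_known_adware", "sha256:aaaa11"),
    Alert(12,  "ws-101", "hash_known_adware", "sha256:aaaa11"),
    Alert(400, "ws-033", "ip_known_c2", "203.0.113.7"),        # single hit, no chain
]

if __name__ == "__main__":
    found = correlate(SAMPLE_ALERTS)
    for f in found:
        print(f"{f.host}: score={f.score} stages={' -> '.join(f.stages)} "
              f"hits={f.hit_count} window={f.first_ts}-{f.last_ts}")
    print(summarize(SAMPLE_ALERTS, found))
```

Run as a script, the eleven constructed hits across four hosts collapse to two findings: ws-017, which walked discovery, credential access, lateral movement and command-and-control in order, and srv-db-02, which shows two stages out of order and so ranks lower. The adware hits and the lone C2 match are folded away rather than presented as four more alerts of equal weight. The same per-host grouping also carries the chain across machines (the psexec command line on ws-017 names srv-db-02), which is the cross-host view an IoC-only feed never gives you.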
Overall, Pogue believes that attracting good security staff is a matter of providing a work environment that they enjoy. For himself, he'd show up regardless of the money as long as the stimulation is there. “I spent eight years at IBM where I was number 8Alpha149. I didn't have a name, just a boring serial number, and I had no influence over anything. Whereas if you take a bunch of experts who are passionate, we're in this industry because it's what we love. It's not what we do, it's who we are.”
“If I won the Powerball tomorrow I would show up for work on Monday because this is just how God wired me.”