Written by Guest Poster Wade Woolwine

The Chief Information (Security) Officer* is a top level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don’t have one? Sure, there might be a CTO, or legal team who claims that part of their mission within the company is data, but that simply isn’t enough.

In today’s world, just about every industry must maintain a certain amount of personal information about their customers even if the soul purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid services providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company and consumers demand that this information be kept safe from criminals. Who bares the responsibility for this data? The CEO? Probably not, most CEOs are concerned with company performance, products, and marketing – in other words, making money for the company or share holders. How about the CTO? Perhaps, but when you’re also responsible for maintaining the availability of your product delivery platform, the focus on confidentiality and integrity of the data maintained within the platform is often lost to availability of products and services to consumers. Furthermore, data does not typically sit stagnantly on systems, it gets consumed by both customer facing applications and internal application such as trend calculation and other business intelligence purposes that are likely not under the authority of the CTO.

By the position title alone, we can determine that the CI(S)O reports up to the CEO and is a peer to other “C” level executives such as the CFO (Chief Financial Officer), CP/DO (Chief Product/Development Officer), CTO (Chief Technology Officer), and COO (Chief Operating Officer). Generically, and as I’ve already stated, the CI(S)O is responsible for identifying, cataloging, and protecting ALL information assets, whether this data is externally or internally sourced. As such, the CI(S)O must interface with other executives in order to identify, document, and classify data assets.

It feels like a good place for a quick tangent on data classification; each information asset within the company must be evaluated against a set of defined criteria to ensure that the level of protection applied to said assets is consistent with the risk associated with the loss or theft of the data. Incidentally, the responsibility for defining the classification levels and assigning appropriate properties to each level falls on the CI(S)O.

Once all information assets have been identified, solutions must be devised and implemented to ensure the data remains protected no matter where it travels or rests within the company’s (and partners) technical infrastructure. Partnerships with other executives are key to achieve this goal:

• The CI(S)O must interface with the CTO to ensure that solutions for network security/monitoring, host/server security, configuration/patch management, identity management, access controls, desktop security, and overall network and host health monitoring are in place. Please note that this is not an exhaustive list, just some key items to demonstrate the importance of the CI(S)O’s ability to interface with other executives and influence changes in other organizations within the same company.
• The CI(S)O must interface with the CFO to ensure that appropriate data retention policies are in place, and that software, hardware, and communications paths used to transport or store sensitive employee data have appropriate levels of confidentiality, integrity, and non-repudiation.
• The CI(S)O must interface with the COO to ensure that appropriate physical security controls, security awareness and security policy training programs, and employee accountability are in place.
• The CI(S)O must interface with the CP/DO on implementing a robust software security lifecycle for applications and products that collect or display sensitive information.

By no means is this meant to be an exhaustive list of CI(S)O responsibilities, but rather a select few to demonstrate that information security cannot be shared across multiple executive owners. With something as critical as securing consumer and corporate data against an ever growing number and diverse set of threats, accountability at the highest levels of the company is key to creating and enforcing good security policies, procedures, and solutions.

*For the purposes of this article, I’ve assumed that the titles Chief Information Officer and Chief Information Security Officer are one and the same. The CI(S)O’s roles is to ensure the security of information assets.

Wade’s Bio: An IT Security professional in the Washington DC area, Wade works for a large Web Application Service Provider as a Senior Engineer on the IT Security Assurance Team. You can find Wade on Twitter @wadew (you can also see him on our NovaInfosec Twits list), and can read more of what he has to say on his blog at WadeWoolwine.com.

o o o o o

Many thanks to Wade for this excellent post. We hope that you’ll follow Wade’s lead and contact us about becoming a guest poster for NovaInfosecPortal.com.

Update: The OWASP – VA Local Chapter infosec meetup taking place tomorrow has two newly added speakers for the panel portion of the meetup: @wadew and Nate Miller of Stratum Security.

For more information about the OWASP – VA Local Chapter, see its description in our Infosec Meetups section, or view our original post about the meetup.

Also, don’t forget to view our Calendar for a list of similar infosec events in and around the NoVA area.

###

Would you like us to keep these kinds of posts coming? Then help us help you by contributing to the improvements we’re trying to make to the site.

After a brief break in March, the OWASP – VA Local Chapter is back this month with a meetup and corresponding panel discussion on Wednesday, April 8th.

The panel discussion will be lead by NoVA’s own Wade Woolwine, and the 50-minute presentation will be given by Jeremiah Grossman of Whitehat Security.

Grossman will open the meetup with his talk, “How Penetration Testing Has Matured—A Modern Look,” and Woolwine will start his panel discussion—“Critical Answers to How Your Organization Should Use Penetration Testing”—shortly after Grossman finishes his presentation.

There’s some pretty interesting developments happening with pen testing right now, so if that’s your area of expertise, or something you’d like to learn more about, you will reap huge benefits from attending this meetup.

Want additional information about this meetup? Continue reading below.

• Who: Wade Woolwine of the Wade Woolwine Blog and Jeremiah Grossman of Whitehat Security
• What: “How Penetration Testing Has Matured—A Modern Look” by Grossman, and “Critical Answers to How Your Organization Should Use Penetration Testing” by Woolwine
• When: 04-09, 6:00 – 9:00 PM EST
• Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on the OWASP – VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

 ###

While it’s not pen testing software, we’d like to think that it’s just as valuable: A subscription to NovaInfosecPortal.
Why not view our subscription page to find out more about how you can help us help you?

There were some interesting blog posts from local NoVA infosec bloggers this week, discussing everything from customer service to what IT Security jobs will look like 20 years from now. But since we can’t highlight them all, we picked the best 3 blog posts of the bunch.

As always, be sure to tell us what you think by leaving a comment below. You can also send us a tweet @grecs.

#3 – Revisiting the Golden Rule: Depending on who you talk to, the ‘golden rule’ can mean many different things; to Wade Woolwine however, the golden rule that’s been missing from the security field is customer service. Wade writes, “when you’re involved in security, specifically for a product, or a company who builds products, you should be listening to your customers!” While that can sometimes be difficult for those of us who are a little reserved, Wade’s right: Part of dealing with people is helping them. While it’s easy to think that having a job in security means that you’ll never have to interact with people again, the reality is that you will. Even if you sit alone in a room with a computer for most of your day, chances are you still report to someone, work with someone on projects, or deal with outside companies or customers. Unless you’re one of the 1% of people who somehow manage to avoid all human contact, Wade provides some useful tips on how security professionals can polish their customer service skills. You can view Wade’s full blog post here.   

#2 – Security Careers for the Next Generation: Like everything else in the world, the security field is also changing. It’s unrealistic, as Richard Bejtlich points out, to think that the next generation of security professionals will be able to find the same positions that are available today. Why? According to Bejtlich, it’s due to a shift that’s happening not only in the security field, but the IT field in general. He writes, “I’d like to know which of you manage a 3G network? Chances are if you answer yes, you work for a telecoms provider. How many of you keep the operating system on your Blackberry or iPhone patched? If you answer yes you work for a telecoms provider or Apple.” Basically, Bejtlich believes that the next generation of security and IT professionals will find less variety of jobs to chose from, limited mainly to providers and vendors. You can read the full blog post on Bejtlich’s Tao Security blog.

#1 – A Little Extra Heat: It turns out that the “Cyber Security Coming to a Boil” blog post by Michael Smith of the Guerilla CISO created a fair amount of controversy. In case you didn’t read our post about it last week, Smith talked about the political side of cyber security. (And yes; anytime you involve politics in anything, it is bound to cause controversy). But in an interesting twist, Smith let one of his commenter’s (Ian99) write an entire post explaining why he didn’t agree with Smiths’ blog post. It makes for an interesting read, and it’s nice to see both sides of the issue. You can read Ian99’s response to Smith here.

Well, that’s all for this week; be sure to check back next week for more of the best from local infosec bloggers.

###

Speaking of local bloggers… we here at NovaInfosecPortal are locals too. If you’d like to support
 our site and keep the local infosec community going strong, why not consider subscribing to NovaInfosecPortal?