CSO Perspectives (Pro) 3.20.23
Ep 103 | 3.20.23

The emperor has no clothes - RSA conference prep.



Journey: (Singing) When the lights go down in the city... 

Rick Howard: You're listening to one of my favorite songs, "Lights," by one of the greatest rock bands of the '70s and '80s, Journey, with the evocative lead vocalist, Stephen Perry, singing about the city by the Bay, my favorite city, San Francisco, which is a reminder to you all that the RSA Security Conference is coming up in April. And I love that conference. 


Journey: (Singing) So you think you're lonely. 

Rick Howard: It's held annually, usually in the springtime. And I've been attending and speaking there on and off for over a decade. It's one of the biggest security conferences of the year, but it's not a hacker conference like, say, DEF CON or Black Hat or even one of the many BSides conferences. The RSA Security Conference is for security practitioners, the unsung heroes who defend their organizations in cyberspace. This is their chance to meet and exchange ideas on the latest developments within the cybersecurity landscape. Last year, about 21,000 people attended, which is pretty decent since we were all just emerging from COVID lockdown. Before COVID, the conference averaged about 50,000 attendees, and I expect that will be about the size this year. So for this episode, I'm going to talk about the conference specifically and about the presentation I'm giving with my pal Todd Inskeep called "The Emperor Has No Clothes: The Current State of the CSO." 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: Since it's held in San Francisco, near Silicon Valley, practically every security vendor on the planet mans a booth in the RSA Security Conference Expo. I worked for one of those vendors in my last job, and the chief marketing officer said that if the company didn't show a presence on the vendor floor at RSA, the customer base would notice and wonder why. They would see it as a sign that the company was failing in some way. 

Rick Howard: But it's not cheap. According to our own CMO at N2K, Emily Bradford, the current booth space prices for this year's conference ranged from $16,000 for a booth the size of a mini-truck-bed to $144,000 for a giant monstrosity the size of a small house, complete with two stories. And that doesn't include the design and build of the booth plus travel and shipping costs for equipment like computers and monitors, marketing materials, those giveaways and booth babes. And before you write in to complain, that's not a sexist comment. The running joke for the conference is that all people who man the booth are booth babes. Just picture me, an old and slightly overweight white guy wearing a polo shirt with the company logo and handing out tchotchkes, as a booth babe, and you will see why that's funny. 

Steve Winterfeld: And, folks, with that comment out there, let's send our comments and complaints to csop@thecyberwire.com. 

Rick Howard: Let's just call all of that a significant investment especially if you're a startup with a tiny booth in the back of the expo hall. But for the attendees, the atmosphere is electric and fueled by a sense of camaraderie and community. It's kind of a cross between Mardi Gras and your local high school reunion - Mardi Gras with the flashy lights and loud music from the booths, and high school reunion because many of the people that you've worked with in your career usually attend. I've told this story many times before, but there's a guy I used to work with that I run into every year, Kevin, usually on the corner of the Moscone Convention Center and the W hotel, where we pick up the conversation right where we left it from the last time we ran into each other. I love that. 


Tim Allen: Oh, yeah (laughter). 

Rick Howard: At last year's conference, I ran into another old buddy of mine, Todd Inskeep, the founder of a consulting company called Incovate Solutions. Todd and I have been friends for a long time, and we got to talking about his business and the latest development in the CISO career path, something called virtual CISOs or fractional CISOs. I had him come on the show last year to talk about it. It's Episode 5 from Season 11. The main idea behind the fractional CISO concept is that some companies have decided that they don't need a full-time CISO on their staff. What they do need, though, is somebody with CISO experience to come in and help them get their fledgling InfoSec program going and maybe check in every once in a while. In other words, they would contract the CISO work out. 

Rick Howard: This isn't a new business idea. It's just new to the security community. It started with fractional CFOs, chief financial officers, back in the 1980s. Fortune 500 companies began outsourcing their back-office functions to countries with lower labor costs such as India and the Philippines. In the 1990s, the trend of outsourcing expanded to include smaller businesses that could not afford to hire a full-time CFO. Instead, they turned to an outsourced CFO, who could provide strategic financial guidance and help them manage their finances on a part-time basis. Other fractional executives emerged in the wake of that success - chief marketing officers, CMOs, chief operating officers, COOs, chief information officers, CIOs, and chief human resource officers, CHROs. The fractional CISO is just late to the game. 

Rick Howard: If you listen to that episode with Todd, you can hear that I didn't see that coming. When I started this CISO gig back in the day, I expected that the role would keep moving up the leadership chain and would eventually end up on the executive staff as a matter of course, and not the exception. I always thought that CISOs would eventually become a peer to the CFO, the CTO and the chief legal officer. Today, except for a few minor examples in big companies, mostly in the financial vertical, that hasn't happened. 

Rick Howard: What has happened is that some senior organizational leaders have decided that a part-time CISO is good enough. Consequently, some veteran CISOs - CISOs who have been in the saddle in one or more organizations - have moved in to fill the need. They formed their own companies and started offering fractional CISO services. A famous example is the Krebs Stamos Group - KSG. Brian Krebs (ph) is the former director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA. Alex Stamos was the former Facebook chief security officer and the Yahoo! CISO. And that's what Todd's company does. 

Rick Howard: After he and I did the interview last year, we got to talking about the current state of the CISO position, and it was a fantastic conversation. At the end we said, hey, this would make a decent RSA talk. So we submitted a proposal to the conference selection committee and much to my surprise, we got accepted. It's called "The Emperor Has No Clothes: The Current State of the CISO," and it's scheduled for Wednesday afternoon, 26 April from 2:25 to 3:25 San Francisco time. If you're in town, please join us. 

Rick Howard: For those that are not making the journey to San Francisco this year, I thought I'd give you a preview of what the session is going to be about and how we put it together. It's called "The Emperor Has No Clothes" because the role of the CISO is really not the chief of anything. CSOs have the title and nothing else. When you hear other titles like CEO, CMO and CTO, you know that the people who hold those titles are on the senior executive team. When you hear CISO or CSO, though, you might assume those people are part of the executive staff, but that isn't the case at all. 

Rick Howard: There are exceptions, but in the best circumstances, those people are senior vice presidents in charge of cybersecurity, usually buried in the leadership bureaucracy, one or more levels down. In other less than ideal circumstances, they don't even have the CISO title and are managers or directors of security. But when they announce themselves at parties, they say something along the lines of, I don't have the title, but I'm essentially the CISO. To prove my point, one metric to look at is the number of CISOs or CSOs listed on corporate leadership team webpages for the most successful businesses. Let's pick three categories of business to demonstrate - Fortune 500 companies, Fortune 500 financial companies, and the top security vendor companies. 

Rick Howard: For the top five Fortune 500 companies - Walmart, Amazon, Apple, CVS Health and United Health Care Group - no CISOs are listed on the leadership team's webpage. For the top five financial Fortune 500 companies - JPMorgan Chase, Fannie Mae, Bank of America, Wells Fargo and Citi - again, no CISOs are listed on the leadership team's webpage. For the top five security vendors by revenue - Palo Alto Networks, Fortinet, Cisco, CrowdStrike and Zscaler - only Cisco and CrowdStrike list their CISOs on the company leadership team webpage - Brad Arkin for Cisco and Shawn Henry for CrowdStrike. Now, using leadership team webpages is not a perfect metric. I mean, it doesn't prove a trend or anything. But it's one data point that supports the theory that CISOs are mostly CISOs in title only. They really aren't wearing any chief clothes at all. 

Rick Howard: You might ask that if CISOs sit on corporate boards, would that mean they have reached the right level? Well, according to Claudia Glover at the Tech Monitor website, out of 321 CISOs surveyed in 2021, only 12 of them actually have sat on those seats, about 4%. And those would be the exceptions. But she also says that Gartner predicts by 2025, 40% of companies will have a board member sitting on a subcommittee dedicated to overseeing cybersecurity risk. That would be the good news. 

Rick Howard: That said, I advise approaching that stat with some caution. Even if those positions do emerge in the next couple of years, it doesn't necessarily mean that a CISO or former CISO would fill it. Most of us have no idea how to calculate cyber risk. In fact, we've published multiple shows over the last few years on that topic, showing how to do it. The links are in the show notes. And I've even written a book with a chapter dedicated to the process. You can pre-order it now on Amazon. It's called "Cybersecurity First Principles: A Reboot of Strategy and Tactics." The point is that a board committee position that oversees cyber risk will likely look for business risk experience, not CISO experience. I'm just saying. 

Rick Howard: The role of the CISO started off well. Citibank hired Steve Katz to be the first ever chief information security officer in 1995 in response to one of the first-ever cyberattacks against the financial sector. Interestingly enough, Katz was not part of the Citibank leadership team when he took the position, but he was board approved and had their attention because of the breach. Back then, my peers in the industry who weren't CISOs yet because there weren't any - I didn't get my first corporate CISO gig until 2012, over a decade later - thought it was just a matter of time until CEOs elevated the CISO position to the leadership team. But that's not what happened at all. 

Rick Howard: When CEOs started hiring CISOs, they logically thought that they needed a leader who understood the tech. So they pulled from the technical teams to find those people. What happened immediately was that the technicians who managed networks, endpoints and help desk teams found themselves in charge of security with a lofty title of CISO. And that was fine for a time, but it shortly became clear to leadership that most of these people didn't speak business. They spoke in terms of ones and zeroes, firewalls and defense in depth, not quarterly analyst reports, GAAP and non-GAAP financial measures and EBITDA. These new CISOs came into leadership and board meetings spouting stats on unpatched vulnerabilities, malicious code and zero-day exploits, and the leadership team looked at them like the famous RCA dog Chipper looking confusedly at the sound coming out of the phonograph speaker in the 1950s TV commercials. 


Unidentified Person: As low as 27.95 at your RCA Victor dealer. 

Rick Howard: Like Chipper, they had no idea what the CISO was talking about, and CISOs didn't know what to say to make them understand the risk to the business. We didn't have the words for it. Most of us still don't. After a few years of this, CEOs started pushing CISOs further down the bureaucracy, usually to work for the CIO. Senior leadership knew that they needed somebody watching cybersecurity for them, but they needed a nerd buffer between them, someone who could translate the bits and bytes into business terms that they could understand. 

Rick Howard: The first-ever cybersecurity compliance law enacted anywhere was the United States Computer Fraud and Abuse Act in 1986, but it was designed to give law enforcement a way to arrest cybercriminals. In the late 1990s and early 2000s, though, we started seeing the first compliance laws passed designed to impact corporate environments. In 1996, we had the U.S. Health Insurance Portability and Accountability Act, HIPAA. It requires health care providers to protect the privacy and security of patients' health information. In 1999, we had the U.S. Gramm-Leach-Bliley Act. It requires financial institutions to protect the confidentiality and security of customers' personal information. In 2002, we got the U.S. Sarbanes-Oxley Act. It requires publicly traded companies to maintain accurate financial records and establish internal controls to prevent fraud. 

Rick Howard: In 2002, we got the U.S. Federal Information Security Management Act, FISMA. And it requires federal agencies to develop and implement information security programs to protect government information and systems. And in 2004, we got the global Payment Card Industry Data Security Standard, PCI DSS. And it requires organizations that accept credit card payments to protect the security and privacy of cardholder data. The result was that if one or more of these laws impacted your organization, somebody had to manage the internal compliance process. In many cases, especially in the financial and medical verticals, these tasks fell to the CISO. 

Rick Howard: Around the same time, a rash of high-profile data breaches became public knowledge, like the 2000 breach of egghead.com, the 2004 breach of ChoicePoint, the 2005 breach of CardSystems Solutions and the 2007 breach of TJX Companies. Compliance requirements and these worrisome data breaches may have also instigated the idea that instead of one CISO at the top of an organization by themselves, individual business leaders needed their own security officers, their own business information security officers, or BISOs. For example, at Amazon, let's say, the security needs for the retail website might be a lot different from the AWS product. Amazon business leaders might hire one BISO for the retail business and another one for AWS. They might report to the overall Amazon CISO to ensure that every organization in the company is following the same first principle strategies, but each BISO might select different first principle tactics that will have the most impact to their organization. A BISO is typically a midlevel manager or director for a specific business unit and communicates with the CISO to ensure that the business unit security initiatives align with the organization's overall security strategy. 

Rick Howard: After the break, we'll take a look at some of the relatively newer job positions that are available to people with CISO experience. Come right back. 

Rick Howard: Amazon launched AWS in 2006, and other vendors like Microsoft, 2008, and Google, 2009, quickly followed suit. And Apple released the first iPhone in 2007. The impact to organizations was that IT and security professionals, as well as business leaders, had to manage a Cambrian explosion of new technical innovation and data storage locations across multiple data islands, like mobile devices, cloud environments and the still existing and locally controlled data centers and headquarters locations. This was a scramble. Security practitioners went from managing one security stack within their own digital corporate landscape to multiple security stacks on each data island that they didn't explicitly own. It's what we call in the biz a paradigm shift. We thought that security was hard before. The Cambrian explosion exponentially exploded the complexity in our security environments, not to mention the complexity in our general purpose IT architectures. 

Rick Howard: CISOs and BISOs were now designing and implementing security stacks in all of these environments that didn't necessarily talk to each other. The cloud and mobile devices may have made employee and customer access convenient, but combined, they made it almost impossible to manage in the way we had been doing it before, with a lot of manual toil. Before the Cambrian explosion, if you wanted to update the tool configuration in the security stack, somebody logged into the device and made the change. That was fine when you only had three tools in the security stack, but with the Cambrian explosion, that number has multiplied. In a survey conducted by Panaseer in 2021, out of 2,100 security decision-makers across multiple verticals, the average number of security tools they buy and install is about 76. It's impossible to manually manage that tool set efficiently. Enter DevSecOps. 

Rick Howard: The DevOps movement really got its start in the early 2000s with Amazon and Google building infrastructure as code systems to support their growing businesses, but we didn't give it a name until 2009 or so when it emerged as an industry best practice out of three converging ideas - a 2009 Velocity conference talk called "10+ Deploys Per Day" by John Allspaw and Paul Hammond, the Agile development method from the early 2000s and the Eric Ries book "Lean Startup" in 2011. But the InfoSec community has been slow to adopt the methodology to manage the security infrastructure. Instead, we adopted helper tools like SIEMs, security information and event management, and SOAR, security orchestration, automation and response. We've pursued security orchestration platforms from big firewall companies that gave one interface to manage all the tools in the stack from a single vendor. But we didn't embrace the idea of infrastructure as code like our IT peers did, and the DevOps community completely forgot about us until the mid-2010s. John Willis, one of the authors of "The DevOps Handbook," said in an interview in March 2021 that everybody involved in the DevOps movement was patting themselves on the back by creating this great thing, but we almost completely forgot about security for eight years or so. People were talking about DevOps and security, but not with any detail. 

Rick Howard: And then around 2017, Shannon Lietz, then working for Intuit, staked a claim for the DevSecOps phrase. She created a foundation and a website dedicated to the purpose of putting security into DevOps. There was a little bit of controversy there because many in the movement thought they had invented the idea of security in DevOps. But according to Willis, none of that matters. By creating the foundation, she got the idea front and center again in both the IT and security communities, and DevSecOps started to gain traction. But even in 2023, DevSecOps is still almost at the starting line. In 2019, Gartner placed it as just coming out of the trough of disillusionment on their hype cycle for application security and gave it five to 10 years to reach the plateau of productivity. That said, DevSecOps is the answer to manage the complexity of the Cambrian explosion. If you have the resources, automation is the strategic first principle to pursue, and DevSecOps is the first principle tactic to get it done. In my first principles book, I dedicate an entire chapter to the subject, and the CyberWire has published two shows about it. Links are in the show notes. 

Rick Howard: On my first day as the CSO of Palo Alto Networks in 2013, I thought my work would focus solely on securing Palo Alto Networks' internal infrastructure. What happened immediately, though, was that the CEO started sending me out to customer meetings and speaking opportunities that he either didn't want to do or was too busy to do because, you know, he was the CEO. It turns out that from the sales side and marketing side, there was and is an inexhaustible need to have company executives go out in the field and explain what the company was doing and how the product set might help potential customer executives. Fast-forward to the end of my tenure, six years later, I had 15 former CISOs around the world doing that kind of work. Back then, there were a handful of security vendors hiring people for that role. Today, though, it's almost common practice for security vendors. The most famous example is probably Wendy Nather. She is currently the head of advisory CISOs for Cisco. And another frequent guest to the CyberWire Hash Table is Bob Turner, former CISO of the University of Wisconsin at Madison, but now is the field CISO for education at Fortinet. So if you like to travel - like in my six-year tenure, I did over a million miles on United Airlines - and you like to talk to customers about their security plans and you like speaking at conferences, the CISO evangelist role is another career opportunity. 

Rick Howard: In 2014, Jack Freund and Jack Jones published their book, "Measuring and Managing Information Risk: A FAIR Approach," and basically said that we were all doing it wrong. Instead of focusing on patching, compliance and the Cambrian explosion, we should instead be thinking about risk to the business. Soon after, in 2016, Doug Hubbard and Richard Seiersen published their book "How to Measure Anything in Cybersecurity Risk," and the die was cast. CISOs started to rethink their approach to measuring the effectiveness of their InfoSec programs. Instead of presenting to the board the number of unpatched vulnerabilities, we began learning how to calculate the probability of material impact to the business due to a cyber event as a first principle strategy and deciding which first principle tactics will have the greatest impact in reducing that probability. In fact, I've done four podcast episodes on the topic, and links are in the show notes. I'm particularly fond of the "InfoSec Teams Risk Assessment" and "Risk Forecasting With Bayes Rules" episodes. They tell you exactly how to forecast the probability of material impact to your organization due to cyber events. And of course, I dedicated a chapter in my first principles book to the subject. 

Rick Howard: The point is that this is a new kind of CISO - a CISO who embraces the idea of uncertainty and is comfortable with using analytical techniques like superforecasting and Fermi estimates to forecast business risk not with extreme precision but with enough precision to make resource decisions in terms of the people-process-technology triad. 

Rick Howard: In recent years, the InfoSec community has seen a raft of high-profile supply chain attacks from common software applications like SolarWinds, Okta and GitHub, just to name three. We've learned that cybercriminals, spies and hacktivists might have an easier time coming through a backdoor provided by a trusted software vendor than they would coming directly at us. Instead of the attack sequence including a phishing attack targeting the victim's employee base, the hackers compromise a service like Okta and ride through the victim's cyberdefenses camouflaged as product update deliveries. This has the added benefit that the hackers now have access to many victims, not just the one. 

Rick Howard: Software vendors have realized this too. And in order to shore up trust with their customers, some have started to roll out the position of chief security product officer, or CSPO. These positions require expertise in the software development lifecycle, secure coding principles, threat modeling, risk management, research and development and evangelism. According to Vince Arneja, a member of the Forbes Technology Council, the CISO and CSPO have similar skill sets but vastly different responsibilities. While the CISO's knowledge domain is wide, the entire enterprise, the CSPO's is narrow, one or more products. Think of the CSPO as the security advisor to the chief product officer. Besides the traditional CISO experience, the CSPO must oversee the security design decisions across the entire product lifecycle. This is a relatively new position, but a new way station on the cybersecurity career path. In fact, one of our regular visitors to the CyberWire Hash Table, Helen Patton, just recently took a CSPO position. She is the CISO for the Cisco Security Business Group. 

Rick Howard: I've been doing cybersecurity now for 30 years. When Steve Katz took the first CISO position back in the 1990s and the corporate world started to follow suit thereafter, I knew that was the job for me. I always thought it was the pinnacle of being an InfoSec professional. You learn the ropes by working the jobs in the various alleyways of the InfoSec community, and by the time you take the CISO gig, you're leading the people-process-technology triad for an entire organization. I knew that this kind of work was important and just assumed that corporate leaders would eventually come around to it, too. I assumed at some point, as a matter of course, that the CISO position would be part of the executive leadership team. For the most part, that's not the norm today for the majority of organizations around the world. As I said, there are exceptions - like for example, I'm on the executive leadership team here at N2K, but for the bulk of us, CISOs have not risen to that level of our organizations. 

Rick Howard: That's why this RSA presentation coming up in April is called "The Emperor Has No Clothes." The CISO is not the chief of anything in the same way that the CEO, the CFO and the CMO are. But I'm not sure that matters. I've loved cybersecurity since the late 1980s. The journey to get the experience necessary for a CISO job and the actual CISO job in particular is a fantastic career path. I will tell you this - it's never boring. 


Journey: (Singing) When the lights go down in the city... 

Rick Howard: And that's a wrap, not only for this show but for the entire season, Season 12 of "CSO Perspectives." We'll be on hiatus until after the RSA Conference, while we drive the interns down in the bowels of the Sanctum Sanctorum on researching and creating Season 13 that starts in May. In the meantime, if you're attending the RSA Conference, please come see me. I would love to see you there. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.