The paycheck is big. The career security is great. But the headlines are a headache.
The job is to guard the key digital secrets of a major organization, perhaps proprietary manufacturing methods of a company, or health records of a hospital system. Or credit card information at a major retail chain. Tolerance for failure is nil.
Yet hackers worldwide are on a tear, and breaches occur at a quickening pace. If something goes wrong, the chief information security officer, or CISO, gets the blame.
“Being a CISO means keeping that resume polished,” said Chase Cunningham, a security and risk analyst at Forrester, a technology research company in Cambridge, Massachusetts.
Equifax, one of the nation’s big three credit bureaus, announced Sept. 7 that it had been hit by a massive breach, and a week later it said its chief information officer and chief security officer had resigned. That didn’t calm the storm for Equifax, which guards the personal financial history of half of America, and chief executive Richard Smith was forced out Monday.
It is little wonder that some qualified people won’t take jobs as chief information security officers. Among them is Cunningham, a cyber ninja with a doctorate in information security, a background at the top-secret National Security Agency and an acute sense of how to fend off the bad guys. Cunningham said the job involves “guaranteed failure.”
“It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come even though it’s a guarantee that (they) will happen at some point,” Cunningham said.
“It’s like playing chess with a blindfold on,” added Cunningham. “You cannot win.”
Tech honchos blame their higher-ups — the bosses who don’t understand the threats, don’t want to spend money in an area that has no apparent return and don’t want to take responsibility when things go awry.
The job of CISO (pronounced see-so) used to be the digital equivalent of stocking the moat around the castle with crocodiles and making sure the drawbridge functioned.
“In the past, it was about defending the perimeter,” said Godfrey R. Sullivan, a former chief executive and current chairman of Splunk, a San Francisco company that produces software to analyze high volumes of machine-generated data.
But Sullivan said conditions have changed. Most likely, hackers have already gotten past the perimeter and reside in target networks.
“The bad guys are in your building,” Sullivan said. Information security officers nowadays have to hone their skills at continuous analysis of data entering and leaving the networks, he added.
Indeed, breaches may be inevitable.
“The long-time folks have been saying, it’s not ‘if’ but ‘when,’” said Rich Barger, director of security research at Splunk.
CISOs get in trouble, Sullivan said, when they discover breaches and don’t act quickly. That may have happened at Equifax.
According to security researcher Brian Krebs, one of the vulnerabilities of Equifax was at its Argentine operations, when hackers discovered they could access its website by typing in “admin” at login and “admin” at password. Another vulnerability involved failure of Equifax to patch a known security hole in its website application software that came to light in March.
“They say that happened in March. Well, what happened between March and now?” Sullivan asked.
For those caught by headline-grabbing breaches, job security may be shaky but a shortage of experts in cybersecurity is such that landing another job is nearly assured. “It’s not hard to get another job as there are plenty of them out there, and honestly its ‘good’ if you have been through a breach, but it sure isn’t painless,” Cunningham said.
Adding to the difficulties of guarding digital storehouses, experts say, is a deluge of threat intelligence reports. Alerts come in all day long of potential vulnerabilities in software and types of malicious code.
“There’s a ton of cyber threat intelligence out there,” said Christopher Wlaschin, the CISO at the Department of Health and Human Services, noting that some of it is little more than snippets of suspect malicious code. Wlaschin spoke at the ICIT Cyber Intelligence Briefing in Washington this week.
Hackers are constantly evolving, and adopting new techniques, targeting new things, making successful defense a temporary — and perhaps unnerving — condition.
“So it’s constantly a game of whack-a-mole,” said Ron Plesco, who works in the cyber response service at KPMG, one of the big four global auditing companies. “This is my opinion. I look at the cameras and smile because my corporate overlords are going to be watching.”
When a serious breach comes to light, executives want someone to blame.
“Fingers point to the CISO,” said Travis Farral, director of security strategy at Anomali, a Redwood City, California, cybersecurity company that offers a threat intelligence platform. “Who’s the CISO, you know, and what did they do? Is there evidence of their pounding their fist and saying, ‘Hey, we need to fix this?’”
Farral said information security officers who manage the techies on their team with appropriate caution about the gamut of threats often do better.
“They are responsible for the culture of security within an organization. They have the ability to have a voice with senior leadership,” Farral said. “Those who are effective at doing that stay out of the news.”