Notebook: CISOs Talk About Backgrounds, Industry Threats

Dan DeFrancesco puts together some of the best quotations left over from his feature on the rise of CISOs.

Mark Clancy, DTCC CISO, talks about using the Richard Clarke model for describing people looking to attack firms.

For the April issue of Waters, I put together a feature detailing the rise of chief information security officers (CISOs) at firms in the financial services industry.

I was fortunate enough to speak to seven CISOs at a variety of firms. When working on a feature, to pull a phrase from moviemaking, a lot of good material ends up getting left on the cutting room floor. So, instead of just letting all those good quotes go to waste, I figured it would be worth it to pull together a compilation of some of the best material that didn't quite make it into the story.

For the entire feature, click here. Also, be sure to check out its accompanying piece on the amount of value CISOs put into information sharing.

The background of a CISO

Bob Ganim, Neuberger Berman

"I'm seeing more and more break between the CISO who is the total technologist, the engineer type, to the one who is the business person. The one who understands the way the firm works, the different businesses that the firm conducts and the risks of the firm. So, I'm seeing a bit of a break there. It's more of a business person, with a technical and security background, obviously."

Mark Clancy, Depository Trust & Clearing Corporation (DTCC)

"Generally, I think it's people who have come out of the IT universe from a technical role and they kind of gravitated to the security topic because of its intellectual interest. They kind of worked through, either on the IT side or the info-sec side, to get towards the CISO world."

Jim Routh, Aetna

"My own perspective is that what's a necessary ingredient in the commercial sector for a CISO is someone that understands IT and the way IT is managed in the commercial sector. I think that's really helpful. About 70 percent of controls for information detection are directly related to core IT business practices, and so I call them IT hygiene. Good IT hygiene. In other words, if we bake controls into the critical functions and processes of delivering commercial technology to an enterprise today, that deals with about 70 percent of what the banks have to do well."

John Masserini, Miax Options Exchange

"There is the saying for security that 'Security isn't a technology problem; it's a people problem,' which is absolutely true, but it's also completely wrong. The reality is it is technology. We have to understand technology. We have to understand how infrastructures work. How networks work. We have to understand the basics of the attacks. Even if we have a team of ten people or 1,000 people, I still need to be able to articulate what is going on and what we're battling to my executives, my board members and my auditors, because they're not necessarily technical people. I think you need some sort of technical background."

Todd Scharf, US Securities and Exchange Commission (SEC)

"I know CISOs that have come up through the ranks and were very young and inexperienced technicians, but gained the security knowledge and rose up through the ranks. I think a lot of rising up through the ranks is because of their communication capabilities. I know others that are academics that come in and have been really very successful at running security programs.

"I think the backgrounds are varied, but I think the common set of skills that need to be brought into place are the skills that are being acquired as they move up through the ranks. A lot of those are the communication skills, business skills and understanding the business environment. I think it's critical. You can't adequately relay risk without understanding your business."

Threats to firms

John Masserini, Miax Options Exchange

"I'll tell you that law firms are highly targeted right now and highly valued because they have all of the merger and acquisition information. A lot of firms will outsource their legal or at least hire outside counsel. It's few and far between when you have a legal firm that actually has a strong security program. So they're now targeted because any lawyer who gets an email with a PDF attached to it that says 'This is a court-ordered document,' they're going to open that document up. That's their job. It happens every day. So they're able to get into these places and then work backwards."

CISO at US hedge fund with over $10 billion in assets under management

"I do think hacktivist collectives, like Anonymous, have reasons to come after us now. Maybe not necessarily a legitimate reason, but, in their minds, they have reasons to come after us now. I do think the organized criminals are getting smarter about where the money is, and they all have reason to come after us.

"And I think insiders in general do too. Your insider threat is mostly employees who feel wronged by the organization and want some retribution. It is employees that are leaving and want to take sensitive information with them to their next job. Things like strategies, investor lists, etc. And that's a very real threat too.

"So, attribution is very tough during an incident. When you experience a breach, figuring out who did it is one of the hardest things to do. Following up on that with some kind of prosecution is even a million times harder."

Mark Clancy, Depository Trust & Clearing Corporation (DTCC)

"I use the Richard Clarke model for describing the types of bad guys: Criminals, Hacktivists, Espionage and War (CHEW). Every company faces all four of those groups in dissimilar amounts.

"If you have a ton of criminal threat activity, then you're going to bias your responses, rightly, to those types of threats because those are the things you see with high frequency and high impact, potentially. Whereas if you're an oil company, maybe you don't really see that, but you see a lot of the nation-state-type threats. So you've got to create your capabilities to your threat profile in line with what your company's mission is about."
