While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few.
As the latest breach at broadband provider TalkTalk descends slowly into farce, the perils of relying on the CEO to fill these shoes become apparent. Almost one week on from the initial attack many important questions still remain unanswered or answered in unacceptably vague or contradictory terms.
The “significant and sustained” attack against TalkTalk was initially characterised as a Distributed Denial of Service attack. Commentators rightly pointed out that a DDoS in itself does not lead to information theft and that there must have been another element to it. Later reports appear to confirm that the theft was the result of a simple SQL injection attack. At a technology company! Affecting 4m people! In 2015!
TalkTalk are still unable to confirm which and how much data was encrypted. In addition to personal information including name, address, date of birth and email address, the breach also exposed financial data. The CEO initially said that they “didn’t know” if this data was encrypted or not (How can this be the case?). Now, it appears that “only” the first and last digits of credit card data may have been exposed. Of course this still carries risk, think how often those “last four digits” are requested as verification data. Since then Baroness Harding has even gone as far as the last refuge of the wicked, legislation, claiming in an interview with The Sunday Times (paywalled) that TalkTalk is under no obligation to encrypt credit card data. Really? I think that the PCI-DSS may well dispute that point with you, not to mention your customers.
Ah yes, the customers… Those four million people who will now be finding that their names, addresses, contact information and dates of birth are far more difficult to change than their credit card details (or their broadband provider) and that a year of free credit-monitoring involves entrusting yet another corporate with all their extremely sensitive information.
The handling of the breach illustrates that the role of the CISO is never a purely technical one; the CISO also owns the breach response plan, an important aspect of which has nothing to do with technology and everything to do with communications. How do you inform your customers and when? How do you engage law enforcement or forensics? What information do you need always to have to hand about the care and sensitivity with which you treat the information that has been entrusted to your organisation and how do you sensitively, accurately and promptly convey this?
Rule 1: It’s not all about you. To say, “I’m a customer myself of TalkTalk. I’ve been a victim of this attack” is crass and insensitive in the extreme. To include an assertion in your FAQ that you have not breached the Data Protection Act is both short-sighted and ill-informed, as I addressed in this piece for The Guardian.
This apparent lack of plan, this visible lack of any senior Information Security management team could well be the eventual downfall of TalkTalk, time, the markets, the regulators and their customers will decide. We could be watching the first major corporate disintegration as a result of data breach. Welcome to the future.
So, assuming you have or are planning to hire a CISO, to whom should they report? In too many organisations the CISO is still reporting to the CIO despite the frequent pitfalls. This reporting structure can be counter-productive. The question of reporting lines is often a source of friction and can really only be answered if you have managed to effectively differentiate and delineate your CIO and CISO roles.
Job descriptions are slippery amorphous things, so in the interest of impartiality I’ll use Wikipedia’s definition. CIO is “a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals”, whereas CISO “is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected”.
When put this simply, the conflict of interest in having a CISO report to a CIO becomes very clear. The person responsible for ensuring organisational information security can not be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda. An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best of breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis; neither one being able to pull rank on the other.
In the case of a conflict arising between the two, which cannot be resolved through discussion the final say must comes down to business risk and operations, requiring the involvement of COO, CRO or even CEO depending on the organisational structure.
Security should be a regular boardroom agenda item and it is only through the checks and balances of the independent CIO and CISO that it can be effectively addressed.