Читать книгу Cyber Mayday and the Day After - Daniel Lohrmann - Страница 15

While there are numerous management actions competing for attention, one clear priority that cuts across the public and private sectors is ensuring the leadership skills and capabilities of your team –especially the CISO or equivalent leadership role. To achieve any measure of success at dealing with cyber incidents, a CISO with the required background, accountability, training, real-life experiences, relationships, and tools to do the job is a must.

One such CISO is Mark Weatherford, currently the chief strategy officer at the National Cybersecurity Center and CISO at AlertEnterprise. Mark served previously as the deputy undersecretary for cybersecurity in the U.S. Department of Homeland Security (DHS) and vice president and CSO for the North American Electric Reliability Corporation (NERC), in addition to other senior leadership roles in cybersecurity.

While Mark was the CISO for the State of California in the mid-2000s, he experienced what organizations should not be doing when hiring for this vital role.

Because Mark was the first CISO in the state, it was important to him to put a face to the name of cabinet secretaries and agency heads. As such, he made the rounds to visit each of them and also to tell them about the governor's vision of Mark's statewide role and what he hoped to accomplish across state government. Mark also offered his assistance in everything from procurement to policy development to technology infrastructure to staffing. His proactive outreach seemed to be well-received and generally met with enthusiastic support.

At the same time, Mark also met the security leaders and their teams at all of the agencies. During the mid-2000s, almost none had a formally appointed CISO, but most had someone they could point to and call their security leader.

One exception was a large agency with significant citizen privacy responsibilities. Chief privacy officers were even more rare than CISOs at the time, so privacy issues were typically part of the CISO's portfolio of responsibilities. When Mark met with the leadership of this particular agency, he encouraged them to fill the CISO/security leader role as soon as possible since they were accepting a significant amount of risk by failing to have a single point of contact to guide the security and privacy efforts of the agency.

Mark recounts what happened next:

“A few months after the conversation with this agency head, I received a call from someone who said they had just taken the CISO role at this agency and would be very interested in meeting with me to understand how they could quickly integrate into the statewide security leadership group. I remember thinking how odd it was that, even though I had no real authority within this agency and they were under no formal obligation to ask my opinion, they had hired a CISO without consulting with me about writing the job description or even being part of the interview process. Red flag number one.

“When I met the new CISO for the first time I was impressed by their attitude and enthusiasm to pitch in and help me, as we were educating the legislature, crafting statewide security policies, and realigning statewide procurement of security products and services. Once again, however, I remember having a strange feeling that this person didn't seem to really have the kind of experience you would expect for someone taking over the security and privacy responsibilities of a fairly large organization. Red flag number two.

“We developed a pretty good rapport and began speaking once or twice a week when one day several months later I called this CISO but they were out of the office. I left a message to call me back. A week later I hadn't received a call back so I called again and left another message. Another week went by and no call back so I walked over to the agency and asked a receptionist about the CISO. My antennas immediately began wagging when the receptionist appeared nervous and I could tell they didn't want to talk to me. This was truly odd and … red flag number three.

“I walked back to my office and set up an appointment to meet with the agency head. As I walked into their office the following day, I could immediately tell something was askew. The agency head told me in an extremely embarrassed tone that the CISO was no longer employed there. Of course I was shocked and employed my best negotiation skill of sitting quietly, saying nothing, and waiting for them to talk. The rest of the story was slowly revealed.

“In their haste to hire a CISO, this agency had posted a job description, interviewed candidates, and hired a CISO – all without ever conducting a background investigation. Several months after hiring the CISO, a law enforcement organization met with the agency head and informed them that their new CISO had just been released from prison after serving a term for embezzlement. The CISO job was their first employment following a multiyear prison term. The agency head was personally mortified telling me this story and I can only imagine the look on my face as I heard the tale. They kept saying how embarrassed they were since I had offered to help them with hiring a CISO and they simply forgot in the urgency of filling the role.

“This is easily one of the most extreme examples I've been involved with where a simple background check could have eliminated a serious headache, but it is also one that taught me a good lesson. Not checking all the boxes during a critical process like hiring can be very painful.”

No doubt, Mark's story highlights that building the right team to lead the overall cybersecurity program is a complex, difficult challenge. Beyond the CISO, most midsize and large organizations employ managers and/or directors to lead cybersecurity incident response and coordinate with the wider emergency management team throughout the enterprise.

We cover much more about this in Chapter 4.