Published on Security Incite: Analysis on Information Security (http://securityincite.com)

2008 DOI: Day 2 - It's time for an audit revolution

By Mike Rothman
Created 2008-02-13 14:45

2007 Incite: CSO Next

A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSO.

2008 Incite: It’s time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.


Back in September, I addressed a chapter of the Institute of Internal Auditors. My goal was basically to help them understand the mindset of the security professional, and how the technical CSO needed to transition into the CSO Next (described in 2007’s Incite) and why the auditor was a key cog in that wheel.

It worked. This was one of my favorite speaking gigs of the entire year. The internal auditors were both shocked and appalled at how difficult it is to be a security professional, and how many counter goals and incentives are in place, which all too often makes the job of security a lose-lose endeavor.

The auditors also empathized with how acrimonious the relationship between security and audit had become. Kind of like the image at left. That's what most security folks feel like when they get out of the audit. But the conflict and friction took its toll on the auditors as well. They felt it every time they sat down with the security folks, and for the most part they couldn’t pinpoint why it had gotten to that point.

Just as last year’s Incite was a call to the masses to get past our technical heritage and start thinking about security within a business context, the 2008 Incite is a similar call to action. We, as security professionals, need to understand auditors are on the same team as we are. We both want the same outcome, and that’s to have a strong security posture and protect the critical assets of the organization. It’s as simple as that – it really is.

Security folks tend to be proud people. We fight the bad guys every day, and as every good warrior is prone to do – we don’t like to admit weakness or ask for help. Unfortunately that usually ends up with the security person being thrown out of the car at a high rate of speed once something goes south. It’s a pretty unpleasant experience.

It doesn’t have to be that way. We can (and must) start treating the auditors as peers. We need to realize they see a lot more stuff than we do. That means they can actually help. We need to stop being perceived as infallible, which results in a largely defensive position. We need to start asking questions and listening.

Sure, the auditor may be wrong, but then again – maybe they aren’t. If you have your blinders and earmuffs on and your head in your backside due to some misplaced sense of hubris – you’ll never know. Since we are coming up on Valentine's Day, maybe get your auditor a box of chocolate or something. OK, I'm sort of joking, but not really. If you start the audit on a positive note, it goes a lot better.

Finally, I’ve also made a significant “evolution” of my position relative to compliance. For the past number of years (actually as long as I can remember), I projected compliance was a flash in the pan. And it really should have been. You don’t buy compliance, you buy (and implement) security. I always advocate a “Security FIRST” mindset, because if you are secure (to the degree that’s possible, anyway) – then you are very likely compliant as well.

Now I’ve come full circle, largely driven by being thumped on the head for years about my compliance position. I’m finally ready to embrace what many of you probably figured was inevitable. There always seems to be a new regulation coming down the pike. There will always be auditors showing up and assessments relative to a specific regulation to complete. So compliance is a fact of life for the security professional; we may as well make the best of it and figure out how to best use the compliance budget to get what we really need, which is good security.

Source URL:
http://securityincite.com/blog/mike-rothman/2008-doi-day-2-its-time-for-an-audit-revolution