Advice for Aspiring CISOs

There are many skilled and intelligent people who aspire to become a Chief Information Security Officer (CISO). I have some career advice for them: Don’t aspire to be a CISO. Instead, seek to be the best professional at each step in your career. Those of us who do become CISOs do so because we have a…

What Is at the Center?

I have gone back and forth for a long time. Should security be risk-centric or data-centric? Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism). Certainly there used to be network-centric views of security but they…

Patch Yours

Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sysadmin about the importance of patching. It’s been a long time for me but the memory…

Security Metrics Can Make or Break a Security Program; How to Present to the Board

CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?” These questions sound simple, but are quite difficult to answer accurately. The quick answer to the question would be, “We are more secure today than we were before and are…

Marketing Information Security at Tractor Supply

To Michael Mangold, the CISO of rural lifestyle retailer Tractor Supply Company, located outside Nashville, Tennessee, the most important skills for a CISO are not only technical. While his background includes technical qualifications and certifications, and the ability to evaluate new and emerging technologies and risks, Mangold also relies on his background and training in…

Privacy By Design Is Still Imperative

Each year brings more large-scale security and privacy breaches, leaving the general public questioning to what extent companies can be trusted with their sensitive information. Retail, health care, banking, entertainment, governments – no industry is left untouched. Security and privacy must remain top of mind within every organization as both are essential in safeguarding data, protecting…

NIST Cybersecurity Framework, Beyond Version 1.0 – Part 3

In this series I take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. Read Part One ‘All Infrastructure and the NIST Framework’ and Part Two ‘Hackers Are Not Afraid of Frameworks.’ There I was preparing part 3 of my close reading of the 2014 Framework for…

The Human Element of Incident Response – Part Four

There is an extraordinary amount of money and time spent on detection and response in cybersecurity, and much of this conversation is technology-focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the…

How to Unlock Cybersecurity Talent

Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “Mitigating the Cybersecurity Skills Shortage,” highlights the worldwide shortage of one million information security professionals. It sends out a disturbing warning to the cybersecurity industry to bridge this gap immediately or face consequences with significant costs. There is no…