There was a lot of bustle about the LinkedIn data breach, and specifically about the lack of the CISO and CIO at the LinkedIn organization - which made me think... does an enterprise require a CISO, or even a CIO?
A story on the publication BankInfoSecurity makes it clear with a quote from a LinkedIn spokesperson - "We don't currently have executives with those specific titles, but David Henke, senior vice president, operations, oversees the functions".
The question becomes, does a company need someone with a CIO or a CISO title to have a well run IT organization and good security?
On the one hand, it's important to have information leadership in a singular role, separate from the role responsible from the security of the organization. On the other hand, if what your organization is depending on is a title and now a holistic cultural thinking, then you'll always have security as a bolt-on anyway.
Surely there are many types of organizations. Surely some need the rigor of having a formal information security officer (CISO) role defined and responsible for the security-related decisions of the organization.
In fact, I would argue that most organizations are of this type... and that when security isn't explicitly called out it can easily be relegated to the back corners of the operations functions or the architecture organization or worse.
When security isn't explicitly embodied in a warm body it's easy to push it out of your mind, I can certainly attest to that. Someone has to make the tough choices, push policy and be unpopular, right?
Someone has to be the fall-guy or fall-gal when things go wrong... and someone has to lobby for the protection of the organization. At least... if good security isn't part of the culture.
Are we then ready to accept that it's not OK for an organization to leave the role of the CISO out? I'm not sure I'm ready to go there yet.
What happens when an organization has no formal CISO? Can security still survive? Is a breach imminent like with LinkedIn? I don't think so, the situation in IT can't be that dire. Can it?
I don't buy it, I just don't buy all the cynicism. Not salting hashes is a mistake many organizations make... if you're willing to challenge that look inward first. I don't believe that the culture at LinkedIn is so poor that it requires the role of a CISO to insert security into the IT and business consciousness.
In fact, I don't believe that the culture in any organization I have known is so bad that defining a CISO (or not) will make a difference one way or another. The security of an organization just cannot come down to 4 letters - CISO.
I've been having a ton of conversations lately about how more often than not these days a CISO is set up to fail based on those 4 letters... so when he or she doesn't exist does it really matter if the organization simply doesn't care about security?
Are you can probably see - I'm torn. I'm clearly not a CISO cheerleader simply to have a role (we call that the Chief Fallguy), but if this is what drives better security (or any security) then you need to have the role.
Given that I don't know enough about LinkedIn's structure or organization (or at least not enough that I can write about) I don't think I'll be joining the outcry against their not having a CISO.
In the analysis of it, every organization needs to have someone responsible for the technology-based risk or "security" of the organization. Whether that's the Technology Manager, the CISO, or the "IT guy"... I just want to see better security, more resiliency, and less technical risk.
Isn't that what we all want?
Cross-posted from Following the White Rabbit