Today’s CSOs Must Confront Cybersecurity

• By Steven Titch
• Nov 15, 2007

File this one under “Missed Opportunities.”

In a three-part report that ran November 11-13, the San Jose Mercury News extensively detailed the increasing threat, cost and liability U.S. enterprises face from cybercriminals.

In the second part of his report, titled “How Well Are We Protecting Ourselves?” author Ryan Blitstein recounts a telling anecdote.

When Rick Wesson founder of Support Intelligence, a cybersecurity consulting firm, determined that online criminals were hijacking several Oracle computers into robot networks, or “botnets” and using them used to distribute malicious email to PayPal customers -- most likely “phishing” schemes aimed at fraudulently acquiring account information and passwords -- he notified Oracle’s chief security officer. Her course of action was to direct Wesson to the Oracle’s physical security group that, in Blitstein’s words, “manages the door locks and cameras, and watches the parking lot.” In the end very little was done about the intrusion.

Perhaps Oracle’s CSO thought she was doing the right thing. But the greater lesson here is that a C-level security manager at one of the largest high-tech companies in the country did not understand the significance of the attack nor seemed to be properly prepared to handle it.

At the same time, I think Blitstein was a bit harsh in dismissing the security operation as merely door locks and cameras. Anyone in this industry knows that enterprisewide physical surveillance and security is a sophisticated task. Nonetheless, it’s clear that that’s where the Oracle CSO saw as the boundaries of her job, and that’s where the organizational flaw was.

Cybersecurity and physical security are two sides of the same coin. Just as pertinent to this story is the fact that when Wesson picked up the phone he called Oracle’s CSO, not the CISO or the vice president in charge of Information Technology. CSOs still manage the first line of defense of their enterprises. Wesson, an IT security expert, acknowledges that by his choice of contact.

This presents both an obligation and an opportunity. The obligation is to understand the nature, extent and significance of cyberthreats, even a botnet. A few computers sending out spam may seem harmless to many organizations, Wesson tells Blitstein, but compromised corporate machines could allow thieves to access documents containing trade secrets, insider data in executives’ e-mail, and databases of private employee information.

Moreover, an attack is not a sign of weakness or poor security, and should not be held against a CSO. The CSO must be part of the solution. The challenge of cybercrime is that as fast as vulnerabilities can be countered, new vulnerabilities are discovered an exploited. Symantec estimates 4 percent of malicious Internet activity comes from networks of the nation’s 100 largest companies.

The opportunity for CSOs, already experts in building physical perimeter defenses, is to understand how the growth of cybersecurity threats expands their role in the defense of virtual perimeters -- namely the computers and servers that comprise an enterprise’s gateway to the global information network.

The tools are different, but the same strategies apply. IT managers understand the threat and tools, but don’t always appreciate the strategy. CSOs, on the other hand, grasp the strategy, but sometimes are intimidated by the tools. Suffice it to say: For everything that CSOs do in the physical world -- surveillance, identification and authentication, intrusion detection, response and isolation, there is an analogous function in the IT realm. The learning process requires understanding these tools and functions and how to apply them -- but that’s purely tactical. Dollars to donuts, I would say a CEO is more receptive to a plan that addressed enterprisewide security -- physical and virtual -- than a jargon-heavy document that IT departments often try to substitute for clear thinking.

The real problem at Oracle was that the organization failed to see cybersecurity as part of the CSO’s role. It’s up to the CSO to know that security threats have changed, and that begins by understanding and communicating to an organization and culture that today’s enterprise security takes in more than door locks and cameras.

The San Jose Mercury News’ series on Cybercrime can be found at http://www.siliconvalley.com/ghostsinthebrowser/ci_7408419.