CISOs Can't Afford to Be Too Nostalgic
Finding One's "Worth" in Change
CISOs today can't afford to be too nostalgic.
A decade ago, like many chief information security officers, Eddie Schwartz focused his information security efforts at Nationwide Insurance on defending the perimeter. His thinking has changed with the times. Not all CISOs, though, have adjusted.
"If I came into this job thinking the way I once thought, I'd be worthless," says Schwartz, who for the past 13 months has been CISO at security products vendor RSA. "If your playbook as CISO has not changed in the last seven years ... you're in deep trouble."
Schwartz, in a conversation I had with him (the audio will be posted shortly), cautions his fellow CISOs not to be tied too closely to specific guidance and processes developed at a time when different types of threats dominated.
"If you're just trying to match up your security programs to ISO 27001, and that's your sole objective, or follow some methodology that's 10 years old, it's not going to get you where you need to go necessarily relative to facing up to advanced adversaries," Schwartz says.
"Now, I'm not saying you drop ISO 27001 or you drop your firewall, but what I am saying is that ISO 27001 is great for helping you establish a benchmark for pre-breach tooling, but it shouldn't be the full factor in determining what you should spend your time and money on in your security program."
RSA recruited Schwartz as its CISO after a massive, advanced persistent threat breach against the security vendor's SecurID two-factor authentication product in 2011 [see RSA Says Hackers Take Aim At Its SecurID Products]. Schwartz had been serving as the chief security officer at NetWitness, a networking security provider that, like RSA, is owned by EMC, the data storage and services company [see RSA's CSO Tells Why He Took the Job].
To mark a year at RSA, Schwartz agreed to an interview. The first part of our conversation has been posted: CISO Success Requires Collaboration. Be on the lookout for part two of the interview: Eddie Schwartz on His Year as RSA's CISO, which will be posted in the coming days. I'll provide the link once that interview is activated on our website.