Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
4 Basic Principles to Help Keep Hackers Out
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 7:52:42 PM
Re: CIO-CISO conflict
@Christian: Alas, the trend of high-level execs simply outsourcing anything cybersecurity-related wholesale -- strategy and all -- without much forethought -- continues, as I recently observed for a Dark Reading sister site here: securitynow.com/author.asp?section_id=613&doc_id=738870

While I generally agree with you, I will say that one thing that concerns me about stereotypes and stereotypical perceptions is the generalized notion (certainly not all of them) of hackers and IT admins and devs pooh-poohing the lawyers and compliance peeps, which could be problematic for a CISO if that view pervaded to that level.

Of course, technically, security, compliance, and privacy are all three separate circles on the Venn diagram of data stewardship... perhaps we need a Chief Data Steward to oversee -- or, at least, help integrate -- all three.
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
7/6/2018 | 3:26:53 PM
Re: CIO-CISO conflict
To Joe's point, as a past code-monkey I definitely was guilty of seeing CISO leaders as just another C-Level lackey.  I've been reading a lot more articles the last couple years that identify the role of CISO of suffering not only in that area, but also from the general perception that the real InfoSec knowledge sits with lower-level managers and hackers.  When I was younger, we saw the C-Levels pimping expensive software packages, trying to fill gaps in process with bloatware and 3rd party vendors.  From my perspective, the real talent reading whitepapers, following cutting edge tech from visionaries and testing out new code ideas in virtual environments were the grunts in the code trenches, not the C-Levels, not the CISOs, but the front-line cyber defenders who never slept, never wore a suit, and so on.  I could point to plenty of CISOs now who came up from those trenches and have earned respect and the right to be heard, but in the overall business model, I'm afraid the CISO is still not seen any differently than the rest of the often disposable and (frankly) figure-head C-Level roles.  I think if that role were carefully trimmed and only truly qualified and knowledgeable hackers were placed there, the idea of the CISO as a "lackey" or "underling" might fade and the industry also start moving away from the C-Level chains that so many Enterprise organizations still suffer from.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
7/5/2018 | 2:28:26 PM
CIO-CISO conflict
Unfixed flaws and unpatched vulnerabilities will remain an issue as long as the CISO is treated as some sort of underling -- whether a direct report or not -- to the CIO. The CIO is judged against business agility objectives, which can run completely counter to the interests of the CISO's office.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...