The late, great Robert Garigue posited two models of the CSO - the Court Jester model and the Roadkill model.
The Court Jester:
Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around, but how much security improvement comes from this?
Then we have the Roadkill Model:
Changes happened faster than he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to end a promising career
Sad to have around, but how much security improvement comes from this?
These are from a talk Garigue gave in 2004, but the models still resonate today. CSO behavior often falls into one of these two groups, and unfortunately so do the knock-on effects on the efficacy of the often muted short- and long-term improvements made by the security team.
So the roles are similar. What has changed, if you compare 2004 to today, is the orders of magnitude more time, attention and resources that go into security. To cite just one recent example,
"Cybersecurity was something Ciena Corp.'s chief financial officer could usually delegate when he joined the network provider six years ago. Now, he spends as much as 10% of his time making sure Ciena and its technologies are protected from hackers, cutthroat competitors and other potential cybercriminals."
Suffice it to say, back in 2004 CFOs were not dedicating anywhere near 10% of their time to infosec!
So businesses are putting far more time, attention and resources into infosec, but has the security organization really evolved? Are we giving better answers, ideas, and solutions? Are we building and operating better software? More to the point of this post: are there ways to get better value out of the increased attention from the business side, and at the same time avoid the Court Jester and Roadkill role models?
Robert Garigue had some pearls of wisdom here as well, in the form of a better model for the CSO: Charlemagne, King of the Franks and Holy Roman Emperor, conqueror of the Lombards and Saxons (742-814), who reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guarded the frontier districts of the empire. Within their own jurisdictions, Margraves retained the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.
The clarity of thought in Garigue's example is instructive: focus on education, decentralization, and communication. I simply do not see this model being followed enough. It's Why We Train, but the lessons go well beyond that: working to ensure security teams are focused on the important things, not just the urgent ones, and building real partnerships with business, dev and ops. This integrated approach makes the security team a long-term strategic partner.
For me, Garigue's insight into security teams, process, and why certain technologies were important connected a lot of dots. But his work resonated even more in that he did not just talk about the what, he also gave great ideas on the how. With all that's remained the same in terms of roles in the nine years since Robert Garigue gave this talk, and all that's changed in terms of opportunities to do it better, I really would love to hear what he would have to say today.