
“A Tough Corporate Job Asks One Question: Can You Hack It?”

No, it is not the recommended tomato/tomahto pronunciation of CISO. And it is not even the failure of the Times to recognize that in this area, higher education has long been ahead of the curve, a result of the early DARPA/Internet collaboration that recognized network and technical security as a distinct area of expertise long before the role became instantiated in the private for-profit sector. It is the implicit reductionist assumption that the "Internet" is only a technology. The cure for its criminal ills is therefore thought to be singularly technical. No wonder the story ends with the well-worn three-envelope joke that concludes with the predictable "prepare three envelopes."

Every CISO who does security can recite the "confidentiality, integrity, and availability" mantra. If your CISO does not also whisper the trope "administrative, technical, and physical" in their sleep, hand them the third envelope. Technical security without administrative and physical controls protects next to nothing on the contemporary Internet. The Internet is not singularly a technology but a communication medium for information that is valuable to criminals precisely because it is valuable to the global economy.

Administrative, technical, and physical controls without governance, compliance, and risk management intertwined in their everyday practice are most assuredly a losing game, not only for the CISO but also for the institution. Those controls require a harmonized business environment to be meaningful. And governance, compliance, and risk management without training, education, and communication are too insular. Think of nesting dolls, each layer enclosing the next, reaching all the way to the weakest link in your user base when scoping out the security mandate.

It is strange that the article did not even mention the word privacy, strange because the private, for-profit corporate world has long hired Chief Privacy Officers and incorporated privacy practices into its business processes for all kinds of business intelligence, intellectual property, and compliance reasons. "Information stewardship" is the missing piece of this puzzle.

Billions of dollars and many pink slips later, I guess we all still have a lot to learn. And so I will conclude with my own hackneyed joke, the one about how to get to Carnegie Hall. In the midst of this challenge, we must continue to practice, practice, practice.
