Dan Blum is an internationally recognized expert in security and privacy and the author of the book Rational Cybersecurity for Business. On this episode of IT Visionaries, Dan has an honest and thoughtful conversation about why the role of the Chief Information Security Officer is often buried within IT departments, the importance of buy-in among leadership, and why zero trust is not the best answer in every use case.
3 Key Takeaways
- The role of the Chief Information Security Officer is often buried within IT departments and therefore does not receive the resources it may need
- Zero-trust philosophies are commonly adopted, but they are not the best path to take in every scenario
- There is no streamlined one-size-fits-all approach to risk management — you need to understand your technology, company and the risks associated with each and make the best decision possible
For a more in-depth look at this episode, check out the article below.
Dan Blum is an internationally recognized expert in security, privacy, cloud computing and identity management. Over a career that has included stops in the private sector and as a consultant, he has focused on helping companies manage risk and improve security leadership. He joined IT Visionaries and discussed why the role of the Chief Information Security Officer has been slow to catch on, why a zero-trust philosophy is not always the best method, and his new book, Rational Cybersecurity for Business.
“As I got back into consulting projects for large companies, I rediscovered something I’d seen earlier in my career,” Blum said. “The extent to which the technical projects I was on struggled because of organizational issues and office politics, budgets and stakeholder buy-in and things like that, and that’s why I decided to get into my latest project.”
That latest project is Blum’s new book, Rational Cybersecurity for Business, for which he interviewed more than 60 business and security experts. The book was years in the making, and throughout he worked toward one goal: understanding how businesses can better align their efforts with security. From those conversations with thought leaders, Blum identified common threads.
“The common themes that I came up with were that you have to focus on the basics,” he said. “The basics are important and that’s why a control baseline was part one of my six priorities. Those basics that folks talked about in addition to security hygiene and keeping the doors locked, were also just basic integrity.”
Throughout the research for the book, one question that kept grabbing Blum’s attention was how companies were managing risk, and to what degree.
“Information risk is a unique animal,” he said. “It includes the risks of IT outages or losing the ability to employ your IT technology on behalf of the business. It also includes the risk of cyber-attacks and other threats or bad effects that cybercriminals can create against your company — that is all information risk.”
What he quickly found is that a strong majority of the companies he was speaking to were not investing in CISOs. Instead, Blum observed that organizations often placed the role deep within the IT structure without tying its responsibilities to leadership.
“There’s a real gap there if you don’t have someone that has that CISO title and actually lives with that title,” Blum said.
Blum went on to say that 38% of Fortune 500 companies fail to employ a CISO, stating that it’s time companies start taking their security issues more seriously.
“If you’re a large company with a certain amount of security pressure — meaning you have some threats — you really should have someone that has the CISO title and actually has the access and authority that title would imply,” Blum said. “But a lot of companies don’t get this yet.”
The key reason most companies don’t employ a CISO, more often than not, is that there is no buy-in within the C-suite and no investment in security.
“At some level, cybersecurity is everyone’s responsibility — everyone has some kind of role to play in it,” Blum said.
From there, Blum turned to zero trust, the principle that a device should not be trusted, or granted access to an IT resource, based solely on the network location it is connecting from. With more employees working from home, Blum began to wonder whether zero trust is really the appropriate strategy in every case.
“It’s not suitable for all the use cases that you may actually have in place today,” he said.
“You have to still have layered architectures and solutions that you ideally would not have in a pure zero trust architecture. You have to look at the use cases and decide where it fits and where it doesn’t fit.”
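To make the distinction concrete, here is an added example (not code from the podcast, from Blum, or from the book) contrasting three access-decision policies: a perimeter model that trusts network location, a zero-trust model that ignores location and checks identity, MFA, device posture and per-resource entitlement on every request, and a layered model that keeps a network-segment control for a resource that cannot participate in per-request authentication. The corporate address range, the user entitlements, the "plc-controller" legacy resource and its segment are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample environment (assumed values, not from the page).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")      # the "inside" of a perimeter model
ENTITLEMENTS = {                                    # per-resource authorization
    "alice": {"hr-db", "wiki"},
    "bob": {"wiki"},
}
# Legacy resources that cannot authenticate per request keep a
# network-segment control that a pure zero-trust design would remove.
LEGACY_SEGMENTS = {
    "plc-controller": ipaddress.ip_network("10.20.0.0/16"),
}


@dataclass
class Request:
    source_ip: str
    resource: str
    user: Optional[str] = None      # authenticated identity, None if unauthenticated
    mfa: bool = False               # second factor completed for this session
    device_compliant: bool = False  # e.g. managed, patched, disk-encrypted


def perimeter_allow(req: Request) -> bool:
    """Perimeter model: trust follows network location, nothing else is checked."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET


def zero_trust_allow(req: Request) -> bool:
    """Zero trust: location is ignored; identity, MFA, device posture and
    the per-resource entitlement are all evaluated on every request."""
    if req.user is None or not req.mfa or not req.device_compliant:
        return False
    return req.resource in ENTITLEMENTS.get(req.user, set())


def layered_allow(req: Request) -> bool:
    """Layered: zero trust where the resource supports it, a segment
    restriction plus an authenticated MFA'd operator where it does not."""
    segment = LEGACY_SEGMENTS.get(req.resource)
    if segment is not None:
        return (req.user is not None and req.mfa
                and ipaddress.ip_address(req.source_ip) in segment)
    return zero_trust_allow(req)


if __name__ == "__main__":
    samples = [
        ("lateral movement from a compromised desk PC",
         Request("10.1.2.3", "hr-db")),
        ("remote worker, managed laptop, MFA",
         Request("203.0.113.5", "hr-db", user="alice", mfa=True, device_compliant=True)),
        ("remote worker without entitlement to hr-db",
         Request("203.0.113.5", "hr-db", user="bob", mfa=True, device_compliant=True)),
        ("OT operator on the control segment",
         Request("10.20.5.5", "plc-controller", user="alice", mfa=True)),
        ("OT operator from the office LAN",
         Request("10.1.2.3", "plc-controller", user="alice", mfa=True)),
    ]
    for label, req in samples:
        print(f"{label:45} perimeter={perimeter_allow(req)!s:5} "
              f"zero_trust={zero_trust_allow(req)!s:5} layered={layered_allow(req)!s:5}")
```

The first sample is the case that motivates zero trust: an unauthenticated request from inside the corporate range is allowed by the perimeter rule and denied by the other two. The last two samples are Blum’s caveat: the controller cannot do per-request device attestation, so a pure zero-trust policy denies every request to it, while the layered policy keeps the segment restriction as one of its layers.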