Sony and Chase: Don't blame the CISO

No chief information security officer has the ability to stop every attack every time.

Over the last couple of weeks, I have read numerous news stories about the widely publicized security breaches at Sony and JPMorgan Chase. It seems as if everybody is a Monday-morning quarterback, with every other reporter voicing an opinion on how these breaches should have been prevented. In particular, I read two articles that specifically blamed the information security organizations at those companies for failing to properly stop the attackers. That's not fair.

What bothers me is the assumption that the "security guy" has a magical ability to stop attackers in their tracks. Those of us in the profession know that it's not that simple.

Attackers have always had their choice of vectors for attacking networks. Microsoft operating systems and products, for example, carry a steady stream of security holes, and not all of them have a patch available at the moment they are discovered. The same is true for Web servers and other Internet-facing software. Firewalls have many ports opened to let various services work, and remote access systems are present in nearly every organization. It takes only one security hole for an attacker to gain a foothold in a network, and even the best-defended networks always have several.

How can an information security team effectively block every possible attack, when the technologies we use are never going to be 100% secure?

One article I read last week specifically blamed Chase's information security team for "failing to upgrade" a server to two-factor authentication. I don't know how it is in your organization, but at my company, I don't upgrade servers. My information security team does a lot of things, but not hands-on management of data center servers. IT does that. And the dynamics are complicated. I find vulnerabilities and notify my company's IT team about them, and then follow up over time to convince the IT guys to make the changes I want. It's not easy, and it's not always successful. Implementing two-factor authentication, in fact, is one of my current challenges.

So it's hard for me to see how blaming the chief information security officer is the right way to look at these breaches. It is highly likely that the IT organizations in companies that suffered significant breaches over the last year should bear some of the responsibility.

Another article I read said Sony's CISO chose a relatively high level of risk regarding the company's information security posture.

This strikes me as even less fair. I can't believe that the CISO "chose" a high level of risk. The much more likely explanation is that the level of risk was imposed by outside forces. There are always other factors in play, such as resource availability, funding and general organizational support for information security risk reduction. I can name many things that I would change at my company, and the reason I haven't done them yet is not that I have "chosen" to leave them the way they are. Sometimes, change requires a lot of patience, persistence and effort. We can't always just flip a switch and make things happen. I think it's fairer to say that the company as a whole has chosen a specific risk posture.

And even if we could make all of the changes we want to, how can we expect CISOs to make every network 100% attack-proof? This is a question I think about every day. No matter how many servers I harden, how many security technologies I bring into my network, and how many "best practices" I implement, vulnerabilities will always be present in the operating systems and software my company uses. What this implies is that determined attackers will always be able to break into targets of their choice, because they have so many vectors to choose from. In other words, it's not possible to be 100% secure. And where does that leave us? We do our best with what we have, and hope for the best.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
