Advice for the modern CISO

What should a CISO be doing in today's business and security environment? At the recent Black Hat Conference in Las Vegas, CSO Magazine had the opportunity to interview Nuix's Chief Information Security Officer, Chris Pogue about his experiences in protecting the Australian security company's operations.

Over his career, Pogue has been an officer with the US Army Signal Corps, an instructor with Trustwave SpiderLabs as well as being a member of the IBM/ISS X-Force incident response and ethical hacking teams. He holds a Master's Degree in Information Security and is also an adjunct cybersecurity professor at Southern Utah University.

Pogue's main advice to security managers is to hire a great team. “As a CISO I have an eclectic bunch of people, I cater to their crazy and the results are tremendous. Hire the crazy, because you need them. Those are the ones that don't think outside the box, they burn the box and stomp on the ashes. That's what you want.”

Along with being able to manage a diverse and crazy team, being able to talk the language of other executives is an essential CISO skill, Pogue believes: “understanding both sides of the house is important – understanding the financial risks and being able to communicate those to the CFO, understanding the business risks and conveying that to the chairman of the board and the CEO, what the reputational risks are and conveying those to the head of marketing or PR. It needs to be quantifiable.”

“I would say to other CISOs communicating to board members, know your target audience and know how to take those technical concepts and communicate effectively to that specific group and you will be successful. Understand what motivates them.”

“You can't just say 'security is good' and everything else is bad because everyone speaks their own language, understand who your target audience is and address them in the language they are going to hear.”

For company boards and managements, high profile breaches in recent years like Target's and Sony's have brought home the seriousness of information security: “the pucker factor has kicked in,” Pogue says. “Boards are looking at this and discovering the average breach costs three and a half to four and a half million dollars and I have this entire risk factor to be aware of. I want someone on this – fix it.”

Pogue says understanding these risks puts more onus on executives across the business: “this is a legitimate global problem that's not going to go away and it's not all those IT guys being the doom and gloom sayers. It's a business problem that affects every part of the business, there's an HR component, there's a legal component.”

“Executives need to understand this is a real honest to goodness risk and it needs to be addressed. You need to have a CISO, a risk officer, you need to have people who understand this landscape who can help guide the business, just like a general counsel,” Pogue advises. “I don't want to run the business, or keep it from making money, I want to provide enough advice and information so the decision makers can make smart decisions.”

“Understand that's the CISO's role and give him free rein to do that, don't half ass it. If you are going to hire him, empower him and give him everything he needs to accomplish his mission. All he's gotta do is be wrong once.”

Having a properly qualified professional in the CSO or CISO role is also essential, says Pogue: “all executives and boards should look at their CISO in a similar way and say this is a cyber expert. Don't put a lawyer or accountant in that spot, put a cyber expert who's put fingers on keyboards, has fifteen to twenty years' experience, who's going to point you in the right direction.”

In Pogue's view, the security landscape is becoming far more dynamic: “the old way of doing things has been very static, let's focus on IoCs – indicators of compromise – and let's not focus on tactics, techniques and procedures. Someone can change between attacks, they can use one tactic on one machine to the next; there could be two dozen IoCs in one attack.”

Given the weight of alerts and the shortage of skilled staff to interpret warnings, Pogue believes that software which analyses an organisation's security status and the behaviour of potential intruders is essential, as long as it doesn't “just vomit alerts all over everyone saying 'here's ten thousand indicators of compromise alerts, you tell me which ones are important.'”

Overall, Pogue believes that attracting good security staff is a matter of providing a work environment that they enjoy. For himself, he'd show up regardless of the money as long as the stimulation is there. “I spent eight years at IBM where I was number 8Alpha149, I didn't have a name, just a boring serial number and I had no influence over anything whereas if you take a bunch of experts who are passionate we're in this industry because it's what we love. It's not what we do, it's who we are.”

“If I won the Powerball tomorrow I would show up for work on Monday because this is just how God wired me.”

Stories by Paul Wallbank