BreachExchange mailing list archives
How Much is a Good CISO Worth?
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Nov 2012 14:56:15 -0500
http://www.govinfosecurity.com/blogs/how-much-good-ciso-worth-p-1387

Would you take a job as a chief information security officer for $100,000 a year? It seems no qualified IT security manager wanted the job as CISO at South Carolina's Department of Revenue for that salary.

While the CISO post stood vacant this past summer, at least one assailant hacked into the department's tax system, exposing the Social Security numbers and other personally identifiable information of nearly 4 million taxpayers. The breach will cost the state at least $12 million to address its aftermath [see Stolen Password Led to South Carolina Tax Breach].

A special state Senate panel held a hearing on the breach Nov. 28, and according to a report in The State newspaper, revenue department Director James Etter told the committee the agency didn't have a CISO for nearly a year because it could not draw candidates for a $100,000 salary, about half of what the private sector pays. According to the paper, Revenue Department CIO Mike Garon filled the security role, but he left the agency in September for undisclosed reasons unrelated to the hacking.

After the hearing, the special investigative panel's co-chair Sen. Kevin Bryant told the paper that he was upset that the department left the job open so long without asking for help from lawmakers, saying: "How many banks go 11 months without a security guard?"

South Carolina isn't the only state with limited resources to fund IT security staff and equipment. To tackle the resources challenge, the state of Delaware has implemented a certification program that gives its departmental and divisional information security officers, many of whom hold other IT jobs, the skills needed to safeguard IT [see On the Job Training for ISOs].

With an apparent dearth of IT security expertise on hand, one must wonder if the South Carolina Revenue Department conducted a risk assessment prior to the breach.
An investigation conducted for the state by the IT security firm Mandiant revealed that the agency failed to require multiple passwords to access sensitive data. Once inside the system, the hacker had access to unencrypted PII, including Social Security numbers.

At the special committee hearing, Etter told the senators the state is spending $25,000 for a dual password system. Such a system - which requires users to input two passwords, including one that changes every minute - likely would have prevented the breach.

"I almost fell out of my chair," Bryant said. "For $25,000, we wouldn't be here."

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list