BreachExchange mailing list archives

How Much is a Good CISO Worth?


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Nov 2012 14:56:15 -0500

http://www.govinfosecurity.com/blogs/how-much-good-ciso-worth-p-1387

Would you take a job as a chief information security officer for
$100,000 a year? It seems no qualified IT security manager wanted the
job as CISO at South Carolina's Department of Revenue for that salary.

While the CISO post stood vacant this past summer, at least one
assailant hacked into the department's tax system, exposing the Social
Security numbers and other personally identifiable information of
nearly 4 million taxpayers. The breach will cost the state at least
$12 million to address its aftermath [see Stolen Password Led to South
Carolina Tax Breach].

A special state Senate panel held a hearing on the breach Nov. 28, and
according to a report in The State newspaper, revenue department
Director James Etter told the committee the agency didn't have a CISO
for nearly a year because it could not draw candidates for a $100,000
salary, about half of what the private sector pays.

According to the paper, Revenue Department CIO Mike Garon filled the
security role, but he left the agency in September for undisclosed
reasons unrelated to the hacking.

After the hearing, the special investigative panel's cochair Sen.
Kevin Bryant told the paper that he was upset that the department left
the job open so long without asking for help from lawmakers, saying:
"How many banks go 11 months without a security guard?"

South Carolina isn't the only state with limited resources to fund IT
security staff and equipment. To tackle the resources challenge, the
state of Delaware has implemented a certification program that gives
its departmental and divisional information security officers, many of
whom hold other IT jobs, the skills needed to safeguard IT [see On the
Job Training for ISOs].

With an apparent dearth of IT security expertise on hand, one must
wonder if the South Carolina Revenue Department conducted a risk
assessment prior to the breach. An investigation conducted for the
state by the IT security firm Mandiant revealed that the agency failed
to require multiple passwords to access sensitive data. Once inside
the system, the hacker had access to unencrypted PII, including Social
Security numbers.

At the special committee hearing, Etter told the senators the state
is spending $25,000 for a dual password system. Such a system - which
requires users to input two passwords, including one that changes
every minute - likely would have prevented the breach. "I almost fell
out of my chair," Bryant said. "For $25,000, we wouldn't be here."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
