Should There Be A Professional CISO Certification and Organization?

I’ve been thinking a lot about the CISO role and how it is rapidly maturing from a technology and compliance role to a more generalized business executive role that specializes in security and risk. The primary catalyst for this evolution is the recent release of the SEC rules requiring companies to report material incidents on their 8-K forms. The rules also require companies to disclose their process for governing security issues (via committees or other processes) and their process for determining materiality (via their annual 10-K filing). All of this is having a similar effect on the CISO role that Sarbanes-Oxley had on the CEO and CFO roles after it was passed in 2002. The end result is that public companies are now expected to demonstrate investment and expertise in governing security issues, which is elevating the CISO to a true executive officer and ushering the role into the board room.

Why Did The SEC Establish The New Requirements?

Security reporting and disclosures by public companies have been lacking. There has been zero incentive or accountability for companies to report these events other than lawsuits, stock price corrections or brand and reputation impact. These disclosures often happen as a result of a news report published months or years after the actual incident. The company then issues a generic statement downplaying the event and emphasizing how seriously it takes security. The SEC has determined this pattern of behavior is insufficient for investors to accurately make decisions about the health of the company.

Why Do Professional Certifications Exist?

Professional certifications exist for a number of reasons. Doctors, accountants, professional engineers and lawyers all must demonstrate a minimum level of knowledge to get licensed in their chosen profession. They must also agree to conduct themselves according to a specific code of conduct. This allows practitioners to wield specific credentials demonstrating proficiency and credibility in that field. Displaying professional credentials attests that these professionals bear the responsibility to protect life, prevent fraud or protect assets.

Additionally, professional credentials afford practitioners a number of benefits such as knowledge sharing, continual career development and job placement, and they act as a backstop if someone’s conduct is called into question. Certifying organizations can testify on someone’s behalf if they believe that person has upheld the requirements of the profession, or they can self-regulate and strip someone of their credentials for fraud or gross negligence.

A short list of fields with professional certifications is as follows:

  • Lawyers – Bar
  • Doctors – Medical license, National Board of Medical Examiners (NBME), State level licenses, American Board of Medical Specialties (ABMS)
  • Accountants – Financial Accounting Standards Board (FASB), Government Accounting Standards Board (GASB), Generally Accepted Accounting Principles (GAAP), Certified Public Accountant (CPA)
  • Engineers – Certified Professional Engineer (CPE)
  • Privacy Professionals – International Association of Privacy Professionals (IAPP)

Existing Security Certifications And Organizations Are Lacking

There are already a number of certifications security professionals can choose from on their path to becoming a CISO. A short list of common certifications listed on CISO job postings or LinkedIn profiles is as follows:

  • C|CISO
  • CISSP
  • CISM
  • CISA
  • CRISC

Of these certifications, only the C|CISO certification comes close to offering a specific certification for CISOs. The rest serve either as generalized security certifications or specific offshoots of the security profession. These certifications are often bundled together by professionals to demonstrate breadth of knowledge in the security field.

While existing certifications are good, they are all lacking in what is needed for someone to serve as a CISO at a publicly traded company. They are more generalized about how to serve as a CISO at any company (small to large), but publicly traded companies have specific requirements and demands. Specifically, most of the certifications above are extremely heavy on a breadth of technical aspects and popular industry frameworks. Some of them do cover how to create and manage a security program. Some even cover basic board level conversations (although these are usually technical discussions, which are unrealistic). Where I find these certifications lacking is as follows:

  • Realistic board level conversations about risk and tradeoffs including building effective presentations
  • Board and legal conversations about materiality for security incidents
  • Common board committees and what to expect as a CISO serving on a board level committee for your company
  • Testifying or providing legal evidence post incident
  • Legal conversations about how to best notify customers of breaches including drafting communications
  • Legal conversations with security researchers and navigating vulnerability disclosures
  • How to establish and manage a bug bounty program
  • Navigating conversations with law enforcement or national security issues
  • How to effectively change or strengthen security culture
  • How to have conversations with other C-Suite executives about security
  • Navigating customer and industry requests for disclosure of security program information
  • Managing the budget / P&L for a security function including tooling, licenses, services, travel, expenses, equipment, certifications, etc.
  • Common security team structures and how to design a security org that adds maximum value for the business
  • Personnel management, skillsets expected for different roles, matching training and certifications to job function, etc.
  • Negotiating with vendors and cyber insurance companies
  • Contract review and negotiation with customers (including common security and privacy clauses)
  • Creating RFPs, RFIs and RFQs
  • Talking to customers about security at your company or hot button security issues
  • Establishing requirements, conducting trade-off analyses and performing build vs buy analysis
  • How to effectively network with peers
  • Industry resources such as ISACs, InfraGard, etc.
  • Top recruiting agencies for placing CISOs at publicly traded companies
  • Career development post operational CISO (boards, consulting, etc.)
  • Properly documenting your security program
  • How to navigate achieving common compliance certifications such as SOC1, SOC2, FedRAMP, ISO27001, HIPAA, PCI-DSS. Typical costs, consulting companies that can help with these processes and what to expect during the process.
  • When to outsource your security program to an MSP
  • When to bring in an outside consulting or incident response firm
  • Successfully passing an external audit
  • Negotiating for a job including severance, D&O liability, assessing the role, etc.
  • Differences in the CISO role depending on who it reports to (General Counsel, CTO, CIO, CEO, CFO)
  • How to navigate common security related political and moral hazards at public companies

As you can see, there is a big difference between what certifications offer and the real demands of a public company CISO. Additionally, there are a number of professional security organizations such as the Information Systems Security Certification Consortium (ISC2), Information Systems Audit and Control Association (ISACA) and The Council of E-Commerce Consultants (EC-Council). Each has its own certification track, terminology and code of conduct. Each is good in its own right, but there is still no single certifying body for public company CISOs similar to the CPA. Arguably, ISACA comes closest to being an international organization that can back CISOs, but it lacks a CISO specific certification covering the majority of the topics above.

While existing certifications are good, they are all lacking in what is needed to prepare someone to serve as a CISO at a publicly traded company.

Why There Should Be A Professional CISO Certification

The SEC requirements are forcing public companies to govern security to the same standard forced by Sarbanes-Oxley 20 years ago. The SEC considers security to be a material concern to investors, and public companies need to treat the issue accordingly. As a result, CISOs are getting elevated to the board room and need to be prepared to navigate the issues they will encounter while serving at a public company.

The advantages of a professional CISO certification and accompanying organization are as follows:

  • Standard of ethics and conduct – CISOs face a difficult job and often walk into roles that aren’t properly supported or properly funded. Yet, CISOs are asked to bear the responsibility and accountability for the security health of the organization. A standard of ethics and conduct, similar to a CPA, will backstop the authority of the CISO and serve as guidelines for how to navigate common issues at publicly traded companies.
  • Standard credential for publicly traded companies – Large companies face a difficult job sorting through the credentials and titles of job applicants. Most public companies hire executive recruiting firms to help navigate the sea of candidates to find ones that are truly qualified for the role. However, a single professional CISO certification would distinguish individuals who have met the standard to be a CISO at a publicly traded company and distinguish these credential holders from other individuals with discretionary CISO titles.
  • Shelter the role from (some) liability – One advantage of a professional certification like the ones for doctors, engineers, lawyers and public accountants is that it provides a standard of conduct. These professionals can fall back on this standard of conduct if their professionalism is called into question, and they can even have the certifying organization offer testimony on their behalf. As CISOs take on more liability, a professional CISO organization can be useful to help support CISOs, testify on their behalf, offer recommendations for liability insurance policies or even provide low cost liability insurance through the organization. It can even help review employment contract terms to evaluate liability policies, severance, legal coverage, etc.
  • Board Level Expertise – One of the primary roles of public company CISOs is to present to the board and help the company navigate regulatory and compliance requirements such as SEC filings, breach notifications, etc. A professional CISO certification would offer individuals this experience and give them the confidence to speak to the board on how to navigate topics of risk. By certifying that individuals are qualified to operate in the board room, the board gains another voice to balance the other C-Suite executives who aren’t grounded in technology and security issues.
  • Consulting and auditing – One final advantage of a professional CISO certification is for the “big 4” consulting firms or other agencies who are contracted by investment companies to audit and certify the filings and reports of public companies. In this case, a certified CISO can represent shareholders and investors for the accuracy of security filings around governance processes, representation in board committees, recommendations for appropriate investment in security governance and generally offering advice on industry best practices for security governance at publicly traded companies.

Wrapping Up

I’m bullish on the CISO role long term because I think it is the ultimate C-Suite executive. Public company CISOs touch all aspects of the business, they need to have strong technical chops, need to understand business topics and need to have the political chops to build alliances and navigate big company politics. Existing security certifications are good, but none of them offer a comprehensive breadth of topics to prepare individuals to become a CISO at a publicly traded company. As CISOs establish their role and credibility in the board room, it will become critical for these individuals to have credentials that back their experience, offer support and can elevate the CISO role on par with other C-Level execs, similar to what Sarbanes-Oxley did for CFOs after 2002.

Are Phishing Campaigns Worth It?

Phishing campaigns are often touted as a complementary exercise to security training as a way to measure training effectiveness. The thought is, if your training is effective, users will be less likely to fall for and click on phishing emails, which will correlate to a decrease in the number of phishing incidents at your company. This sounds great in theory, but phishing campaigns have a lot of downsides that need to be considered before you hit the send button.

What Is Phishing?

The Cybersecurity and Infrastructure Security Agency (CISA) defines phishing as:

“a form of social engineering where malicious actors lure victims (typically via email) to visit a malicious site or deceive them into providing login credentials.”

What does this mean for a CISO in practical terms? It means your employees will constantly receive emails that look legitimate, but are actually scams. They are trying to get your employees to click on links in the email so they can steal credentials, install malware, get access to sensitive data, or steal money. Phishing campaigns are often one of the first methods attempted in a more targeted attack that can use the phished credentials to allow the attacker to gain a foothold into your environment.

What Are The Common Defenses Against Phishing?

User Awareness Training

One of the most effective ways to counter the threat of phishing attacks is to educate your users. Regular user awareness training on how to recognize and take action against phishing emails has proven to be highly effective. Why? Phishing is trying to trick your users into performing an action they wouldn’t normally perform. This is a form of psychological or social engineering, and the best way to instill the proper mindset in someone is through regular training. This training should test for understanding and users’ ability to recognize and report phishing emails. When in doubt, report it and delete it.

DMARC, SPF and DKIM

Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are technologies that businesses can implement to verify the sender of incoming email and authenticate that incoming messages are valid (not spoofed). SPF allows domain owners to publish the list of IPs and servers that are permitted to send email for their domain, and DKIM allows domain owners to digitally sign emails coming from their domain so recipients can cryptographically validate the messages. SPF and DKIM are forms of authentication in the email world and help prevent spammers from sending mail on domains they don’t own.

DMARC is the enforcement arm in the email world. It takes the SPF and DKIM results as input and decides what to do with the message. The action is configured by the sending domain’s owner in its published DMARC policy, but the typical choices for messages that fail both the SPF and DKIM checks are to deliver the message anyway, quarantine it (mark as spam) or reject it entirely. When configured properly, all three of these technologies help filter and reduce the phishing emails that make their way into your users’ inboxes.
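As an added example (not code from the original post), the following shows how a receiving mail server combines the SPF and DKIM verdicts with the sender domain’s published DMARC policy to arrive at a disposition, including the alignment check that ties each result back to the visible From domain. The DNS records are constructed, and the SPF and DKIM verification results are taken as inputs (as a receiver would read them from Authentication-Results) rather than computed here.

```python
"""DMARC disposition from SPF/DKIM results and a published policy (illustrative)."""
from dataclasses import dataclass

# Constructed TXT records standing in for real DNS lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode requires an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (envelope) domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM-Signature that was verified


def dmarc_disposition(results: AuthResults, dns: dict = FAKE_DNS) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' the way a receiver would."""
    record = dns.get(f"_dmarc.{results.from_domain.lower()}")
    if record is None:
        return "none"  # no policy published, so there is nothing to enforce
    tags = parse_dmarc(record)
    # A passing result only counts if its domain aligns with the From domain;
    # a spoofer passing SPF for its own envelope domain gains nothing here.
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, tags["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # either aligned mechanism is sufficient under DMARC
    return tags["p"]   # apply the domain owner's requested policy


if __name__ == "__main__":
    spoof = AuthResults("example.com", "pass", "attacker.example.net", "none", "")
    print(dmarc_disposition(spoof))  # quarantine
```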

MFA

Another technology that is critically important to protect against phishing attacks is to enable Multi-Factor Authentication (MFA). This is another form of defense that will protect your user accounts if a phishing email makes it through the filters and your user clicks on the phishing link in the email.

For example, a typical phishing email may impersonate a legitimate business website that requires authentication. The formatting, graphics and appearance may all look exactly the same. The only way to tell the email is a phishing email is by looking at the sender domain or email headers to detect subtle variances in spelling or formatting. If a user falls for this phishing email, clicks on it and enters their username and password, MFA will help prevent their credentials from being fully compromised. Yes, the user will need to have their password changed, but MFA such as one-time passwords, tokens or passkeys will prevent the attackers from using the phished credentials on their own.

What Are Phishing Campaigns?

Phishing campaigns are controlled exercises in which your own organization or a contracted third party sends fake phishing emails to your users to test how many open them and click on the links. Phishing campaigns allow organizations to directly test how well their user awareness training is working to help users recognize and avoid phishing attacks. Phishing campaigns can be stand-alone events or they can be tied into other security testing like penetration tests.

What Are the Downsides To Phishing Campaigns?

Phishing campaigns, while popular, have questionable morality and effectiveness for a few reasons.

  1. The primary method of business communication is email. Phishing campaigns are teaching users to mistrust and in some cases stop using email for business purposes. Security organizations should find ways to support and protect the business without unnecessarily impeding it and for this reason I believe phishing campaigns are counter to the mission of an effective security organization.
  2. The top businesses have cultures that support and encourage psychological safety. Being able to respectfully speak your mind, have support from your colleagues and feel valued are all important aspects for job satisfaction and effectiveness. Phishing campaigns go against the idea of psychological safety. They attempt to trick your users into clicking on emails with questionable tactics such as promising bonuses, legitimate business purposes or even funny cat videos.
  3. One large problem with phishing campaigns is they tend to have punitive outcomes. Anyone that falls for the phishing email gets sent to remedial training or may be given a reduced set of permissions for a period of time. These punitive actions punish users for using their primary method of communication, destroy the concept of psychological safety and discourage productivity.
  4. Speaking of productivity, I see a lot of metrics about the percentage of users that clicked on phishing campaign emails along with targets to reduce those numbers after sending people to remedial training. What I don’t see are metrics on the impact the campaign has on productivity. How much longer will it take the person in finance to do her job now that she doesn’t trust anything in her email? How much longer will it take IT support to resolve the help desk ticket when they have been scolded repeatedly for falling for phishing emails? These metrics unfortunately are overlooked or not even captured. Security programs should ground their activities in the overall business strategy and make sure their programs are generating true value for the business that is measurable in the form of reduced risk as a tradeoff to other areas of the business.

A More Effective Solution

Whenever someone asks me for my thoughts about phishing campaigns I tell them honestly that I am not a fan. I’ve been on penetration testing teams that have crafted emails as part of phishing campaigns and I’ve seen the effect it has on users. I think there is a better way.

A lot of this post has gathered inspiration from various sources, but one of the main sources is the Cybersecurity and Infrastructure Security Agency (CISA). In October 2023, CISA, the FBI and the NSA published a joint article on guidance for stopping phishing attacks. You can read their excellent recommendations here. Their article supports my sentiments here because one thing that is not in their recommendations is conducting a phishing campaign against your own users.

What are my recommendations?

  1. Conduct proactive training that tests not only comprehension, but the ability to accurately recognize phishing emails. Give employees the skills to look at email headers and give them the latitude to report suspicious emails or delete them altogether. Accept that email will be a slower and less trusted form of communication, and even prevent the use of email for critical business functions (like contracting or financial activities). This training should have hands-on practicals that give the security function and senior leaders confidence they have trained their users to the best of their abilities to minimize the risk.
  2. Put controls in place to protect your employees. DMARC, DKIM, SPF and MFA can protect your users. Endpoint protection, monitoring and logging, ingress and egress filtering, etc. can all provide defense in depth to stop phishing attacks from being successful. The point here is, a comprehensive and well executed security program is one of your best defenses against phishing attacks.
  3. Employees that fall for real world phishing emails should be given a second chance. Assume good intent here. Most employees will recognize when they have done something bad and will feel guilty about it. They will punish themselves so the organization should support them, offer them additional training and help them get back to doing their job. Having proper security controls in place can help minimize the impact of your employees clicking on phishing emails.
  4. As a last resort, I will recommend some sort of punitive action, but this should not be the default and should be used sparingly. Users who just don’t get it and are repeat offenders should face disciplinary action such as termination or reduced job responsibilities. This ties into organizations that evaluate how well employees support and uphold the security objectives of the organization. Repeated violations of Acceptable Use Policies (AUP) should fall under an HR/Legal action that minimizes the risk of the employee to the business.

Wrapping Up

Phishing is a form of social engineering and is a real business risk. It can lead to credential compromise, malware infections or Business Email Compromise (BEC) resulting in real business loss. A well rounded and comprehensive security program will help counter the threat of phishing attacks through comprehensive security controls and processes. Most importantly, I recommend security teams remove phishing campaigns from their tool chest and instead use proactive techniques to educate users, while protecting the business with a defense in depth approach.