When the CISO shouldn't blow the whistle on vulnerabilities

Highlighting the fact that there are security vulnerabilities in your organisation sounds like common sense, but there is such a thing as doing it too fast, according to Foxtel CISO Kevin Shaw.
Written by Michael Lee, Contributor

When security is mostly sent to a managed security service provider, executives could be forgiven for thinking that they don't need to dive into the technical deep end. But, according to Foxtel's chief information security officer Kevin Shaw, even if CISOs don't need to have complete technical prowess, there are other challenges they need to face.

[Photo: Kevin Shaw. Image: Michael Lee/ZDNet]

Speaking at AusCERT 2013 on the Gold Coast, Queensland, Shaw shared his regret at having dug in against IT operations staff when things got ugly during changes to processes.

"You are going to discover some very, very ugly things. The secret that I have personally found is when you find the ugly stuff, don't go trumpet it to everybody and say, 'Hey, I've found all these flaws.'

"If you start off blowing the whistle too quickly, too early on — and believe me, way back early in my career, I did — I didn't make any friends, [and I] didn't get any further with the program of work I was trying to do."

Instead, Shaw said that what he does now is to sit with the IT operations staff, figure the problem out, and then, when it's at a state where it's resolved or manageable, start informing the executive team.

"That's when you put them on the line: You're doing a really, really good job now. You've got our security profiles up to where we want to be; don't drop the ball."

One of his other recommended practices is to provide executives with updates, even when there's nothing to report, just to keep the conversation and relationships going. One tool he's used is a simple pie chart, consisting of nothing other than a green circle, representing zero incidents.

"The first time I used that little tool, it actually created quite a lot more conversation around the executives because they started asking questions to see [if] I could justify."

He said that those presentations, even if they only last 70 seconds or so, help in those times when things are going wrong and the board wants answers.

"You do not want to be standing in front of an audit risk committee or the senior executive in an organisation when things have gone wrong and they don't know your first name, and they don't know the strategy that you're trying to do, and they haven't seen the value of the security investment that's been put through."
