Ex-CSOs Team, Offer Free Security Help
A team of former CSOs from Zale Corp., Deutsche Bank, The New York Times, Anheuser-Busch, State Farm Insurance, and other big firms has been assembled at Websense to offer free security strategy, assessment, and attack response support to enterprise chief security officers.
The new Office of the CSO group at Websense is led by former Emerson Electric and New York Times CSO Jason Clark. “It started with many of us as previous CSOs. So many CSOs of large companies are struggling,” says Clark, who says he was seeing this firsthand in his role as chief security and strategy officer at Websense after leaving his post as CISO and vice president of infrastructure at Emerson Electric.
“I noticed a major gap. I was being asked to come out and help them [CSOs] for an hour or two, and they weren’t aligning their security strategies with what the business threats were,” says Clark, who conceived of the Office of the CSO idea. “[So] I started hiring this team of all former CSOs from multiple companies that have practiced the craft.”
The CSO team doesn’t pitch Websense products, and its members say they steer clear of vendor-ese to maintain their integrity as impartial advisers and to allow them to return to enterprise CSO duties someday. “They wanted to help the community and will go back and be CSOs [again] at another time,” Clark says.
But the group still comes with the Websense moniker. Office of the CSO member Neil Thacker, the former head of information security for U.K. national lottery organization Camelot and Deutsche Bank, says he doesn’t get rewarded for clients that become paying customers, and the goal is to help the security community. Thacker, who is information security and strategy officer for Websense EMEA, says he took the gig at Websense because he likes educating and supporting security pros; he currently has a caseload of about 30 people.
“I’m very keen to keep my integrity as a security practitioner,” he says. “If someone is interested in Websense, I tell them to go to websense.com, and now let’s talk about the issues you’re facing. I just want to help the community.”
Still, the Office of the CSO obviously offers a savvy marketing opportunity for Websense, albeit indirect, security experts say. “This is very good and innovative branding and marketing for Websense,” says Mike Rothman, president of Securosis and author of “The Pragmatic CSO.” “If anybody can provide access to folks that have been there and done that before, I don’t see anything wrong with that.”
Rothman says the CSO team fills a gap for organizations that need help in an advisory role but don’t want to fork out the big bucks for CSO consulting services. It’s likely to be attractive to CSOs who may not have as much hands-on experience and know they need assistance, he says. “I think it’s going to cater to a CSO that’s mature enough to understand what they don’t know,” he says. “There is clearly a need out there for that kind of mentoring, an advisory shoulder to cry on … a ‘therapist.’”
The Websense CSO team offers free threat strategy assessment with a kill chain model exercise; security framework review using a threat simulation penetration test in a sandbox; a “toolkit” for CSOs that provides guidance on security success and training employees; and boardroom assistance, where the team offers communication strategies for aligning security projects with business plans and strategies.
But there are other free venues available for CSOs to share and learn from one another, such as industry ISACs and ISSA and other intelligence-sharing groups. “I would argue that these spaces are extremely valuable,” says Eddie Schwartz, CSO for RSA Security, an EMC company.
Schwartz says he meets CSOs from around the world who often share with him the challenges or issues they are facing. He says he tries to help them, but he also connects them to other peers who may be a better match for a particular issue. It’s all about free networking, information, and intelligence-sharing, he says.
“You find a lot of major vendors have that kind of thing going on,” he says. “It’s something we do.”
[Attacks out of China that hit Google, Adobe, Intel, and other U.S. companies were not only a wake-up call for businesses in denial about persistent targeted attacks and cyberespionage, but they also forced the chief information security officer (CISO) to step out of the corporate confines and reach out to peers at other organizations. See ‘Operation Aurora’ Changing The Role Of The CISO.]
Clark says the Websense Office of the CSO’s initial consultation is typically an hour-long conversation with the client, and then includes on-site visits as well. “We offer a threat modeling service … you tell me three things you are worried about, and we put on a whiteboard what the controls are in each stage,” Clark says. That could then become the client’s next investments, he says.
A newly anointed CSO from a Fortune 1000 firm, for example, reached out to the Office of the CSO group. His bosses had asked him for a pitch on why the company needed a CSO, an update on the current state of security — and a three-year security strategy for the company. “This guy was promoted to CSO — he had been with his company for 12 years,” Clark says. “He called us because he didn’t know who to call” for help on this, he says.
Just how long a freebie service can survive in today’s constantly changing security space is unclear. “We’ll see if it has any staying power,” Securosis’ Rothman says. “I think it’s a good concept, and it’s good for the industry.”