Recently, I have come to realise that there is yet another mode of operation for the CISO, arguably more important in business terms – seeking innovation.
But the sort of innovation that has been dominating my thinking is the sort that is looking first and foremost to do better business, while solving the security challenges necessary to do that better business securely. It can be illustrated by a recent example in banking.
We have seen exploitation of the internet "channel" stymied by various security issues and threats: principally authentication weaknesses, trojans (key loggers) and phishing/social engineering.
Our response has been to address each threat separately and search for layered mechanisms to add to existing solutions, either preventative (stronger authentication) or detective (monitoring for phishing activity).
But analysing the root causes of such vulnerabilities can give the security geek a different perspective – passwords are a difficult thing for the average human to cope with and keep secure. Ultimately, we advocate moving to tokens. But banking customers have used tokens for authentication for decades. There's a whole credit and debit card business based on tokens.
The idea of using cards as an authenticator for the electronic channel is not original and is becoming part of mainstream future planning in banking, but why has it taken a decade of internet banking to get back to a mechanism that already existed? The scale of banking is large enough to have addressed the problem of the card reader a long time ago.
A greater focus by security geeks like me on innovation might have resulted in a different path, possibly more secure, earlier. This is just one example. Part of looking at the internet banking problem innovatively is, I believe, realising that all the security mechanisms work together.
So if the authentication mechanism cannot be both perfectly strong and usable by humans, perhaps authentication should not be isolated from mechanisms that, say, control PC connectivity.
But there is one that I can talk about, and many of you will have heard of it already. Jericho is primarily about security professionals looking from a business perspective for an adapted perimeter security model that allows better business to be done.
I typically use the example of my bank wanting to operate effectively, at an acceptable network cost, in locations where it is difficult to get enough reliable proprietary bandwidth and where putting in a big firewall is so costly as to eat all your profit margin. In that case, you need to think innovatively about where the real boundary is – it won't be at the traditional firewall.
Then you can begin to do better business. So go out and innovate - it might be fun!