{"id":2700,"date":"2012-07-26T17:10:11","date_gmt":"2012-07-27T00:10:11","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=2700"},"modified":"2013-05-31T15:35:39","modified_gmt":"2013-05-31T22:35:39","slug":"training-the-ciso","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2012\/07\/training-the-ciso\/","title":{"rendered":"Training the CISO"},"content":{"rendered":"<p>Earlier this week, I caught <a href=\"http:\/\/www.bankinfosecurity.com\/new-focus-training-ciso-a-4968\" rel=\"nofollow,noopener\" >an article by Eric Chabrow<\/a> about the increase in cybersecurity\/infosec leadership programs.\u00a0 This is something that is long overdue \u2013 putting actual education behind the idea that leading information security requires a different perspective than practicing it.\u00a0 <!--more-->There is a tremendous amount of training and education available for practitioners \u2013 everything from undergraduate programs, to certifications (e.g., CISSP), to CPE \u2013 but relatively little programmatic training for leaders outside of books (e.g., <a href=\"http:\/\/www.pragmaticcso.com\" rel=\"nofollow,noopener\" >The P-CSO<\/a>).<\/p>\n<p>When talking to customers, I can tell pretty quickly where, individually, they stand on the spectrum between pure security experts and security\/business liaisons (if I look at the two programs Eric Chabrow talks about \u2013 <a href=\"http:\/\/hnz.cm\/CISOexec\" rel=\"nofollow,noopener\" >CMU<\/a> and <a href=\"http:\/\/www.rhsmith.umd.edu\/cybersecurity\" rel=\"nofollow,noopener\" >U of MD<\/a>, security\/business liaisons are exactly the types of folks they are looking to turn out).<\/p>\n<p>Practitioners have focus \u2013 they look at technology, understand risk and threats, and generally adopt a risk-averse perspective.\u00a0 They\u2019re focused on risk, not necessarily benefit.\u00a0 Security leaders, on the other hand, act as that security\/business liaison, and 
look closely at both sides of the equation \u2013 both risk and business return on that risk.<\/p>\n<p>This isn\u2019t news to anybody, and there are plenty of practitioners who natively understand both sides of the equation (many are Palo Alto Networks customers).\u00a0 Unfortunately, many practitioners end up in charge of security with neither the natural affinity for the role, nor the training required to fulfill it.<\/p>\n<p>Obviously, this is near and dear to my heart, given Palo Alto Networks\u2019 focus on safe application enablement \u2013 the idea that applications are good, carry risk, and should be treated accordingly. \u00a0What that means depends on the application and the business, but generally there are a lot of \"allow, but...\" policy statements that enable certain groups to use certain aspects of an application in certain ways, with appropriate content (i.e., no threats). \u00a0The more security leaders have the perspective that high-risk, high-reward applications should be safely enabled for the overall good of the business, the better the overall state of information security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this week, I caught an article by Eric Chabrow about the increase in cybersecurity\/infosec leadership programs.\u00a0 This is something that is long overdue \u2013 putting actual education behind the idea that 
&hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"coauthors":[],"class_list":["post-2700","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=2700"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2700\/revisions"}],"predecessor-version":[{"id":2703,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2700\/revisions\/2703"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=2700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=2700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=2700"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=2700"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}