From Chief Information Security Officer to Chief Cybersecurity Officer

Wired Magazine recently reported the successful hack of a major security company's smart safes used in retail stores, restaurants, and convenience stores. The exploitation is enabled by the presence of an unsecured USB service port. The hack will be demonstrated at the upcoming DefCon conference in Las Vegas. The vulnerabilities are numerous, and Wired concluded: "We see this many times, a company that does one thing well, and they move into a field where they have no experience." Ouch!

Recently, I tried to engage the CISO of a major commercial airline in a discussion of the ability to hack an aircraft's avionics systems from the Wi-Fi or entertainment systems, or from the ground. The CISO's response was that this was out of scope. I have also worked with many high-tech companies and see the same pattern: the CISO is chartered to protect the business and has nothing to do with products or services.

The question becomes: should a company's products and their security be within the scope of the CISO's responsibilities? Or should organizations have a Products Chief Cybersecurity Officer? Either would be an improvement, because developers often don't understand the security principles, risks, and ramifications of what they are doing.

Views by Brian Cummings

There is 1 Comment

"Out of Scope" indeed!!!! You just have to publish the identity of this CISO and the airline he/she is serving so "efficiently", and they will very soon run out of business!
In the unthinkable situation of a large and fully laden airliner being hacked via this backdoor and hijacked into flying into a building / city etc., can a CISO really keep a straight face and state this same reason for not having paid attention to and securing the inflight entertainment network? I believe, as most folks in our line of work would agree, that the human mind's capacity to imagine is limitless, and any such possibility should be explored to discover whether there indeed exists a backdoor/loophole, and then to work towards plugging it. That's what ethical hackers are for. I hope airlines are working on this.