Wired Magazine recently reported the successful hack of a major security company's smart safes used in retail stores, restaurants, and convenience stores. The exploitation is enabled by the presence of an unsecured USB service port. The hack will be demonstrated at the upcoming DefCon conference in Las Vegas. The vulnerabilities are numerous, and Wired concluded: "We see this many times, a company that does one thing well, and they move into a field where they have no experience." Ouch!
Recently, I tried to engage the CISO of a major commercial airline in a discussion of the ability to hack an aircraft's avionics systems from the Wi-Fi or entertainment systems, or from the ground. The CISO's response was that this was out of scope. Also, I have worked with many high-tech companies and see the same pattern. The CISO is chartered to protect the business and has nothing to do with products or services.
The question becomes: should a company's products and their security be within the scope of the CISO's responsibilities? Or should organizations have a Products Chief Cybersecurity Officer? Either would be great, because developers often don't understand the security principles, risks, and ramifications of what they are doing.
Views by Brian Cummings