[ot][crazy] Re: Who Should a Crypto CISO Report To?

Karl Semich 0xloem at gmail.com
Mon Oct 23 05:46:38 PDT 2023


I have 2-3 sets of memories of this newsletter, and they mismatch the
records in my email.

One of them involves communicating with the author and connecting them
with the cypherpunks list, which I imagined they joined (years ago).

It looks like the newsletter is business-oriented. I don't remember
this. My email confirms it mentioning major whistleblowers.

I think my memory is faulty. I'm curious if my records are too. Either
way, it's information, and helps give reason to preserve both our own
records and information on our beliefs or states of mind, whether to
find internal or external mistakes, especially in a way that is easy
for us to comprehend later.

On 10/23/23, Cyber Cyber Cyber Cyber <cybercybercybercyber at substack.com> wrote:
> View this post on the web at
> https://ninja.cybercybercybercyber.ninja/p/who-should-a-crypto-ciso-report-to
>
> "Who should a CISO report to?" is a perennial favorite topic of conversation
> for security folks—CEO? CIO? CTO? General Counsel? CRO? Someone else?
> Every vertical has different needs, so let's drill down into a specific
> vertical: cryptocurrency / web3.
> Thanks for reading Cyber Cyber Cyber Cyber! Subscribe for free to receive
> new posts and support my work.
> Security risks across verticals in, say, the Fortune 1000 companies vary
> enormously. At one extreme you have companies with very low security risk
> who are primarily concerned with the financial impact of regulatory fines
> resulting from a data breach.
> If regulatory compliance is the primary driver of your company cybersecurity
> strategy, then there is a strong argument that the CISO should report to the
> General Counsel. This seems self-explanatory, no?
> Across the middle bulge in the normative distribution you see CISOs
> reporting to technical leadership, like CIOs or CTOs or VPs / Engineering.
> If you collect, store, process, and secure large amounts of
> business-critical data (information), then there's a reasonable argument to
> be made that the Chief Information Security Officer should report to the
> Chief Information Officer.
> In this common use case there is a much weaker argument for the CISO to
> report to a CTO or VP / Engineering—this is usually a result of execs saying
> "we don't understand security, it’s too technical, let's give it to our
> company tech lead". But building technology and company-wide security risk
> management are two entirely different skill sets that only by coincidence
> happen to be technical in nature.
> Now we come to the opposite extreme end of the spectrum, where security risk
> poses company-ending catastrophic or even existential business risk.
> What happens when the mission-critical information in question is fungible,
> non-reversible cryptocurrency?
> In such a scenario, does it make sense for the CISO to report to the General
> Counsel? Clearly not. If cybersecurity risk ("if we get hacked") could
> result in bankruptcy, then that's not legal or regulatory risk, that's pure
> cybersecurity risk.
> In such a rare and extreme scenario, I think you have two reasonable
> options: the CISO should report to either a Chief Risk Officer (CRO) or to
> the CEO directly.
> CROs are a bit of a unicorn role, both rare and hard to hire for—how do you
> find someone equally fluent in legal risk, financial risk, and cybersecurity
> risk, all in the same human being? But great if you can find such a person.
> So when security risk poses company-ending bankruptcy risk, I tend to think
> the CISO should report directly to the CEO. The chief executive must
> constantly balance risk and reward in driving their business forward, and
> that means having detailed information from a direct report (the CISO) about
> the risk on their flanks.
> There's ultimately no right answer to the question "Who should the CISO
> report to?" That's because the correct answer is "It depends." It depends on
> your threat model. It depends on the nature of the security risk that a
> business carries.
> Just as foreign policy writes domestic policy, so too external risks to a
> company drive internal org chart design.


More information about the cypherpunks mailing list