CISO: Chief Infosec Scapegoat Officer

The average tenure of a CISO is now just 18 months; and this is likely to worsen if corporate security doesn't improve.

This is one of the findings of Veracode’s latest State of Software Security Report. It pins the main blame on the poor state of application security, where 70% of applications fail to comply with company security standards (such as the OWASP Top 10 and the CWE/SANS Top 25). This, says Veracode, is an increase from 60% in the previous study. “The expansive threat profile associated with software means the likelihood of CISOs being negatively affected by a high-impact security event has never been greater,” says the report.

The problem, suggests Chris Wysopal, co-founder and CTO of Veracode, is that “A developer’s main goal usually doesn’t include creating flawless, intrusion proof applications. In fact the goal is usually to create a working program as quickly as possible.” The need for speed over security is what creates the buggy software that threatens the CISO.

It’s not that there aren’t very good secure software development training courses and qualifications available; it’s just that they require planning and budgeting and often fall by the wayside. “This is why when I came across an article describing a new training program by the Software Assurance Forum for Excellence in Code (SAFECode), I was pleasantly surprised,” says Wysopal.

The Software Assurance Forum for Excellence in Code (SAFECode) has this week launched a new program of free online security engineering training courses. “This seemed an obvious area where SAFECode members could use their internal resources to make a positive industry impact,” said Howard Schmidt, executive director and former cybersecurity advisor to President Obama. “By providing free training courses in a modular fashion, we hope other organizations can pick and choose the ones most relevant to their needs to either supplement an existing program or build the foundation for a new one.”

The first set of modules was contributed by SAFECode member Adobe, which had used them successfully in-house in its own training regime. The material was then reviewed and supplemented by a SAFECode technical team “to ensure broad applicability across diverse development environments.” Other modules are in development. “While not a replacement for formal security engineering education at the college and university level,” said Schmidt, “nor a one-size-fits-all curriculum, SAFECode hopes that this new program is a step forward in addressing that knowledge gap and promoting the broad application of secure development practices.”

It is this combination of free, on-demand and practical that pleases Wysopal. “My first hope is that it will help programmers use more secure coding practices. The second is that it will eliminate the taboo of admitting (during the development stage) that an application could have security vulnerabilities.” That, he hopes, will lead to more secure software – and that in turn might start to increase the tenure of the CISO.
