
CISO departures highlight the need for better security metrics in the boardroom says leading expert

  • United Kingdom
  • 14th October, 201

Dr Eric Cole, one of the most prominent instructors at the upcoming SANS London 2013 InfoSec training event, warns that organisations need to build capabilities and be prepared for the inevitable information security breach. "There is a level of frustration across the world as organisations spend ever increasing amounts of money on information security technology yet still get breached," says Cole. "The likelihood is that you will be compromised, even with this vast amount of spending and layers of systems. Now we need to focus more on finding the attackers lurking on hijacked systems and minimising the frequency and impact of each incident."

As one of the world's leading experts on cybercrime, Dr. Cole is also a SANS Fellow Instructor and author of 10 books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He also holds 20 patents and is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole has over twenty years' experience in network security consulting, with clients including international banks, Fortune 500 companies, and the CIA.

Cole believes that organisations have improved their information security over the last 10 years, "but if you compare it to the scope, scale and technical capability of the adversary, it is in fact a net loss of capability and we need a change of mind-set on how we deal with the reality of cyber-crime."

He suggests that organisations can learn a lesson from the automotive industry: "Airbags, seatbelts and roll cages are recognition that accidents will happen, and if you look at the big trends in cyber-crime, it is the human 'operating system' that is often the victim or unknowing accomplice in a vast majority of successful cyber-attacks." Cole also advocates that organisations should build IT infrastructure defensively: "This should include limiting individual user access, increasing auditing capabilities and regularly 'going hunting' for compromised systems and bad user behaviour."

At SANS London this coming November, Cole will be teaching SEC401: Security Essentials; he is also the author of the follow-up SEC501: Advanced Security Essentials - Enterprise Defender. "If you look at both of these courses, they are constantly adapting to the real world threat landscape because the attackers are doing exactly the same - this game of attack, defend, adapt then repeat is constant and unfortunately never ending."

However, Cole has seen several positive changes in the last few years. "The vendors like Microsoft, Oracle, Google are taking their responsibilities more seriously, which makes defence a bit easier, and it seems that CEOs are starting to expect more than just a 'tick box' when it comes to the requirements for a Chief Information Security Officer (CISO)."

Cole has spoken to over a dozen large organisations that have quietly fired their CISO, although he looks at this as a positive step in many cases. "The board knows what failure looks like, but it still has a hard job measuring success when it comes to information security," he says. "The main issue is that there is no 99.999% uptime equivalent for InfoSec, which means that the modern CISO needs to be able to provide metrics and potentially educate the board as to what they are doing to mitigate risk and, more importantly, find compromised systems and vulnerabilities and close these gaps."

In his view, the danger of complacency can be as great as that of incompetence. "When a large organisation says to me that they have never had an information security breach, an alarm bell instantly rings," says Cole. "The modern and often state-sponsored attacker wants to get in and stay in, and if successful then no alarm bell sounds even as on-going frauds are perpetrated and sensitive data stolen."

"The Advanced Persistent Threat (APT) message is not just a case of FUD," says Cole, "and the smarter organisations start with the assumption that it is currently going on and they look for the signs instead of just assuming invulnerability - which nobody is. A quick look at will show just the visible tip of a very large iceberg," he concludes.

For more information about SANS London 2013 or to register, please visit:

Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.