- Posted by barak engel
- On September 19, 2020
- 2 Comments
One of the key topics I address in my book Why CISOs Fail is how companies repeatedly and recurrently hire wrong.
They will hire smart, experienced people, and then set them up to fail, frustrating them out of the job in a couple of years. Or they will hire not-so-great but confident-seeming people, and let them “do their thing,” which does little to improve the security posture in the organization, but does a lot to introduce needless processes that end up serving no end but their own existence, at a significant human resource cost.
Here are common thought processes that lead to this pattern, and a response to each one:
“Security is hard”
The truth? Security is no harder than managing cash flows or penetrating new markets. All are disciplines that require a particular expertise. It just so happens that information security, at present, has a lower number of established leaders because it hasn’t been around for as long, and it is highly related to a field (technology) that is evolving rapidly. But that doesn’t make it harder.
Being a CISO is just as difficult (or as easy) as being a CIO or CTO—which is, incidentally, one more reason why they should be peers.
There is also another element at play here, which is the good ol’ profit motive. The security space is filled with vendors offering niche solutions, using FUD (fear, uncertainty, and doubt) and fantastical claims that only serve to keep security as unapproachable. We’ve been here before with technology. Yes, the Nineties, I’m looking at you.
“Security is a higher stakes game”
The truth? A favorite statement of candidates to the position of CISO, this is not only wrong, but dangerous. So let’s set this one straight. Security is there to support the business in its highest stakes game—in the case of a for- profit enterprise, manufacturing product, obtaining and serving customers, and carving out market share.
A security person who is focused on technology threats all day will never be able to properly analyze the risk inherent in everyday business decisions, and will likely become ever more conservative in their decision making. The end result?
The company pays lip service to the security leader while ignoring them where it really matters, which in turn leads them to become even more paranoid, frustrated, and upset, which in turn drives everyone else to behave even more covertly so as not to piss them off… until it all breaks down, they quit (or get fired), and a new person comes on-board to start the cycle anew.
In the meantime, processes do fail and the business ends up assuming more risk than necessary, because everyone is afraid of bringing in the security person to assess the really important decisions, since they always seem to slow things down significantly. Sometimes that can lead to a bad data leak, which can harm the brand. At this point, when asked for my opinion, I tend to dismiss the candidacy of any security practitioner for the role of CISO who uses the “higher stakes” argument.
“Security is part of IT”
The truth? We just spent a few pages discussing this issue, so hopefully we are on the same page by now. I do want to add a thought here, though. For the purpose of this discussion, I will assume you provide some sort of service or product that directly targets consumers or business—a b2c or b2b type environment.
Ask your prospective CISO who their most important partnership is with, outside of their boss or direct reports. There are the typical answers— CIO, CTO, VP Operations, and so on. Some go further and mention the CFO or Chief Counsel, which are highly important and show a deeper understanding of the role.
But the best ones will say “everyone,” and when pressed, mention the heads of sales and marketing.
I will explain later in the book why these are such important business partners to the security leader, and hopefully, your candidate will be able to do the same, and give you concrete examples as to how this partnership has worked for them successfully in the past.
“If we aren’t compliant, we’ll have to shut down our doors”
If you haven’t heard that one or a variation thereof, and you’re a senior executive in any reasonably sized enterprise, then you are either (1) woefully behind the curve or (2) lucky to have one of the best security pros in the business working for you. If it’s the latter, I congratulate you.
If it’s the former, please reach out to me. But most likely, you are in neither category, and you have heard it before. The truth is that even in places where such draconian enforcement measures of security standards and regulatory compliance are common—say, the NSA—there is almost always a lot of wiggle room even after things go bad. Yes, there are exceptions that prove the rule (such as CardSystems International, which eventually shut down after a massive 2005 breach).
But for the most part, companies can and do survive breaches. This is not to discount the heavy cost of breaches, in both remediation costs as well as ongoing costs for years, and in particular, a burden placed on technology use that can easily have a direct impact on the company’s ability to grow.
But using this kind of language isn’t helping anyone. Did it ever really convince you, deep down? Or if you said it, did you ever truly believe it? Or were you using it in frustration to get your way?
All of these—and other—surprisingly pervasive misconceptions about security inevitably drive toward one common result, which is a series of failed hires into security leadership roles that make nobody happy.