Cybersecurity Goldilocks

Not Too FUD, Not Too Fluffy, but Just Right

The Cybersecurity Leadership world is abuzz with the news of the SEC fraud charges against the Solarwinds CISO. This blog is not an analysis of those charges. These charges, and resulting social media commentary, made me ponder on the struggles many have as a security leader, trying to get the message right.

First…

The security community is hyper aware of every security failing everywhere, and particularly internally. I am unaware of any Chief Information Security Officer (CISO) who walks into a new role and thinks “wow, these people really have their sh*t together!” or “I can’t find any security weirdness anywhere!”. We all know that the sausage making machine is UGLY. Security team members will be the first to point out when something is wrong (“Can you believe what we found?”) and if you’re really, really lucky these failings have been documented, escalated and approved by senior business leadership. Sometimes, these failings are systemic, and receive a shoulder shrug, and a “what can you do?” eye roll. If you’re lucky they get documented, but either way business carries on.

CISOs know what the broader security community will think of security failures. Seasoned, mature leaders will carry on with their security programs regardless of the armchair…