Cybersecurity Goldilocks

Not Too FUD, Not Too Fluffy, but Just Right

Helen Patton

--

The Cybersecurity Leadership world is abuzz with the news of the SEC fraud charges against the SolarWinds CISO. This blog is not an analysis of those charges. These charges, and the resulting social media commentary, made me ponder the struggles many have as security leaders trying to get the message right.


First…

The security community is hyper-aware of every security failing everywhere, and particularly internally. I am unaware of any Chief Information Security Officer (CISO) who walks into a new role and thinks “wow, these people really have their sh*t together!” or “I can’t find any security weirdness anywhere!” We all know that the sausage-making machine is UGLY. Security team members will be the first to point out when something is wrong (“Can you believe what we found?”), and if you’re really, really lucky these failings have been documented, escalated and approved by senior business leadership. Sometimes these failings are systemic, and receive a shoulder shrug and a “what can you do?” eye roll. If you’re lucky they get documented, but either way business carries on.

CISOs know what the broader security community will think of security failures. Seasoned, mature leaders will carry on with their security programs regardless of the armchair quarterbacks (who are most often people who have never led a security program). Inexperienced security leaders will hope their organization’s security failings are no worse than anyone else’s, and that when the proverbial you-know-what hits the fan (because it will) the court of public opinion won’t be too bad. In both cases, security leaders know that very few external critics (including regulators) will have any understanding of the internal organizational dynamics security teams must deal with, or how that plays out in security risk decision making.

Second…

Business leadership has a limited tolerance for discussing cybersecurity risks. Truth be told, they are a little bit afraid. This wasn’t something that came up until recently, they certainly didn’t study cyber risk in their MBA program, and, well, it just feels like something outside of their control. Instead, they want a workforce that is positive, eager to deliver strategic…

--

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange