A New York Times story sheds fascinating light on the career paths of CISOs who bear the weight of the world upon their shoulders.
No question, it’s a tough job. And one that invariably seems destined for failure and short tenure. So tough, in fact, that even on Day One, a new CISO is already engaging in gallows humor. The article relates the one about the new security officer who meets his predecessor. The predecessor hands him three numbered envelopes and tells him to open them in an emergency. After a breach, the new security officer opens the first envelope. The message reads, “Blame your predecessor.” After a second breach, he opens the second, which suggests, “Blame your staff.” After a third breach, the security officer opens the third envelope. The message reads, “Prepare three envelopes.”
The biggest insight the article delivers, though, is one which isn’t included in the story itself. “Of all the headaches that chief information security officers face,” it reads, “one of the biggest is figuring out which security products to trust.”
Read that again. So, one of the biggest headaches in the life of a CISO involves a search for something to trust whose source is extrinsic to the organization. Okay, I can certainly see why that would constitute a headache. But amazingly, this state of affairs goes from bad to worse when, a few sentences later, we get, “[CISOs] say there is no silver bullet when it comes to breach defense. It is a matter of layering the most effective technologies, hiring the best people, then hoping for good luck.”
Good luck?! Really? Even Lucille Ball once quipped, “Luck? I don’t know anything about luck. I’ve never banked on it, and I’m afraid of people who do.”
If there is one thing CISOs can bank on, it’s that luck—if left to its own devices—will be against them. The smartest, most effective executives know that they make their own luck. As Ralph Waldo Emerson said, “Shallow men believe in luck. Strong men believe in cause and effect.”
So how does one go about improving luck? Start with cause and effect. Since the article cited research by Dr. Larry Ponemon, we’ll cite him here, as well. His annual Cost of Data Breach study, for example, consistently lays the lion’s share of breach blame at the feet of employees, contractors, or partners who, through carelessness or neglect, precipitate or otherwise enable a costly breach. There’s your cause. If you don’t educate your people about proper information security practices, then you are, by default, relying on porous technology and… luck.
I actually had the pleasure of listening to Dr. Ponemon as he delivered his keynote address at an information security conference just one week prior to the Target event. Whether ironically or presciently, the talk was based on his research about the differences between companies that have a CISO and those that do not. Target, at the time of its breach, as you might recall, did not.
We met afterward for a one-on-one chat, in which I asked him, given the CISO state of affairs, what he considered to be the foundation to a robust information security strategy. “For most organizations,” he answered, “Step One tends to be technology rather than people, which is a mistake. Organizations should first get their people squared away, and then start making investments in technology. But we’re constantly fighting the mantra of ‘better security through better technology.’ They believe that if we have the best tools, we can nip this in the bud. It doesn’t work that way… It seems like everything we’ve done—I mean everything—from a security environment point of view, a metrics point of view, to the overall effectiveness of the CISO, comes down to the ability, or unfortunately the inability, to train people so that they understand the rules of the road and the reasons why security awareness is so important… The focus should be on developing a security-aware workforce.
Not only will you have fewer people making mistakes, but they can also be your eyes and ears on the ground, because they are now cognizant of their environment from a security perspective. We find that those companies that get control over their negligent employees—not the bad guys, but the good guys educated in ways that make them more effective—benefit tremendously.”
And there’s the effect.
The day you decide to take on a strategy that bakes security awareness into the culture of the organization will not only be your lucky day, but also a big step in the direction of making sure those three envelopes stay unopened.