Well, it looks like I missed a good time up at the InfoSec show in Orlando. My friend Jeani Park from Spectorsoft was going and I was thinking about joining her, but had too much to do back at my office. The highlight seems to have been a panel on which my friends Alex Hutton and Chris Nickerson were joined by Marcus Ranum. All three of those guys could be named Buck, because you know when it comes to speaking their mind, they don’t give a F^#k. That is a good thing for a security conference panel in my opinion.
From what I have read by Rob Westervelt the message was “Industry is doomed by automation, misguided IT security strategy, experts warn”. Rob says the panel members chided the security leaders in the audience to stop managing to compliance and do their job.
That silly rabbit, Raf Los, says that from what he heard and what he believes, the problem is that many of these so-called security leaders don’t really know what their job is to begin with.
Both authors retold in their articles (I felt like I was reading different gospels of the same story) the story of the man whom Chris Nickerson asked what the corporate mission statement was of the company he worked for. The man couldn’t say. To Raf especially, this was a smoking gun for much of what is wrong with the security industry and why we are in trouble. Westervelt’s article ended on a positive note with some examples, cited by the panelists, of things and places done right in security.
So before we all run for the exits because someone yelled fire, let’s take a moment here. First of all, the guy who didn’t know his company’s mission statement might have had a case of stage fright and brain freeze. Or maybe he really doesn’t know it. But let’s not go off and say that represents the majority or even a sizable minority of the security industry. I would venture that most security folks know the mission statement of the company they work for.
Secondly, let’s not blame people for not being strategic when they are tactically trained and experienced. Our industry is still relatively young. CSOs and CISOs have lots of different job functions at lots of different companies. For many gigs the CSO or security leader is more of an NCO (non-commissioned officer) who actually works for a living, rather than a genuine officer. Many CSOs achieve their positions by mastering a series of tactical engagements that have never tasked them with thinking strategically. They operate going from one fire to the next and just don’t know any better. If anything, maybe our industry needs to do a better job of teaching people to think strategically, not just tactically.
Does this make them incompetent and the wrong person for the job? No, not necessarily. Maybe that is just what the doctor ordered at that organization. They just want someone to come in and be very tactical about achieving specific goals. In the words of Rhett Butler, frankly they don’t give a damn about the higher strategic picture of why being vigilant about security is more important than being compliant. They are paying someone to fix what that damn auditor said needed to be fixed. They don’t want to pay someone to pontificate and blog and prioritize. Many mid-size and smaller enterprises operate like that. There is a CEO-owner who calls the shots, and that is the way it is.
I remember a few years back going into an airline headquartered down here in South Florida. The company was preparing to go public. As such, the underwriters told them they had to be SOX compliant, and the auditors had prepared a list of outstanding items. I was shocked to find out the “CIO” (and I use that term loosely) was the CEO’s nephew and didn’t know jack about IT, let alone security. The “security leader” was just a security admin who ran the firewall, the IDS, the endpoint AV and probably cleaned the toilets when everyone went home. Do you really think the CIO and his uncle the CEO gave a flying crap about what the security leader thought?
Yeah, it’s easy to say you shouldn’t work in that environment. But it was a job, it paid well, it was a fast-growing company, and maybe one day they would see the light and let the security dude do what needed to be done. But saying that guy is a dunce, not qualified, or that our industry is in trouble isn’t right either.
Maybe it will take a breach at that organization for them to bring in a real strategic security thinker. In fact, more often than not, that is what it takes. Nothing makes you jones for the cure like being sick already.
At the end of the day, organizations get the security they want and the security they are willing to live with. It is a decision that is made, and they live with it. It doesn’t mean our industry is made up of a bunch of dolts who don’t see the big picture. It is made up of a lot of hard-working people who make the best they can out of a situation where many in the organization still think of them as the people who say no and don’t appreciate the real risks. But everyone needs a job, and as Donald Rumsfeld said, “we go to war with the army we have, not the army we want”.
So until you walk a mile in those shoes, don’t be throwing stones.