topic Re: Today a CISO, Tomorrow an Admin in Career Discussions

Today a CISO, Tomorrow an Admin

AppDefects — Mon, 09 Oct 2023 09:26:49 GMT

Recent studies show that security breaches are costing CISOs their job - on average 6% are shown the door. Lots of these are high profile incidents:

1. Capital One (100 million records)
2. Equifax (143 million records)
3. Uber (57 million records)
4. Facebook (Cambridge Analytica scandal)
5. Target (40 million)
6. JP Morgan (83 million)

While an incident might leave some CISOs fearing for their jobs, the opposite may be true and that an incident may have benefits to both their career and personal health. Incidents can be a learning experience. Do you think that your Board of Directors would accept that? Let's discuss.

Re: Today a CISO, Tomorrow an Admin

Steve-Wilme — Mon, 24 Feb 2020 08:03:20 GMT

Firstly, it depends if it happens at your organisation or not. There will always be a few unlucky individuals who fall foul of the realisation that an incident could happen here too and rather than make the investments to reduce the likelihood an impact of that, the board just fire the CISO, even in instances where an organisation hasn't experienced a breach.

Re: Today a CISO, Tomorrow an Admin

Flyslinger2 — Mon, 24 Feb 2020 12:43:11 GMT

Personally, I would rate the CISO as a more volatile position then CEO. It should also pay more. Think whats at stake.

I don't ever see a situation where a stock based public company would retain a CISO after a huge breech. There would be too much public scrutiny and outcry.

Re: Today a CISO, Tomorrow an Admin

JKWiniger — Mon, 24 Feb 2020 13:39:14 GMT

@Flyslinger2 The CEO is a much more visible position than the CISO, so the CISO can probably be replace more easily. Replacing the CEO raises question about what will the new direction of the business be.

John-

Re: Today a CISO, Tomorrow an Admin

JKWiniger — Mon, 24 Feb 2020 13:45:16 GMT

It's a complicated situation. Many questions come up, is the CISO allowed to do what is needed by the powers above? And I say powers above because it has not yet become standard for the CISO to report to the board so the CIO or CTO could be a barrier depending on the org structure. But then if the CISO is given what is needed do they know what to do with it and how to properly secure things? Many of these breaches have come from a simple lack of updates and poor policy. If your company get compromised by a password spray attack and you don't have a policy passwords then as a CISO you might need to find another line of work. If the low hanging fruit is not taken care of...

John-

Re: Today a CISO, Tomorrow an Admin

Steve-Wilme — Mon, 24 Feb 2020 15:38:10 GMT

In many companies the CISO is the fall guy. The one paid to be fired when there is a breach. But otherwise not given the resources to make a real difference. And if they do spend big and there's still a breach then they're sure to go. CISOs are too easily seen as over promising and under delivering.

Re: Today a CISO, Tomorrow an Admin

CISOScott — Mon, 24 Feb 2020 17:16:51 GMT

I think it comes down to the situation. If the CISO was negligent and was not able to increase security to prevent the breach (i.e unpatched systems, outdated policies that left systems weaker or unprotected, creating divisions between security and IT, etc.) then they should be let go.

If the CISO implemented policies/procedures/processes that lead to the detection of the breach, then they should retain their position.

I think honeymoon periods also have an effect. A CISO with less than a year in the position may not have been able to change enough things to prevent the breach. Someone who was with the company a long time and should have been able to make it more secure, then they should go.

Sometimes people are let go due to clashing personalities, line of responsibility changes (i.e.going from not under the CIO to back under the CIO), or sometimes just a personality fit. Also, since CISO's are usually paid big salaries it seems to go with the territory. By the virtue of earning a large salary you are expected to be able to effect change and improve security. You are also expected to take the good with the bad.

It is also very easy to be the "fall-guy" or person who gets thrown under the bus when a breech happens. It is easy for the CEO or other high ranking company official just to point the finger at the CISO and publicly state that they have gotten rid of the problem and the search has begun to find someone who "will ensure that this type of thing doesn't happen again." Until the next breach. Luckily for the incoming CISO, lots of money will be thrown at them and they will (usually) have tremendous upper management support, plus after the company hires a 3rd party company to come in and do forensics on the breach, they will have a blueprint of what and how to fix the problems that got the previous CISO fired. Seems like this is the CISO position you should aim for! LOL!

Re: Today a CISO, Tomorrow an Admin

rslade — Mon, 24 Feb 2020 19:16:53 GMT

> AppDefects (Community Champion) posted a new topic in Career on 02-23-2020 02:40

> Recent studies show that security breaches are costing CISOs their job - on
> average 6% are shown the door.

Since CISOs only last an (industry) average of two years, I'd say those figures
demonstrate that security breaches have *nothing* to do with your tenure on the
job ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
[T]here was nothing illegal about [the Psychic Network], provided
that the ads hawking it clearly acknowledge, in the finest of
print, that the entire enterprise is `for entertainment only.'
Such logic is interesting, as it apparently means that I could
label the proprietors of such services as charlatans, bunko
artists and general rat finks without fear of legal action, as
long as I included the disclaimer that my comments were for
entertainment only ... - Steve Mirsky
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Today a CISO, Tomorrow an Admin

CISOScott — Mon, 24 Feb 2020 19:27:59 GMT

@rslade wrote:
> AppDefects (Community Champion) posted a new topic in Career on 02-23-2020 02:40

> Recent studies show that security breaches are costing CISOs their job - on
> average 6% are shown the door.

Since CISOs only last an (industry) average of two years, I'd say those figures
demonstrate that security breaches have *nothing* to do with your tenure on the
job ...

I try so hard not to be average, yet here I am being average. I guess I should start looking for my next gig........

Re: Today a CISO, Tomorrow an Admin

AppDefects — Mon, 24 Feb 2020 23:08:29 GMT

@CISOScott wrote:
@rslade wrote:
> AppDefects (Community Champion) posted a new topic in Career on 02-23-2020 02:40

> Recent studies show that security breaches are costing CISOs their job - on
> average 6% are shown the door.

Since CISOs only last an (industry) average of two years, I'd say those figures
demonstrate that security breaches have *nothing* to do with your tenure on the
job ...

I try so hard not to be average, yet here I am being average. I guess I should start looking for my next gig........

CISOs are an endangered species. How can we help change the public's perception? If we don't then they will be forced to play musical chairs. If data breaches are not to blame then what is? Why should CISOs take the fall if they are only servants to the CIOs?

Re: Today a CISO, Tomorrow an Admin

Steve-Wilme — Tue, 25 Feb 2020 08:10:12 GMT

It's really simple from an organisational politics perspective. Some CIOs will hire a CISO, who may know that they probably won't get the funding or resources to run an effective security function, but let's give them the benefit of the doubt. So a CIO buys themselves an insurance policy by promising resources and funding, so a CISO comes on board and is thwarted at every twist and turn. Commitments to fund programmes are only partly met, co-operation isn't as forthcoming as they's wish. And at some point there will be a breach, because there is always is. Maybe it's someone dropping confidential paperwork in the street, someone attaching the wrong file to an email or an administrators incorrectly permissioning a resource. In response the CISO is let go, because accidents don't happen, it's always someone's fault and blame must be apportioned and blood let.

Re: Today a CISO, Tomorrow an Admin

AppDefects — Thu, 27 Feb 2020 02:15:30 GMT

@Steve-Wilme wrote:
In response the CISO is let go, because accidents don't happen, it's always someone's fault and blame must be apportioned and blood let.

I'm still looking for answers why the CISO has to be the sacrificial lamb when a lot of security is not under their control. Shouldn't we be holding operations people and their managers responsible?

Re: Today a CISO, Tomorrow an Admin

AppDefects — Sun, 01 Mar 2020 01:34:34 GMT

Here's an article that discusses the plight of today's modern day CISO: "Is the CISO a second-class executive?" Are CISOs the victim of a business that “doesn’t get it”? Or is the business a victim of CISOs that “don’t bring it”? The crux of this problem is the perceived value return of security under the leadership of the CISO. Two key points really undermine the CISOs perception:

The CISO’s difficulty in convincing what ‘good looks like’ from a security investment, and security results perspective. Basically, is there a strongly correlated relationship between security investment, and risk/ impact control?
The CISO’s difficultly in getting past reporting from a ‘technical and operational security’ perspective, rather than a robust and easy to understand risk and impact perspective.

Re: Today a CISO, Tomorrow an Admin

JKWiniger — Sun, 01 Mar 2020 02:05:39 GMT

@AppDefects This makes me thing of a few different things. If you take a person who was raised in a toxic family when they grow up all the know is what toxic looks like and the have no idea what health looks like, and I think the same rings true here. If a company has had bad habit and no understanding of the how and why security is needed it will take a lot to have them understand how it should really be and why it is better that way. This also made me think how often IT in general was seen just a black hole of a money pit with no direct return. Some companies developed charge back systems to pass the cost back to the associated departments and this made IT into a profit center instead of a black hole. With more moving to cloud platforms it is even easier to associate charges directly to departments. Security in general to me is a bit like car insurance, those who understand the value get good coverage, and those who don't get only what is required by law, but when misfortune happen one is left reassured and interacted and the other is taking the bus!

The has to be shown that security goes much further than just keep data out of the hands of those who should not have it and how it effects image, reputation, trust, and so much more. It is these intangible items that will defiantly have a major impact on the bottom line, sales, and every other aspect of the business. They just need a little help to understand this. And of course like insurance, if things always go right and you never need it you wonder if you really needed that level of coverage, but it just takes one issue to make you thankful you have it!

John-

Re: Today a CISO, Tomorrow an Admin

Steve-Wilme — Mon, 02 Mar 2020 09:46:57 GMT

If you compare if to medical malpractice, doctors don't get fired because patient are ill, it's about what they do or don't do to treat to illness. It's possible to understand if the CISO presides over a poor response to an incident i.e. fails to respond in a timely manner or is responsible for providing inaccurate media statements. But organisations that keep firing CISOs for the illness i.e. the fact that there are attackers out there, don't seem to be a sustainable way forward.

Re: Today a CISO, Tomorrow an Admin

rslade — Mon, 02 Mar 2020 18:04:53 GMT

> Steve-Wilme (Contributor III) posted a new reply in Career on 03-02-2020 04:46

> If you compare if to medical malpractice, doctors don't get fired because
> patient are ill, it's about what they do or don't do to treat to illness.

A doctor's reputation is made by the number of eminent men who have died under
his care.
(Oscar Wilde? Shaw?)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Experience is merely the name men gave to their mistakes.
- Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB