Caute_cautim
Community Champion

Are C-suite Executives our greatest risk?

Hi All

 

According to a PWC report, the C-Suite Executives are the greatest risk?  What do you think?

 

Do you concur or do you have another perspective? 

 

https://securityboulevard.com/2022/08/pwc-survey-finds-c-level-execs-view-cybersecurity-as-biggest-r...

 

Regards

 

Caute_Cautim

49 Replies
nkeaton
Advocate II

@ervinfrenzel   Thank you for sharing that.  I have not heard quite that perspective before and appreciate it.  My degree is in computer technology.  When I was in college, the only class available was data security.  I have been working in the field most of my life and was when I took that class, so I can't really evaluate what is happening in colleges now first hand, but I cringe at degrees in informatics (just the name, not the curriculum I have seen), although it is a good concept as it is maybe more STEAM than most.  Then, if memory serves me, they started calling it information security, then information assurance (my least favorite nondescript term), and then finally cybersecurity, which I think is a much more fitting and accurate description.  I was very hands on in the early years of my career but am probably better classified as theory now.  As you kind of alluded to, many skillsets are needed for effective defense in depth.  We don't want the mechanics flying the planes.  I respect others with different skillsets than my own; we all need to respect each other and work together for our efforts to be effective.  I watch the shift left movement.  I like the philosophy that security should be baked in, but agile processes do not seem to fit well with legacy systems in the attempts that I have seen at it.  I do call it SecDevOps; I tell them that security is that important.  Unfortunately security is not a profit center, and we know that and have to be a little noisy about it.  I do like that ISACA aligns security under the CEO and not the CIO to get better visibility and maybe less IT bias.  I think that is the only place that I have seen that assertion made.  As I remind our folks, even with everyone's efforts for secure systems and infrastructures, it is usually physical security that undoes that in major incidents.  I definitely enjoyed the different take on this.

vishybear
Newcomer I

To be fair, I'm reading a few books on projects and bureaucracies at the moment, and you could read the original question differently.

Since 99.5% of projects across every field, every country, every vertical fall on cost, deadline or benefits, the entire system is broken. And that's looking at projects over 100+ years.

So, "are the C-suite the greatest threat?" Well, since none of them can actually run a project, then looking at the M&S hack and JLR with that, you could say that leaving a laptop on the train is the least of the issues; offshoring and outsourcing is the issue, reducing spend, reducing people across the entire company (a stressed marketing person is far more likely to click the link than someone who's working in a fully staffed team). Then you can say the biggest threat to the security of a firm is the C-suite pushing through the "save save save" principle, knowing they won't be there for longer than a couple of years and someone else down the road will pick up any issues.
ervinfrenzel
Newcomer III

@nkeaton

 

Unfortunately, I have worked in both industry and held post-secondary roles for most of my adult post-military life, so I have watched it from both inside and outside of the industry at all times.  Most of us are used to the business perspective but fail to recognize that that is what is being said.  For instance, when I speak to a CEO, COO, CFO, etc., typically when I say security their first thought is compliance, which has really nothing to do with what we do, but that is their go-to. I wrote a paper not so long ago you might enjoy; I sent it through the ISSA Journal in October of last year.  So technically SecDevOps is not actually the same as DevSecOps; it depends upon which has the most emphasis within the organization.  We've been working on an entire series that describes the different roles of technical, technical security, and cybersecurity. It's really important within our professions and pretty important within the business realm.  Just as we don't ask the average IT worker to build our web pages, or the average programmer to configure a Cisco ASA firewall, the rest of the world will eventually need to know we are not the same.  Just as the HR "or" statement from the 1990s involving education and experience turned into an "and/or" statement because someone figured it was a better plan during the mid to last part of the 200X decade, this has now evolved into an "and" statement almost exclusively for HR job announcements.

 

I remember my first jobs post-military were "or": certification, experience, or college degree for tech and security jobs.  I had worked in the civilian sector over the weekends/evenings for about 10 years (while on active duty).  I was a bit ahead of the power curve; by 2000, the announcements were "certification, experience, and/or college degree".  Now I see graduates faced with "certification, experience, and college degree".

 

In 2001 I was an information security manager, and I remember having to discuss with HR why they needed to ensure they included the "or".  They were busy attempting to remove it back then.  I had to explain that by removing "or" it excluded many qualified candidates. This continues till today.

 

The problem really is that many C-suiters do not understand the history of how we got here, so they cannot undo the changes that have sidetracked us.  That is the importance of understanding the differences between the securities.

ervinfrenzel
Newcomer III

For your viewing pleasure:

 

[image: ervinfrenzel_0-1760819158617.png]

 

nkeaton
Advocate II

@ervinfrenzel First, thank you for your service. That is a perspective that so few have experienced anymore. When we were younger, the military touched everyone's life in some way. I appreciate you sharing this and would like to read that article. I agree, but I mostly say SecDevOps for their attention and to explain that security is that important even though it is not a profit center. Yes, our trenches in this profession are different ones, and I am fortunate that our upper management has a lot of people who either understand or are willing to understand and listen to those of us with experience. I have always been a self-learner and self-teacher but have a somewhat academic need to know, not only to be the most informed I can be but also to help and encourage others to learn as well.

Thank you for the chart. It made me smile as well. I help our compliance folks at times; they do tend to get a little lost concentrating on just that, and most do not have a strong technical background. They were pushing the ISSMP a short while back and in a meeting had given the historic path to it, telling them that was what was expected of them. I politely interrupted to tell them about the new path. "How do you know that?" "This is part of my job, to know, to keep you informed." "Oh." The list makes me a little sad because I hated to see the HCISPP retired. I thought it was great to have a certification with cybersecurity and healthcare tied together. A lot of people in other verticals that I network with definitely have different considerations with PHI, legacy systems, and human life that we don't have in other business and academic environments. I had thought about earning it as a way to better communicate and encourage others to earn it, but it is no longer an option.

We just need to keep fighting the good fight to keep security in the spotlight. It is like I tell our management, though: we need to develop others to replace us. Hopefully we do that well or, more importantly, they do.
ervinfrenzel
Newcomer III

@vishybear Something to think about is that our "C" suiters are often allowed to run amuck.  For instance, in the EU, the Helse Sor-Ost breach: the CEO was the founder and was held responsible for the data breach.  The organization was just about bankrupted, and the CEO was charged and held personally responsible for it.  During an interview, he asked why the IT staff were not held responsible, but the bottom line is that he was the one in charge.  That was the final verdict of the court, although he repeatedly tried to blame staffers.

 

The CEO will never work in healthcare or as a leader of an org again, and he shouldn't.  Do I believe the IT staff share some responsibility?  YES. Should they have really pushed to enlighten the leadership?  YES. Should leadership have pushed to really find out their status?  YES.  Have leaders pretended for years that they were clueless?  Again, a resounding YES.

 

The CEO, as the founder and a medical practitioner, made less than 10% of what a hospital director makes here, yet he got time and fines, etc.  This goes back to our leadership being allowed to run amuck.  When you have someone who can exist without having checks and balances, then expect them to run like they are unchecked.

ervinfrenzel
Newcomer III

@nkeaton Thank you, ma'am.  It's funny you say that, as it seems we might be missing the boat (from our veterans' and new members' perspective).  I have a good many students who are modern vets, and while traditionally vets fell into security and teaching, many are opting not to go into our career pathways. I have several of the charts, one for each of the primary vendors (ISC2, EC Council, CompTIA, etc.), and they all work out the same way.  Originally, each vendor "recommended" a learning period to master the required skills prior to sitting for the exam.  HR folks just took the learning period as gospel, partially because they didn't understand the certification process, partially because they didn't take the time to ask for an explanation, and partly because we didn't take the time to explain it to them.

 

My HCISPP expires and rolls to emeritus this month; I too wish we hadn't retired it.  We finally looked at identifying healthcare as a key infrastructure, then we immediately retired the cert?  I took (and passed) the CCSP, but I did not appreciate it as much as the HCISPP; the CCSP was somewhat comparable with the old Cloud Essentials (although slightly updated).

 

You are extremely correct that we have to keep it in the spotlight and keep training replacements.  That is part of the reason I go out of my way to identify the component technology securities.  It is significantly harder if we try to recreate the ocean than if we identify how to recreate water. In keeping it simple, we can train many more than we can by trying to complicate the devil out of it.

nkeaton
Advocate II

@ervinfrenzel   I really like that analogy and may find a place to use it.  While I have never discussed this with anyone at ISC2, I am guessing that the number of people certified may make a difference on whether a certification is considered worth updating and retaining by an organization.  They did rebranding and added frameworks to the CAP, now CGRC, which had low numbers.  The former concentrations are now kind of rebranded, as ISC2 no longer calls them concentrations and no longer has the requirement for a CISSP.  My CCSP kind of started my last certification run.  I rescued an exam voucher from one of our people who was going to just let it expire.  I passed that and decided that maybe I would try the CISSP.  I had been happy for years with my CAP and SSCP and a couple of CompTIA certifications.  As far as the certification that I am the most proud of, I guess that would be my ISSEP, since it is historically one that people have difficulty passing and not many have.  I know that my experience is a huge factor.  I am also very proud of my ISSMP, but it was sort of a natural extension of my CISSP and CISM.  Now architecture seems to be a weaker discipline for me, and I am not sure whether I will pursue the ISSAP.  I have zero left to prove to myself but am always eager to learn.  I have taught a few college classes, but I know that I do better one on one with people and am maybe a little too empathetic to consider that a good pathway for me.  Thank you for sharing that.  I like to be very aware of what is going on around us.  I have zero problem reminding our folks of that.  Like I tell them a lot: if something is easier to use, then you are probably giving up some security.

ervinfrenzel
Newcomer III

@nkeaton If I remember correctly, the CAP was an entry level for many of the govt roles in GRC, which did make sense, as many govt folks did not have sufficient time to gain initial CISSP certification.  Just prior to the CAP >> CGRC change, the U.S. mandate was an entry-level "Associate", which ISC2 quickly jumped on.  Only recently has ISACA made a move to the "Associate CISM" and EC Council to the "Associate CCISO".  Originally, EC Council offered the EISM (EC Council Certified Information Security Manager).  After reading through the ISACA materials on the Cybersecurity Fundamentals, I will pass on the ISACA chain.

 

I do believe the ISSMP and ISSAP are pretty natural extensions for the CISSP, not so sure for the ISSEP though; it should be an extension for the CSSLP but doesn't seem to naturally fit there.  I'm actually surprised that ISC2 didn't seek CSA partnership on the CCSP to improve its acceptance rate and overall relevance to the market.  I know it is a bit of a small thing, but the more we can combine and bring together vendors for better overall acceptance, the stronger our career pathways.  Universal acceptance is always a plus in our fields.

Caute_cautim
Community Champion

Good idea. How about it, ISC2?