These days, I am very, very afraid for the future of CISOs. Over the past few years, and specifically the past 12 months, I have become increasingly alarmed at the level of “groupthink” and “synchronized nodding” going on with security executives. Here are some of the things I am seeing:
1. Lots of talking about the same shit, with absolutely no innovation at all. Good examples include metrics (we need them! they’re IMPORTANT!) and talk about policy and governance that usually means absolutely nothing.
2. A desperate need to find “the metrics” to report to “senior management” – there is no such thing. Your management, in all likelihood, does not want any tactical numbers on antivirus events, IDS alerts, or such blather. They want real risk advice on business goals and functions. Period.
3. Managing by managing what everyone else is managing. You would not BELIEVE how many security products get purchased because other security executives are buying them.
That’s really the current picture of our field: people doing what the others are doing. I like Dave’s idea of treating the security program like a startup, but an interesting thing to consider is how many CISOs would actually have the opportunity to do that. Their bosses, their peers, security committees and external consultants/auditors would all expect something different. It’s not easy to escape that rat wheel!
A CISO job where one has the opportunity to shake things up like Dave suggests is a dream opportunity for any security professional. Unfortunately, a lot of those in positions like that are too busy…groupthinking :)