Are Security Leaders that Incompetent or is Security simply still not a Priority within Organizations?
Posted by: Leroy
I’ve recently heard/read commentary on the panel discussion presented by Chris Nickerson, Marcus Ranum, and Alex Hutton at INFOSEC World 2012. First, let me start off by saying I respect each of these individuals as a thought leader in the industry and respect the contributions each has made to the Information Security field. Let me also say that I have not had a chance to actually attend INFOSEC World or to watch the presentation. This is important, as my comments are based on second- and third-hand explanations of the talk, and I apologize if I take anything out of its original context.
From my understanding, the main point of the discussion was that security leaders aren’t prioritizing security initiatives appropriately and, in many cases, simply aren’t intelligent enough to protect their organizations. In my experience, I actually agree with both of these points, assuming they were actually made in the discussion. However, I think what may have been missed is that typically CSOs/CISOs aren’t the ones actually prioritizing security initiatives within their organizations; they are simply taking marching orders from those who are. Let me use the movie Moneyball as an example. Brad Pitt, the GM of the Baltimore Orioles, is tasked with putting together a team that is competitive on the field. As such, he approaches the owner to ask for money to be able to sign big-name All Stars. The owner denies this request, as the Orioles are a small-market team and don’t have the same size wallet as a team such as the NY Yankees. The obvious problem with this is that it is hard to compete against a big-market team, such as NY, without allocating budget and spending money in order to do so. As can be seen, the owner of the team was perfectly content not to improve his team enough to actually be able to compete with the big boys.
Let me use another example. Let’s say my personal mission is to date the best-looking girl in the world. I hire my best friend as my dating consultant and say, “here is 200,000 dollars and the first thing I need is an Audi R8”. My buddy perfectly understands what my mission is. Does the fact that he knows what my mission is help him make better decisions and prioritize objectives when I have already told him what my first priority is? No. He is taking marching orders from me without having any real say as to what he actually believes is the best thing to do with the $200,000 I allocated to him. He could of course come back to me and say, “Andrew, I think we should take the money and use it for plastic surgery as, being the expert in the field, I truly believe this better aligns with your mission.” That’s the only real option he has, but at the end of the day he is at the mercy of what I tell him to do if he wants to stay employed as my dating consultant.
How is this any different from what happens in the Information Security field? Typically, when it comes to Information Security, objectives are already determined by upper management. Many times security leaders know what the right things to do are and what priorities the company SHOULD be focusing on, but because of lack of budget, lack of resources, other business objectives, politics, etc., their hands are tied to what their bosses tell them is important. Many times, and as I believe was discussed in the talk, these priorities are based on the regulatory mandates the organization is subject to. Obviously, most security professionals know that prioritizing security initiatives based on regulatory mandates does very little to actually protect your company. However, if you are a CISO and the CEO (you would be lucky if you reported directly to the CEO, as typically this is not the case) comes to you and says we need to be PCI compliant or we are going to lose our ability to accept credit cards, that becomes your main objective and what you will be focusing on. Nothing else matters at this point, as you were directly told what your priority was by your superior and, oh by the way, you have a family at home that relies on you having a good job.
Look, all I am trying to say is that the individuals who gave this presentation aren’t your average run-of-the-mill security professionals. One of them is the founder of his own company. Obviously he has no problem getting budget or prioritizing security initiatives, as he reports to no one. It’s like the GM of the NY Yankees telling the GM of the Cleveland Indians that he has no idea how to run a baseball team. They aren’t operating on the same playing field. With that said, I do believe there is a fundamental problem with those who are tasked with running a security organization. Many of them think that because they have the CISSP certification, that somehow gives them the “know-how” to truly protect an organization and prioritize security initiatives based on business objectives and company mission statements. Again, I didn’t get the privilege of watching the presentation and apologize if I took something out of context. However, I have seen a lot of good security professionals fail not because they didn’t know how to protect the company, but because security wasn’t important to the company they were tasked to protect. These same security professionals thrived at other organizations that did take security seriously.