By: Jack Jones
I just read an article that REALLY made me wince (http://bit.ly/ZM7olD). It isn’t that the author’s points about how challenging the infosec space is these days aren’t valid. These are indeed “interesting times”. My problem with the article boils down to a few things:
- Hyperbole. Don’t get me wrong, the data the author presents appear to be accurate (except, perhaps, his claim that infosec is the #1 need for businesses today). How he presents it, however, feels overstated and doomsday-ish. I had to think about it for a few minutes to pin down why it struck me that way, but it’s a matter of how he presented the “happens all the time” events in the same breath as “the end of the world as we know it” events. Yes, breaches occur frequently. And yes, grossly severe breaches occur. But grossly severe breaches don’t occur frequently. It’s an important distinction that too many in our profession fail to make, which leads me to...
- Perspective. I’m a firm believer that, if a CEO is clueless about infosec, a reasonable contributing factor is probably the quality of infosec leadership. If we want executive management to understand and care about what we do, we have to become MUCH better at communicating it to them. Here’s a clue in that regard -- hyperbole doesn’t help matters. Hyperbole makes it worse because most CEOs recognize it and discount the message. You have to understand and speak to the issue of probabilities, not just possibilities.
- Silliness. How long will an organization survive without a CFO overseeing financial matters? In the absence of a functional budget and financial process, a Chairman for the Joint Chiefs of Staff is going to be useless.
Given the above, if I were on the Board of a company and my CSO was prone to hyperbole, didn’t seem to demonstrate much perspective, and had an unrealistic understanding of their role versus that of the other executives in the organization, I’d probably look to replace them.