I just read an HBR article from 2013 that REALLY made me wince. It wasn’t that the author’s points about how challenging the infosec space is are invalid; some of them are. These are indeed “interesting times”. My problem with the article boils down to three things:
- Hyperbole: Don’t get me wrong, the data the author presents appear to be accurate. How he presents it, however, feels overstated and doomsday-ish. I had to think about it for a few minutes to pin down why it struck me that way, but it’s a matter of how he presented the “happens all the time” events in the same breath as “the end of the world as we know it” events. Yes, breaches occur frequently. And yes, severe breaches occur. But severe breaches don’t occur frequently, unless your definition of “frequently” is different from mine. It’s an important distinction that too many in our profession fail to make, which leads me to...
- Perspective: I’m a firm believer that, if a CEO or organization executive is clueless about infosec, a significant contributing factor is likely to be the quality of infosec leadership. If we want executive management to understand and care about what we do, we have to become MUCH better at communicating it to them. Here’s a clue in that regard -- hyperbole doesn’t help. In fact, hyperbole makes it worse, because most CEOs recognize it and discount what may otherwise be an important message.
- Silliness: How long will an organization survive without a CFO overseeing financial matters? In the absence of a functional budget and financial process, a Chairman of the Joint Chiefs of Staff is going to be useless. You’ll have to read the article to understand what I’m referring to, but it felt contrived and indefensible as a premise.
Given the above, if I were on the Board of a company and my CSO was prone to hyperbole, didn’t seem to demonstrate much perspective, and had an unrealistic understanding of their role relative to that of the other executives in the organization, I’d probably look to replace them.
Again – the author was correct that the infosec space was challenging then, and arguably more so now. In order for executive management to govern the cyber risk landscape appropriately – balanced against all of the other business imperatives they have to juggle – they have to understand it in accurate and meaningful terms. Business terms. This is why a model like FAIR, which enables risk analysis in economic terms, is so useful.