Jimmy the InfoSec Bartender: Is the MBA mightier than the Burp?

Recently on LinkedIn and Twitter, Rafal Los (@Wh1t3Rabbit) of HP was
hashing out the qualifications of a CISO/CSO. Should they be business
or technically backed?

To consider this properly a little historical context is in order.
Consider where business was ten and twenty years ago? I affectionately
call it the Jack Welch era. Where is business today? More agile,
adapting to niche markets, passionate individualism, engaged directly
with the customers, distributed worldwide by default, etc. How
different is that from the GE model of the 1990s? According to Fortune
and others, it's as night and day as you get. However, when you talk
to business insiders - and I've been fortunate (unfortunate?) to have
spent a lot of hours with some big Fortune 100 C-levels - they say
it's evolutionary and they re-tool and adapt regularly. So no panic
there.

Now, consider IT over that same period... and you'll notice agile,
niche, passionate individualism, engaged directly w/ end-users,
distributed by default, etc. That sounds familiar, does it not?
However, we can't retool completely because systems have to keep
business running 24/7/365 and our customers don't see the
architectural rot that we do. So we have layers of hugely disparate
systems that linger for decades. A bit of panic.

What also has happened is that ~casual~ life expectations have aligned
themselves across ALL industries in such a way that we're all our own
C-levels. Things like personal finance and taxes have moved upward and
things like "manufacturing" (aka DIY) have moved down-ladder. Likewise
families and communities have become distributed geographically
through the Internet while simultaneously insular on the neighborhood
level. So, tying this all together, we now have a generation of Open
Source and Open Community Citizen Engineers led by early frontrunners
Linus Torvalds and Larry Wall that looks remarkably like the business
play-books of the Fortune 100. The Soccer Mom management edict of
communities put on steroids dealing with bigger egos, language
barriers, and the eyes of everyone. Our OS/OC Citizen Engineers have
created their own Six Sigmas and are rocking industry after industry
through trial-by-fire growth.

This is not to say that business professionals and C-levels don't have
massive amounts of expertise and perspective that everybody else does
not. They most certainly do. However, we can now relate to business
people in a way we could not a decade or two ago. Likewise in other
industries (e.g. Medical, Legal, ..) we have the same commoditization
to the Citizen of the basic underpinnings. As I'm sure we're all
aware, this trend has potentially catastrophic downsides too but
that's for another debate.

OK, ~NOW~ consider Security over the same timeframes and there is one
notable difference. There. Is. No. Baseline. As an industry we're
still selling snake oil and have huge differences of opinion with
about the same market result (e.g. hacked, stock doesn't budge). The
rules of engagement that have made it down to the end-user are so
ridiculously primitive that if we were Doctors our version of WebMD
would say "have an Apple and an Aspirin" for ~every~ ailment.

Back to the first paragraph.. it's because of that, because of the
organic nature and relative immaturity of our field, that I feel
strongly that you can't teach a CSO/CISO the ~S~ on the job. They have
to have already lived and breathed that for the past decade to have even a
fighting chance of being the C-level over the Anarchist mass of
Security Professionals. When the baseline customer is used to posting
the most intimate details of their lives and passwords, and installing AV
and patching is all they know otherwise.. well.. you're screwed at
that starting gate. If "Turing Complete" triggers a visit to Expedia,
you might as well pack up your data and leave it in the mall parking
lot.

I guess a rude way of saying it would be that you can't teach insanely
dangerous intellectual curiosity. We haz it. Sorry for the random
rant, just thinking out-loud, Cheers, -Ali