Welcome to the First Steps in an Overdue Journey

TL;DR (Too Long; Didn’t Read): Welcome to the musings of a student of security, business, and human behavior. Let’s all be great at security together.

Welcome to what I consider to be the synthesis of my experience working to secure companies across varying industries, of differing sizes, and of all ages. I have had the good fortune of working for some of the oldest companies in the United States, for massive international conglomerates, and for startups. Regardless of the company, my focus was always on security and on helping it become a business driver.

While I have worked in a large variety of companies, environments, and corporate cultures, I think there are significant commonalities in how companies view security and how they choose to approach it. Security is often a mythical creature within the organization that is there to keep you secure and “stop the hackers”, but it is rarely elevated to a position of being part of the business. Instead, security is relegated to the role of a technology function destined to absorb the blows of higher-level decision making.

Thematically speaking, my experience has also been that the lines of communication are not as open as we think, or that there is underlying baggage that security professionals are not aware of. Let’s use the example of the CTO/CIO and their view of security. The CTO/CIO’s job is to deliver, deliver, deliver. This is a high-stress job that is being measured every minute of every day and night. There are certainly elements that have a longer time horizon or are more strategic, but from a stress perspective the pressure is constant. Take that viewpoint and apply it to security, where almost all components have a longer time horizon, save for operations and incident response. What the CTO/CIO sees is a department with an easy job, where people are taking it easy – let’s call it “Hollywood”. This boils down to different operating rhythms and a lack of understanding in both directions. I don’t think we, as security professionals, have done a good job of breaking this image and enabling bi-directional empathy for the complexities that technology and security face.

Many of the generalizations above led me to take a journey away from security and back to technology. After spending the better part of 14 years as a security professional, a large portion of that building security programs, it was time to explore being a CIO at a fast-moving company. The experience of running a marathon in a CIO’s shoes has been invaluable to my understanding of how we can all build better security programs together, and I look forward to exploring it with you.

The first parts of my writing will focus on how leadership teams should think about security. Once we establish that baseline, I will shift to what it means to be best in the world at different domains of security. In the end, I am a student of security and risk management with the desire to spark conversation. We can all share our knowledge and scar tissue and Raise The Tide of security. I hope you’ll come on this journey with me.