Smoke Jumpers in Enterprise Security

Ken Baylor, Chief Security Officer at Pivotal Software, had an interesting post on LinkedIn recently titled “Solving the InfoSec staffing problem” in which he made reference to how some CISOs inspire loyalty amongst their staff who will follow them from one company to the next.

These people acquire new skills constantly and never mind the challenge but follow the person. His piece further discussed how some CISOs aren’t so lucky as to have people willing to jump into “challenging situations” with them, so they have trouble hiring. This article was insightful and brought to mind something I’ve witnessed a few times over the years that I think bears discussing.

While Ken may be right, few security professionals are willing to jump into a troubled organization in this age of “negative unemployment” (whatever that means). I think there are a fair number of us who like the challenge of the fix. This is where I think the term “smoke jumper” applies. The reference, in case you don’t know it, is to people who fearlessly jump out of airplanes to fight raging forest fires and save human and animal lives. They literally jump into the smoke to perform amazing acts of heroism – and while I recognize what we do in security isn’t quite as dramatic or heroic, it’s similar.

After all, security people who jump into these troubled security organizations to help right the ship put their careers on the line and personal aspirations on hold, and their families take a temporary back seat. That job isn’t for everyone, because it takes guts and determination. However, it’s one that plenty of my friends and colleagues over the years have done… thanklessly. It’s an extremely interesting challenge and certainly not for every personality type.

It’s interesting to think about the job these InfoSec smoke jumpers do. The conditions are probably fairly similar in many of the scenarios. You have to rebuild foundations and relationships, and, yes, focus on the dreaded basics. Few organizations do the basics well, and it just gets more complicated when a program is struggling. Maybe it’s post-breach, or maybe it’s just an organization that’s seen a mass exodus because of one of a million reasons and now needs to rebuild. But the mission is clear: triage and fix the problem quickly.

First, smoke jumpers put out the fires endangering revenue and company directives. Then, they try to figure out the best things to pull strategically out of harm’s way. Knowing what is important, what is at risk and where the highest technical dangers are, are skills acquired from doing that job repeatedly. They’re mentored and taught to the point of being an art form. Often, this job is accompanied by levels of stress that would crush many an employee, but these folks seem to feed off it and thrive under the pressure.

They generally don’t journey alone and are known to follow a strong security leader who has a track record of being a good fixer. Political savviness, a strong gut and excellent communications skills to match are essential. Their job is not to maintain; their job is to stop things from burning out of control. Once the fire is contained, they move on to the next fire. Their skills are very specific, geared towards high-stress, high-velocity situations where change needs to come quickly and with purpose.

It hasn’t been too long since hopping jobs was seen as a negative thing on a resume, and to some extent that is still the case. It shows a lack of commitment and maybe even immaturity. Except when you’re one of these commandos who are willing to brave an InfoSec mess and get it to an operational state where the program can be handed off to someone to maintain.

There is a significant and immediate need in our industry for these smoke jumpers. There are small fires that were neglected for years that are now raging out of control. While we do have a talent shortage, skills gaps and “negative unemployment,” we need more of these people to help triage and fix as many listing programs as possible, as quickly as possible. The alternative is … devastating.

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.