Smoke Jumpers in Enterprise Security

Ken Baylor, Chief Security Officer at Pivotal Software, had an interesting post on LinkedIn recently titled “Solving the InfoSec staffing problem” in which he made reference to how some CISOs inspire loyalty amongst their staff who will follow them from one company to the next.

These people acquire new skills constantly and never mind the challenge but follow the person. His piece further discussed how some CISOs aren’t as lucky that people are willing to jump into “challenging situations” with them, so they have trouble hiring. This article was both insightful and brought to mind something I’ve witnessed a few times over the years that I think bears discussing.

While Ken may be right, few security professionals are willing to jump into a troubled organization in this age of “negative unemployment” (whatever that means). I think there are a fair number of us who like the challenge of the fix. This is where I think the term “smoke jumper” applies. The reference, in case you don’t know it, is to people who fearlessly jump out of airplanes to fight raging forest fires and save human and animal lives. They literally jump into the smoke to perform amazing acts of heroism – and while I recognize what we do in security isn’t quite as dramatic or heroic, it’s similar.

After all, security people who jump into these troubled security organizations to help right the ship put their careers on the line and personal aspirations on hold, and their families take a temporary back seat. That job isn’t for everyone, because it takes guts and determination. However, it’s one that plenty of my friends and colleagues over the years have done… thanklessly. It’s an extremely interesting challenge and certainly not for every personality type.

It’s interesting to think about the job these InfoSec smoke jumpers do. The conditions are probably fairly similar in many of the scenarios. You have to rebuild foundations and relationships, and, yes, focus on the dreaded basics. Few organizations do the basics well, and it just gets more complicated when a program is struggling. Maybe it’s post-breach, or maybe it’s just an organization that’s seen a mass exodus because of one of a million reasons and now needs to rebuild. But the mission is clear: triage and fix the problem quickly.

First, smoke jumpers put out the fires endangering revenue and company directives. Then, they try to figure out the best things to pull strategically out of harm’s way. Knowing what is important, what is at risk and where the highest technical dangers are, are skills acquired from doing that job repeatedly. They’re mentored and taught to the point of being an art form. Often, this job is accompanied by levels of stress that would crush many an employee, but these folks seem to feed off it and thrive under the pressure.

They generally don’t journey alone and are known to follow a strong security leader who has a track record of being a good fixer. Political savviness, a strong gut and excellent communications skills to match are essential. Their job is not to maintain; their job is to stop things from burning out of control. Once the fire is contained, they move on to the next fire. Their skills are very specific, geared towards high-stress, high-velocity situations where change needs to come quickly and with purpose.

It hasn’t been too long since hopping jobs was seen as a negative thing on a resume, and to some extent that is still the case. It shows a lack of commitment and maybe even immaturity. Except when you’re one of these commandos who are willing to brave an InfoSec mess and get it to an operational state where the program can be handed off to someone to maintain.

There is a significant and immediate need in our industry for these smoke jumpers. There are small fires that were neglected for years that are now raging out of control. While we do have a talent shortage, skills gaps and “negative unemployment,” we need more of these people to help triage and fix as many listing programs as possible, as quickly as possible. The alternative is … devastating.
