Have Our Security Rock Stars Failed Us?

IT Security Rock Stars

In almost any endeavor, success usually comes with additional responsibility. For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position.

Taking a security executive (e.g., a CSO, CISO, CRO, or otherwise) as an example, we know that this position brings with it responsibility for many things, among them the entirety of the security organization and a significant amount of the organization’s risk portfolio. The title does not come for free, and of course, none of us would expect that it would.

Those of us that have been in, are currently in, or have close professional colleagues that are in security leadership positions are familiar with the tremendous weight of responsibility these positions bring. Yet, even given the weight of their responsibilities, most of these security leaders focus most of their energy on improving their respective security programs rather than seeking the limelight. In other words, they are too busy working to worry about press and lauds.

In parallel, there exists a phenomenon in the security profession that, as it turns out, is not particularly unique to our profession. Like many professions, security tends to elevate certain people to celebrity or rock star status. I’m not quite sure why we have this tendency, or how certain people attain this status and others do not, but it is nonetheless something with which we have to contend. Some of our rock stars make the most of their status, pushing us and challenging us to think differently about solving problems, providing us with guidance and wisdom based on their knowledge and experiences, and/or using their influence for the greater good. We usually examine their words closely and pay careful attention to them, as we should.

But what happens when some of our rock stars don’t live up to these noble goals or lose sight of them entirely? What happens when they may not have written anything new in 5, 10, 15, or perhaps even 20 years? Or when they harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate? Or perhaps when they, intentionally or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda? Or how about when a sound bite or news clip is sought at the expense of the greater good of the community? Or what about when self-promotion and populism are pursued at the expense of outreach, education, communication, and real change?

As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc. that exists is overwhelming.

I hear thoughts on this topic continuously from a wide range of people, mainly because the current state of affairs makes the lives of operational personnel and security leaders extremely difficult. This troubles me for many reasons, and many of those reasons are the same reasons that I am troubled by those rock stars who choose not to provide the community with what we need from them.

The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals but nonetheless have security as a top priority.

For operational personnel looking to mature their security programs and improve their overall security posture, this situation creates a tremendous challenge. It is difficult enough to accomplish this mission in a “clean” environment. But in an environment where bright shiny objects are continually introduced to distract or remove focus from the truly important issues and tried and true approaches, this mission becomes orders of magnitude more difficult.

Security leaders want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the other challenges of the day. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges. In my view, this does not help advance the state of security. In fact, it impedes it. Security leaders need their rock stars to work with them, rather than against them.

Although I have a modest following and am no rock star, it is my personal belief that even one reader of my materials puts upon me tremendous responsibility. I have always tried to educate, provide insight, and offer practical suggestions that can be implemented operationally. I can only hope that I am living up to expectations, and I will never know for sure. The feedback I receive from members of the security community regarding my columns, speaking engagements, and articles in various publications indicates to me that there are many in the community who would agree with my perspective and appreciate what I am trying to do. It is certainly not an easy task, and I am well aware of that.

If someone finds that he or she has attained rock star status, it should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that made someone a rock star. And as members of that community, we should demand better.

With celebrity status, as with every leadership opportunity, comes tremendous potential to influence and advance the state of security. From my perspective, not taking advantage of that potential, or using it for the wrong purposes, is a missed opportunity that hurts the community as a whole. In essence, it’s not about any of us in the end – it’s about advancing the state of the security profession one day at a time. That necessitates contributing to the discussion, rather than being a populist. After all, a true leader doesn’t seek to create followers. A true leader seeks to create other leaders.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
