Security Leaders – Be Mindful What You Wish For

While serving as a security leader, how often have you heard or have yourself said, “If only the executives would pay attention to me?”

For years, security professionals and leaders in enterprises have begged to get noticed, only to be dismissed as Chicken Little warning about a falling sky. Unheeded warnings, poorly understood risks, and a lack of security input have created today’s climate of breach after breach.

Guess what? The executives are definitely paying attention now.

In fact, many of the security leaders I know and recently met aren’t just being noticed by their managers – the CIOs, the CTOs, and other direct managers – but also by their boards. As each additional disclosure hits closer and closer to home, CEOs and boards are bringing the CISO or their equivalent into the board room to have very serious discussions.

Two things are happening as a result.

First, we have a lot – and I mean a lot – of newly minted CISOs. This is fantastic for the industry and for people’s careers. It raises the level of security in enterprises that had previously been lagging and helps drive better security presence and relevance across every industry.

So, this is great! Unless you’re one of those CISOs who was the “security gal” or “senior security engineer” and suddenly finds themselves with executive-level responsibilities. The trouble here is that the conversations, tone, information and context are all dramatically different from what you’ve experienced until now. Your lexicon is no longer adequate to communicate effectively, and the tone of your discussions must change to adapt to boardroom-style discussions. This is a tough transition for many, and being given the CISO title doesn’t mean you are automatically given the ability to drive change.

Someone who has never been in a security leadership role before can easily confuse accountability for the ability to drive change. Being held accountable for the organization’s security is not a bad thing, but it can be career-ending if it doesn’t come with the ability to actually drive and enforce changes in behavior and culture. This is where not-for-profit groups like the Security Advisor Alliance bring tremendous value through mentorship programs and support for these newly appointed CISOs who find themselves in dangerous waters.

New CISOs should strive to understand their position in the organization and figure out whether they’re just the Chief Scapegoat, or whether they are really tasked with improving their organization’s security. If the former, well… it’s time to dust off that ol’ resume. If the latter, then you have a tremendous opportunity. Now comes the really hard part.

Second is what I now call the “so, now what?” problem. Your organization has suddenly found itself in need of a security overhaul, and whatever the catalyst for that need, it suddenly falls on your shoulders. Now what?

If all you’ve been doing is pointing out problems, without developing solutions to those problems, you may be in for a bad time. I once worked for a very wise executive who taught me the value of “if you’ve come to me with a problem, you’d better have a proposed solution.” I try to pass on that motto. All too often security professionals aren’t taken seriously because we are seen only as the problem identifiers. Detecting problems without proposing solutions is a bit like a doctor telling a patient they’re gravely ill and then walking out of the room. Once you’ve identified the illness, let’s work on proposing a cure.

I fully recognize the root of the condition identified here, too. It’s quite simple to find brokenness in the world around us. Nearly everything that runs on electricity has software that powers its function. That software has flaws. Guaranteed. Finding flaws has gone from a hobby to a full-time job for many, and it’s a critical part of the world: you can’t solve a problem if you don’t know about it. However, finding flaws doesn’t actually guarantee that they’ll be fixed. The same holds in the enterprise, where writing up a risk report detailing everything wrong with a particular process or widget is fruitless if it does not come with an equally impressive proposal for a solution.

I see the condition we’re experiencing now as a “be careful what you wish for” situation. So many of us wanted to be taken seriously. Now you’re standing in the spotlight, with executives and board members asking you for your “so what?” How will you protect this company? How will you keep our critical assets, employees and bottom line safe from attackers and those seeking to do us harm?

Your move.

In part 2 of this post, I’ll share some ideas of how security leaders in various markets and industry segments are preparing for the spotlight, and shining in it.
