Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Smoke Jumpers in Enterprise Security

Smoke Jumpers

Smoke Jumpers

Ken Baylor, Chief Security Officer at Pivotal Software, had an interesting post on LinkedIn recently titled “Solving the InfoSec staffing problem” in which he made reference to how some CISOs inspire loyalty amongst their staff who will follow them from one company to the next.

These people acquire new skills constantly and never mind the challenge but follow the person. His piece further discussed how some CISOs aren’t as lucky that people are willing to jump into “challenging situations” with them, so they have trouble hiring. This article was both insightful and brought to mind something I’ve witnessed a few times over the years that I think bears discussing.

While Ken may be right, few security professionals are willing to jump into a troubled organization in this age of “negative unemployment” (whatever that means). I think there are a fair bit of us that like the challenge of the fix. This is where I think the term “smoke jumper” applies. The reference, in case you don’t know it, is to people who fearlessly jump out of airplanes to fight raging forest fires and save human and animal lives. They literally jump into the smoke to perform amazing acts of heroism – and while I recognize what we do in security isn’t quite as dramatic or heroic, it’s similar.

After all, security people who jump into these troubled security organizations to help right the ship put their careers on the line and personal aspirations on hold, and their families take a temporary back seat. That job isn’t for everyone. because it takes guts and determination. However, it’s one that plenty of my friends and colleagues over the years have done… thanklessly. It’s an extremely interesting challenge and certainly not for every personality type.

It’s interesting to think about the job these InfoSec smoke jumpers do. The conditions are probably fairly similar in many of the scenarios. You have to rebuild foundations and relationships, and yes focus on the dreaded basics. Few organizations do the basics well, and it just gets more complicated when a program is struggling. Maybe its post breach, or maybe it’s just an organization that’s seen a mass exodus because of one of a million reasons and now needs to rebuild. But the mission is clear: triage and fix the problem quickly.

First, smoke jumpers put out the fires endangering revenue and company directives. Then, they try to figure out the best things to pull strategically out of harm’s way. Knowing what is important, what is at risk and where the highest technical dangers are, are skills acquired from doing that job repeatedly. They’re mentored and taught to the point of being an art form. Often, this job is accompanied by levels of stress that would crush many an employee, but these folks seem to feed off it and thrive under the pressure.

They generally don’t journey alone and are known to follow a strong security leader who has a track record of being a good fixer. Political savviness, a strong gut and excellent communications skills to match are essential. Their job is not to maintain; their job is to stop things from burning out of control. Once the fire is contained, they move on to the next fire. Their skills are very specific, geared towards high-stress, high-velocity situations where change needs to come quickly and with purpose.

It hasn’t been too long since hopping jobs was seen as a negative thing on a resume, and to some extent that is still the case. It shows a lack of commitment and maybe even immaturity. Except when you’re one of these commandos who are willing to brave an InfoSec mess and get it to an operational state where the program can be handed off to someone to maintain.

Advertisement. Scroll to continue reading.

There is a significant and immediate need in our industry for these smoke jumpers . There are small fires that were neglected for years that are now raging out of control. While we do have a talent shortage, skills gaps and “negative unemployment,” we need more of these people to help triage and fix as many listing programs as possible, as quickly as possible. The alternative is … devastating.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.