CSO Anonymous

An anonymous CSO relates the trials and tribulations of the profession

Why is it such a struggle to work in security? Show me a security professional who hasn’t felt misunderstood and undervalued. Who hasn’t complained that they are treated like a pariah? What are we missing? Is it our fault or is the world not ready for us yet? Does a major security breach have to happen before the penny drops?

When I look for an answer to these questions, H.L. Mencken springs to mind:

"For every complex problem there is an answer that is clear, simple, and wrong"

I don’t believe there is a single answer or a simple one.

An unorthodox path brought me to the CSO role; suffice it to say that my background is in operations and then consulting, where I learned about security policy. When I commenced as CSO, there was one technical team member left, no real handover, and security was embedded in an inexplicably irrelevant IT stream — apparently the group had been moved and restructured five times in five years as each successive manager tried to offload this problem onto the next one.

IT management, let alone the rest of the company, had little or no idea what mysterious benefit the security group offered. Instead, the group was considered a bottleneck, an obstacle to be avoided where possible.

Nothing like a challenge! Over the following months, I set about recruiting, protecting the remaining resource and responding to the squeakiest wheels. What was clear early on was the diversity of skills necessary to carry out security. We recruited accordingly.

It was also obvious that the group’s scope was too broad. It was necessary to stake out some ground that could reasonably be managed and then delegate/raise risks for the gaps.

Another important observation was that the group was largely ineffective and tied up with fire fighting because we didn’t know what was going on until late in the development lifecycle. With that understanding, I further directed the group’s scope to a business engagement model — to go to where it all begins. Remember I said I didn’t have a security background — well, this actually came in handy. The business accepted me, which provided an opportunity, when the time was right, to bring the appropriate resources in to deal with the nuts and bolts and then gradually formalise the process.

Our IT stakeholders were also on board, excited about what we were doing and wanting to be part of it. Things were going well; the security team was making a positive impact, driving organisational change.

Then it all went pear-shaped.

What happened was that new IT management from the ‘old school’ came on board. They didn’t get that becoming a business partner was the way forward for security, nor were they willing to listen or negotiate. Immediately, I raised the risks, lobbying management across IT and business stakeholders. Interestingly, the business considered this to be an issue of internal IT politics and so was unwilling to get involved, and IT management had never understood the role of security in the first place.

So where is this organisation today? Sort of back where it was when I started: new team members gone, no leadership and lots of squeaky wheels. The difference is that there are a bunch of people in the business and IT scratching their heads, wondering what they are going to do about security now — they had only just come to understand why it was important to them, and it’s gone.

Looking back at what transpired, I was on track, made the right decisions and moved in the right directions, but reporting into IT was perilous. IT management with an IT shop mentality became insecure (pardon the pun) and uncomfortable with the important relationships that I had established directly with business stakeholders. There really was only one place to go.

Security needs to be protected from politics and compromise; it belongs with the governance, risk and compliance streams, and its risk outputs require executive visibility. However, what if the organisation is just not ready for this? I wish I had the magic formula here, but I don’t. The security profession is still developing, still finding a voice, still considered an IT shop, and in part it is. Until the security profession matures, I think we will continue to find ourselves, in many organisations, as collateral damage to politics, misunderstanding and management ambition, but this is no reason to despair.

Perhaps we need those major security breaches to hit home. However, I believe we are changing the perception of security through our collaborative efforts, by applying the abundant cleverness and passion that exists within our ranks to break down the stereotypes and misconceptions and to come up with new and creative approaches. We are still on the journey, so hang in there and be prepared for some challenges along the way.

To offer some inspiration: did any of you catch the news that Bill Clinton recently attended a US security conference and referred to security professionals as “modern cops”? In a sense he’s right. This is our future!
