When the Wrong Person Leads Cybersecurity

Author’s photo Matthew Rosenquist Cybersecurity Strategist - Intel Corp, LinkedIn Top10 Tech Voices 2018, 170K+ followers, Keynote Speaker, Board Advisor Succeeding at managing cybersecurity risks is tremendously difficult even for seasoned professionals. To make situations worse, poorly suited people are often chosen to lead security organizations, bringing about disastrous results. This has contributed to weaker risk postures for organizations and the rapid turnover in cybersecurity leadership. I am unhappy to report that the industry has a pervasive problem that few want to discuss: a propensity to enlist inexperienced or unsuitable professionals to lead cybersecurity. It is time to change that caustic and enabling behavior by first recognizing the problem. As an example, recently in the news, there was criticisms for someone appointed with the responsibility to lead the cybersecurity effort for the 2020 Olympics, but had “never used a computer”. How does someone who has never used a computer and has difficulty answering basic questions about USB drives, be tasked with building a cybersecurity program to protect the digital security, privacy, and safety for hundreds of thousands of people? Downward Spirals Sadly, I have seen similar situations play-out over and over again across academia, business, and government sectors. Far too often, poorly suited people are appointed such roles and it simply does not make sense. Let’s be clear, most are truly knowledgeable and accomplished in their primary field, but a transition to security is a significantly different domain. Engineering and product management executives focus mostly on static problems where there is a solution and desired end-state. Whereas in cybersecurity, we face a highly dynamic set of threat agents, people who are creative, intelligent, motivated, and dynamic, who will adapt to any solution. There is no permanent fix for cybersecurity as it is an ongoing competition to managing risks between defenders and attackers. Human nature, overconfidence, and a lack of understanding the challenges begins to shape a counterproductive mindset. It is common for a professional from a different discipline, transplanted and put in charge of cybersecurity, to believe their prior expertise is equally applicable to the new challenges. Somehow, magically, they think they are as proficient and insightful at an adjacent domain as their previous profession. To those experienced in adversarial challenges who have seen this unfold, it is an affront to common sense. It is no surprise that such dangerous situations most often result in momentous failure. For years, the turnover rate in cybersecurity leadership positions across the industry has been very high, with most Chief Information Security Officers (CISO) only lasting 2 to 4 years. When surveyed, CISO’s cite a lack of executive management support or insufficient budgets were the pervasive motivators. But that is only one side of the story as many CISO’s have been let go. I have always been curious what C-suites and board had to say. When I ask company leaders about a change in cybersecurity leadership, I often hear that an outgoing CISO was ineffective, could not communicate risks well, and demanded significant budget increases every year yet the organization did not show a commensurate benefit. Events culminated when a severe incident occurred and then the C-suite or board chose to find a new security leader. With the shortage of CISO’s in the industry, those displaced quickly find another company and continue their ‘training’. This musical-chairs routine does not serve the company or overall industry needs very well and simply transplants problems from one organization to another.