It was fascinating to read your thoughts about our recent conversation in CSO (see The Many Challenges of Finding Work as a CISO/CSO). And when I say "fascinating," I mean in the sense of watching Nascar: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans.
I do like you, I think you're a nice guy, and so I wanted to give you some feedback about the interview process and what you're going to need to change to be successful.
I don't think you're going to enjoy reading this. But maybe some of those hours that you're spending maintaining that "vast database" of yours could be better spent understanding why we hired someone who understands they're an engineer.
But before I get into that: There is no small talk in interviews. Do you get drunk at interview dinners, too? You blew it in the first two phone screens; I'm going to tell you how, and I'm going to use your words and explain what I thought when I read them.
Quote: "Is it the misconception that companies don't really know or understand the enormous value that the CISO/CSO can bring to the table?"
It's not our job to understand that; it's your job to demonstrate it. To demonstrate it, to make it real every single day. CSOs keep talking about value, but let me clue you in on something: The economy is in a recession. What brings value is sales and cost reductions. Sales come from marketing and new products. Those boost the top line. Cost reductions--things like firing a CSO--help the bottom line.
Oh, sure, we might have a few more hackers get through, but everyone has hackers. All my friends with CSOs reporting to them are infested with viruses, spam and hackers, and they lose laptops, too. So show me this "enormous value" in the first five lines of your resume. For example: "I saved my last employer 30 percent in fraud executed against our website, delivering the project under budget and on schedule."
Stop hyperventilating. You want executive rewards? Deliver executive value.
Next quote: "This characteristic pattern [placing a CSO job on hold] is directly responsible for the myriad security breaches happening at many organizations."
Really? Directly responsible? Let me tell you how we use the words "directly responsible" in business. We mean causative or we mean it happened on your watch.
Are you telling me that SQL injection happens because attackers notice a job posting? That the day we made that choice, we got attacked again? From where I sit, breaches happen because our users make mistakes, because our developers put a copy of the friggin' customer database on a laptop or because our auditors don't tell us a damned thing about what's wrong.
They happen because security wonks tell us that we need to do all this PCI stuff, but once we've done it we're still not secure. And again, I take a look at all these breaches, and they don't seem to hit just the companies without a CSO. So Joseph, our CEO, thinks that we can give you a salary or not, and we're gonna get shafted either way. Let me talk about what that shafting really means, because the next few things you said indicate some...confusion.
Next quote: "Don't they know that one serious breach can jeopardize the existence of their business...?"
No, we don't. We know that Lehman Brothers didn't dissolve because of any of their breaches. We know that GM didn't go bankrupt because of information security issues. We know that most of the thousands of businesses who have gone under in this recession didn't blame it on security.
Wait, wait, don't tell me. You're gonna say that it really was security incidents, we just don't know about them. Two things: First, that's pathetic. You sound like a conspiracy nut. Second, if it was security problems, don't you think the CEO would have hung the CSO out to dry? Do you think they're going to materially misrepresent facts that are relevant to the decline of the business and risk jail under Sox? Heartland is still here. TJX had their best quarters ever after they got hacked.
Let me say this clearly: There are very real threats to the existence of our business. They forced us to let valuable employees and friends go. We hated doing that. But when we see real threats, we respond and we deal with them. We are laser-focused on increasing sales while cutting costs. You seem to be focused on other things, like security. You're not laser-focused on what matters to us, and that's OK. We can shake hands and go our separate ways. But throwing around ghost stories flips the bozo bit. And just like you and your unemployed CSO buddies talk, so do my employed CIO buddies and I.
By the way, laser focus on your speciality is great in middle management. It's what we want. One of the really hard things about jumping from management to executive is a focus on the whole of the business. It's a rare person who manages it quickly or easily.
Next quote: "...some of which [tough new security laws] carry severe penalties...including requirements of complete public disclosure to all the victims..."
Really? Severe penalties? That's severe? This may come as a surprise to you, but every quarter, the CEO signs a disclosure form talking about how the business is doing. It discloses all sorts of things to the public. And the penalty for getting it wrong isn't more disclosure--that's table stakes. The penalty for getting it wrong is fines and jail time. If you ask Joe what a severe penalty is, he says jail time, fines or consent decrees. Not disclosure.
Next quote: "This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival."
First: Huh? We should be doing less in security? How the [dickens] is that gonna stop these hackers? Second, there is no area whatsoever where we didn't have a serious, in-depth conversation about cutting. These random assertions that you kept making during the "small talk" part of the interview were really enlightening about your attitude and approach.
One final quote before I wrap: "[T]op information security specialists have been saying for years that our current infrastructure is at grave risk."
For the sake of argument, I'll accept that the folks saying that really are top experts. And you're right. They've been crying wolf for years. No one's used a cross-site scripting attack to take down the world financial system. No one's blown themselves up in Twitter's headquarters. That failure to throw money at security didn't lead to I-35 collapsing. Millions of Americans lack health care. Your unemployment money is running out. So I'm just going to assume that you, and they, are right. Our information infrastructure is one of the many things we could invest in.
To wrap this up: There are a tremendous number of ways any business can hire new execs. The ones we bring on board have an ability to see the forest and the trees. They can formulate and execute on strategies that impact the bottom line. They come in with proven records of execution and the metrics that show what they've done. We think security is important to our business and customers, and we look forward to finding someone who will approach it in a way that resonates in the boardroom. Until we do, we'll continue to promote engineers with some management talent.
Let me leave you with this: You guys keep talking and talking about the end of the world. It doesn't seem to come. As executives, we're demanding evidence that the money will make a difference. What are you doing to get that evidence?
The anonymous CIO is not currently a CIO but a longtime technology executive and a self-described "troll living under a bridge."