Hathaway joins a distinguished group of highly respected and accomplished people who have quit the position of Cybersecurity Czar. She wasn’t even the actual Cybersecurity Czar; she was just the acting one, but it appears even that was too much for her to take. She cited personal reasons for resigning, but media reports suggest a more plausible reason – frustration at “spinning her wheels” and not being able to accomplish anything. Sounds familiar, doesn’t it? Whether you are a Cybersecurity Czar or a CISO, the challenges of the position are very similar.
This job is already rumoured to have been rejected by as many as 30 potential candidates. Forbes notes that among those who have said "no" to the position are former Virginia Sen. Tom Davis, Microsoft security executive Scott Charney, and Good Harbor Consulting Executive Paul Kurtz. The reason many are tempted to consider this position is that it looks great on paper. The role is accountable for protecting the nation’s cyber infrastructure and has a dual reporting relationship to the NSC and the National Economic Council (NEC), but as many candidates found out, it actually has very little authority to do anything substantial.
- The CISO role is a thankless one – with a lot of responsibility and no authority.
- CEO (and the President) diligently pays lip service to security. Many security professionals were excited to hear the US
Cybersecurity is "a major priority for the president," White House spokesman Nicholas Shapiro said, adding that the administration is "pursuing a new comprehensive approach to securing
- Without political clout, you are bound to fail. As Ms. Hathaway found out – access to the President was not as easy as she was made to believe, and falling out of favor with some of his advisers (the President’s economic team) meant that she was not able to get the support she needed to progress her agenda. Also, similar to many corporate environments, not everybody wants you to succeed. This role could potentially encroach on other turfs, or at least make them do additional work – so it was not in their best interest to see this role succeed. Without getting buy-in from these stakeholders, you are guaranteed to fail.
- Other business priorities take precedence. It was widely expected that President Obama would name the new Security Chief during his speech on May 29th, but to our disappointment he did not. It has been two months and there is no appointment in sight. Obviously other priorities such as our nation’s financial crisis and healthcare take precedence over this issue – and security comes way down the list of priorities.
- Companies will not take security seriously unless they get hit. This is unfortunate but true. Many companies (and in this case the government) do not recognize the gravity of the situation unless they are affected by it first hand. The recent attacks on the electric grid system and sensitive government information assets should serve as a warning sign to the administration. Many organizations have found an attentive management and a lot more willingness to spend money on security only after an unfortunate disaster.
Let's hope the Obama administration moves from rhetoric to action before something drastic happens.