So you do not want to become a CISO anymore?

not your CISO
Oct 9, 2022

There has been quite a lot of chatter in the security community for the last couple of weeks. Well, there is always some discussion — be it a new vulnerability, a breach or gatekeeping. But I am referring mainly to the appearance of Twitter’s former security chief before the court and now the jury verdict against Uber’s former CISO.

These two incidents have shaken the security community, especially the jury verdict against Joe Sullivan. I have seen a lot of social media posts about folks not wanting to become a CISO. After all, who wants to be a scapegoat? Who wants to end up in prison and facing monetary penalties?

So you don’t want to be a CISO?

That’s fine.

That’s your decision.

I understand no one wants to get into legal trouble.

But let me pause here for a second.

What if no one wants to be a CISO? If folks do not want to be a CISO, no one would care whether organisations had a CISO role. It would go extinct pretty quickly.

What will happen?

Management is almost always unhappy when security teams demand budgets (it is an expense). How many of you have gotten the security budget you wanted without fighting? Probably just a handful. Security does not drive revenue. It’s the product that mints money, not the security team, even if it is a cybersecurity company.

So, if there is no CISO, who will lead the security efforts? Probably it will fall under the purview of CEOs, COOs or the board. Their goal is not to secure the organisation but to drive business and growth (we can agree on that).

Do we think it would be good for the security community as a whole?

Do we believe that there would be a demand for security professionals?

Do we think we would have someone to fight against gatekeeping, the skill gap and unfilled security jobs?

Surely there would be security leaders raising the issues (I respect them. I love their work. More power to them.), but who will convince the organisations to spend money on security and hire security professionals from within the company?

It would make security arduous and chaotic. Do we really want to leave this chaos for the next generation of cyber-warriors?

I am not saying we should start a massive revolution, but I am hoping we can start making things right from wherever we are, no matter how big or small our efforts are. We cannot change it overnight, but I see hope over a decade. Let us all play our part ethically and do what is right.

While writing this, I suddenly remembered a quote by Dr APJ Abdul Kalam. I will put it here:

“Let us sacrifice our today so that our children can have a better tomorrow.”

Let the Joe Sullivan verdict be a lesson for everyone, and by everyone I mean boards, CEOs, COOs, CISOs, security professionals, government and federal bodies, and aspiring cyber warriors.

Oddly, I kept the name of this blog ‘not your CISO’, but someday I do aspire to be a Chief Information Security Officer.
