Sisyphus, CISO


Information Security: A War Without Victory

“Absolute futility,” says the Teacher. “Absolute futility. Everything is futile.”

What does a man gain for all his efforts that he labors at under the sun?

A generation goes and a generation comes, but the earth remains forever.

Information security is, simultaneously, the most rewarding and most desperate career choice today. Its rewards are plentiful and obvious: creativity, opportunity, variation, and depth are all hallmarks of an information security career. Information security is also a bleak field. If war is politics by other means, then information security is war without victory.

Engineering and development create products; finance gains analyst favorability, directly affecting shareholder value; sales and marketing bring in revenue, create the image, and feed raw meat to tigers on a stage in Vegas (true story). Human Resources cannot do any wrong* as they lobby for, obtain, and hand out benefits, training, and open-bar Fridays. Information security, though… who invited them?

Even more perilous is the role titled Chief Information Security Officer. Because perception often trumps thoughtful analysis, Information Security is called the “Department of No” behind its back. You are the brake, not the gas pedal. You are the uncool parent yelling at DevOps that “you’ll shoot your eye out” with their Christmas BB gun (or CI/CD). When you are right, you’re not appreciated for being right. “I told you so” is not sexy.

In the periphery of your imagination, there is an ideal Information Security team and CISO that are different, though. They are agile, responsive, sensitive to business value, and are not a cost center. Other security leaders ask them for advice, their board decks are top-notch, their PCI audits take five days (calendar, not business), and even the head of engineering nods a ‘sup as that CISO passes in the hallway Monday mornings.

Does that CISO exist? If so, why can’t you be like that CISO? What kind of CISO are you? Do you know your strengths and weaknesses? Did you know you can? Do you know how?

In this series, we will walk through many examples that may surprise you and should be instructive. It is hard to hear criticism; it is easy to give it. You will get that opportunity as we examine and critique other leaders in situations and circumstances that feel and sound familiar to you. Teaching these characters may help you identify lessons you would like to learn.

Next post, we begin with strategy and why you are not very good at it*.

Some food for thought to whet your appetite:

  • Who are the leaders and experts of strategy in our time?
  • It is common these days to steal lessons from the military.
  • But did you know that the war colleges were started because military leaders were so poor at strategy that they “stole” from academics?
  • What does this have to do with you, the strategy-struggling CISO?