Like many people reading this blog, I have spent a great deal of time on the front lines of the biggest conflict of our age – the cyberwar. Along the way I’ve reached the conclusion that while we are all fighting the good fight and winning some battles, we are ultimately losing the war. Like a runner on a treadmill, we are working our hearts out and not getting anywhere.
That might sound provocative; it’s intended to. I believe that we need to start talking about strategic directions instead of Band-Aid fixes, and, unlike some vendors’ opinions, mine is based on almost twenty years as a Chief Information Security Officer (CISO). From 2000 to 2004, I was the first CISO for the County of Orange, California, the fifth largest county in the U.S. From 2004 to 2008, I served as the Corporate Division Information Security Officer for Pacific Life Insurance Company, a highly regulated financial services company. From 2008 to 2011, I was the CISO for Riverside County, California, the 11th largest county in the U.S., and in 2011, I left government and returned to the insurance and member services industry as CISO for Auto Club Enterprises. When I tell a CISO “I feel your pain,” it’s because I have the scars to prove it. It’s a thankless, lonely, stressful job, and the kicker is how much we all want to do it well.
Unfortunately, instead of being able to focus strategically, we are forced to spend most of our days putting out tactical fires. This seems to be a constant refrain among my CISO colleagues, regardless of industry. One big problem is that there is so much noise in this overcrowded market, and a never-ending display of smoke and mirrors, that it becomes extremely time consuming to even understand the security offerings in front of us. We end up using our limited time and resources just separating the technical wheat from the marketing chaff. The vendors don’t understand the real world in which we live, nor do they comprehend that their products often fail us at the worst times. We can’t find and hire enough qualified people. We’re trying to protect myriad systems and software—some of it so full of vulnerabilities and bugs that it should never have been sold, but now inextricably woven into our infrastructure. Obviously, we can’t take down that infrastructure because of the potentially negative impact such a move could have on business operations.
To throw gasoline on the daily fire drill, we’re still using the same approach to solve many of these problems that we’ve used for the last 20 years. It didn’t work in the past, it doesn’t work today, and it won’t work tomorrow. But for some reason we just keep repeating the same failed approach, hoping that we’ll eventually have some sort of breakthrough. Even if this is not your definition of insanity, it is a guarantee that we’ll all need to hop on that treadmill tomorrow, just to make sure that the lights stay on.
That’s why in 2016, after 16 frustrating years on the treadmill, I decided enough was enough and I jumped off. I quit my job and moved my family to Silicon Valley, the tech capital of the world, to see if I could help bring some sanity to this craziness. I’m tired of just winning battles; I want to win the war!
And make no mistake: this is a war in every sense of the word. In today’s world, everyone and everything is interconnected, and as security practitioners we are no longer just responsible for protecting corporate profits. We are now responsible for protecting life and civilization. Every year, the war becomes more and more dangerous, which is why we must act immediately to break this cycle; the consequences of losing are becoming catastrophic. Years ago, we were concerned about things like having our websites defaced, then we worried about organized crime stealing information for monetary gain. Now we worry about attacks that not only could result in loss of life, but ultimately the downfall of governments and societies around the world.
From my perspective, that’s where we, as CISOs, find ourselves today. In our next blog, I’ll look further into how we got here.