CISA and Desist

It’s an old joke: “Heads I win, tails you lose,” but it can also play out in reality. How often do cybersecurity professionals end up on the wrong side of that bet? CISOs (Chief Information Security Officers) don’t seem able to get a break. They invariably get blamed, and sometimes fired, if a cyberattack is successful and especially when it gets a lot of press. This happens even if the CISO warned management ahead of time to invest in appropriate defense and tried to get the budget for it approved, but to no avail. Never mind that management didn’t follow the advice of their professionals … “You should have been more convincing!” they commonly say. But when you try to be more assertive, they knock you down anyway.

With the recent firing of Christopher Krebs, the former director of CISA (Cybersecurity and Infrastructure Security Agency) within DHS (Department of Homeland Security), it appears that management will eject a CISO, even if they have done a great job. This is a whole new ballgame.

In addition to Krebs, two high ranking members of DHS—Bryan Ware, assistant director at CISA, and Valerie Boyd, DHS assistant director for international affairs—were asked to resign (to put it kindly) … see CNN Politics article by Alex Marquardt and Geneva Sands, dated November 12, 2020 with the title “Two top Homeland Security officials forced to resign by White House,” available at  Two Homeland Security officials forced to resign by White House – CNNPolitics

I had looked up Bryan Ware and the other CISA leadership prior to learning of his resignation and was very impressed by his background. He seemed to me to be the most technically proficient of CISA’s management team.

So, there you have it. As a senior cybersecurity professional, you either go along with, and do not question, the wishes of management or you suffer the consequences, even if what you recommend or say is consistent with good cybersecurity practice. I know of what I speak. I’ve been there.

In a sense, cybersecurity practitioners are under attack as much as the systems that they have been tasked with defending and protecting. That does not bode well for the profession or the IT industry as a whole. No wonder there are so many breaches. And small wonder that so few actual breaches are made public.

One potential solution to this problem is to have Information Security report along similar lines to Internal Audit, namely, directly to the Board of Directors. And the InfoSec budget should not be part of the IT budget, but separate and approved by the Board. Management should not hold sway over how much and where InfoSec dollars should be allocated—it really is a conflict of interest, since, in many cases, spending on security means less money for new improved systems that clearly send a more positive message to top management, customers, and shareholders—except when a cyberattack is successful.

By the way, all of this applies to privacy also—perhaps even more so.

*** This is a Security Bloggers Network syndicated blog from authored by C. Warren Axelrod. Read the original post at: