Vulnerable U - Weekly March 1

First week of March and we're coming in hot

Vulnerable U Community,

Welcome to the latest edition! Today, we're discussing the broken incentives of being a Chief Information Security Officer (CISO) and how it’s going to shape our industry.

Main Course:

The incentives of being a CISO are broken. I’ve been having this conversation for years, most recently on the RSnake Show podcast with Robert Hansen, where we covered this topic in depth. Robert mentioned this as part of a keynote he gave and broke down the REAL incentives of a security executive:

  1. Don’t get fired

  2. Don’t increase personal liability

  3. Quit before people blame you and have a couple wins for the resume

Even what the industry considers good CISOs wind up having to fight against these tides and their pull. Incentive one means looking good for the board: continuously hiring a large team, and focusing on metrics and dashboards that are often useless, just to have some slides showing pseudo-progress.

If you think I’m being dramatic about personal liability... I’m not.

As for incentive three: have two seemingly successful large initiatives, even if they have limited impact on actual security risk. Roll out your favorite EDR. Buy everyone some MFA tokens. Spend some money on a flashy-looking vendor which produces great lists of things that need to be fixed, in bright stoplight colors of criticality. Then get out.

What can we do about this? I believe we can outline a framework where security leaders become value creators at organizations rather than cost centers. I’ll go into this in later issues of the newsletter, but the industry is solving lots of important math problems about which vulnerabilities to fix and the costs associated with fixing them.

We can transform the conversation from Red/Yellow/Green, A-, B+, 3.4/5 security scores to dollars and cents of increased company value based on information security posture.

What I'm Reading This Week

Here are some things I’m reading right now:

The Power of Vulnerability:

Some of the latest breach disclosures that I’ve really respected. Coinbase and LastPass have both been hit by extremely targeted attacks in the last few weeks. In the LastPass case, the attackers went so far as to compromise an employee’s personal computer and install a keylogger to then get credentials for their work accounts.

I highlight these stories because they are great examples of being transparent about our vulnerabilities, and they collectively make the community stronger. I saw a lot of talk about how LastPass messed up from a lot of people I know who work for companies that also allow work account access from personal devices. The fact that these stories are being shared publicly will spur conversations and free up budget for strategies to make sure these attacks don’t happen elsewhere. Thanks to the teams who wrote these posts up, if you’re reading this.

Community Spotlight:

Share Your Story: We're always looking for members of our community who are embracing the reality of their vulnerability and willing to share so we can all learn together. If you have a story to share about your own journey, please reach out to me! We'd love to feature you in a future edition of the newsletter. (Tech or non-tech, I don’t care. I’ll be telling human stories we can learn from to become more resilient.)

Referral Program:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! For now, we’re spreading by word of mouth only.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay