Oppenheimer, CISOs, And The Politics of Cybersecurity

CISOs are under fire and are scared. Oppenheimer was a brilliant scientist, but not a politician. Lessons learned from his security hearing.

Spoiler Alert!

I had the opportunity to watch Oppenheimer recently, in 70mm too! As a fan of film, art, life and science, I was especially excited to watch this biopic, particularly one by Christopher Nolan. The film was well done and gave me some reflections on the field of cybersecurity and cybersecurity leadership.

Oppenheimer Is The CISO

Oppenheimer was a scientist. Ambitious and a visionary. Not without his faults of course, as any human. He was not, though, a politician. Politics is a science, art, and craft in and of itself.

For anyone who has worked a corporate job, or in any organization with other humans, whether that is your family, a non-profit, a startup, or a large corporation, there is always an element of politics involved. Those politics can range from healthy to toxic in a variety of possibly unpredictable directions.

Navigating security is the same thing. Working with other teams is a skill and an art. You need to be part salesperson, politician, and scientist/engineer.


The AEC, SEC, and Executives

As a CISO, you need to make quick decisions, especially in an Incident Response scenario. You must confer with leadership, offer your opinions, and then execute accordingly.

As with all things corporate, you must also not be naive. You must CYA and ensure you have your bases covered.

Risk comes naturally with the job. You can never reduce your risk to zero, but you can take measures to ensure it’s reduced to a tolerable level.

Are CISOs being blamed for cybersecurity breaches and incidents? I don’t know.

Are they solely responsible for ensuring the security of a company? Many times, they are not in a position of authority.

The CISO’s job is to inform the business of risks so they can make an informed decision. If the CISO is lazy in that capacity, then that can be problematic.

But what about when the CISO has done everything in their power to communicate and try to effect change, only to be met with resistance? What then? Well, that’s where they often quit. They’d rather be jobless than scapegoated in a security incident.

Must reads:

Even the SEC published new rules for cybersecurity of public companies, on which I will do an in-depth analysis later.

In the meantime, and interestingly enough, they took away the requirement for companies to have a CISO or someone with that designated authority, as well as the requirement for boards to have cybersecurity integrated into their oversight.

That’s interesting.

Ponder this about the Atomic Energy Commission (AEC).

Users, Scientists, Engineers, and The Security Community

At the end of the day, the real losers are the people.

Users lose trust in how companies handle their data.

Security professionals become jaded, burned out, and quit altogether as they’re not able to effect change.

Engineers lose faith in leadership and security people.

We haven’t even touched the Industrial Control Systems (ICS) space and the risk it poses to real lives and people (see Triton – Darknet Diaries).

Will bad cybersecurity end the world, like atomic energy might? Maybe not.
