Many organizations have the wrong expectations when hiring security leaders. Some look at it as a checkbox requirement to meet their third-party security requirements… but are not really looking for effective security (which requires change). Others expect this security person to come in and magically make everything secure, without additional budget, tools, actual change, or support.
If you want security, things will need to change, even if gradually. Status quo will not work.
So when you hire a security person, but they’re not allowed to do what they’ve been hired to do, it’s pretty frustrating.
We sometimes call this the Token Security Hire. This position is usually set up for failure.
This issue came up in a recent Slack community discussion. Many of us in the field know how to tell if a position is set up for failure or no growth.
Here are some signs:
Tasked with security management, but not allowed to hire anyone, with no budget, no tools, etc.
Customer-facing only... not really working with internal teams. Often put in an unethical position of having to say things are secure when they're not.
Gets tons of pushback from their own manager, with security recommendations ignored or even blatantly broken.
Unfortunately, this is very common in the industry. Sometimes it’s due to a lack of education on what security really is, sometimes it’s laziness to go past the status quo, and sometimes it goes into the unethical… or a combination of all of the above.
Security people want to do good work. Let’s set them up for success and avoid the status quo.