Are We Starting to Abdicate Cyber Leadership To Consultants?

Opinionated Security
CISO & Cyber Leaders
6 min read, Dec 27, 2020

The internet makes finding examples of sound leadership principles easy. Examples of great leadership and world class program development within the cyber security community are harder to find. This blog post explores whether this is the case because so much of the thinking and movement within the cyber security industry is generated by vendors and consultants.

If we assume that a sound cyber leadership principle is that cyber leaders must own, define, and communicate the goals, resourcing, gaps, and roadmap for their cyber security program, then the counter example to doing these things would be the complete abdication of at least the ownership, definition, and communication to some other party.

Is the cyber industry seeing an increase in delegation to vendors? I obviously can’t look inside or otherwise know every program but I can look at several data points:

  • The exceptionally low percentage of program level consultants that I’ve met that have actually filled a formal role of an internal CISO or similar role in which they built, led, and represented all aspects of their organization’s cyber program for a sustained period at all levels including the Board.
  • The equally low percentage of cyber program level content on a given topic that is generated by cyber practitioners versus by vendors or academics.
  • The high frequency of anecdotes that I hear other senior cyber leaders tell about their own programs during various professional interactions like conferences, meetups, or other events.

I’ll agree in advance that these are each a small data sample and aren’t the most scientific methods for drawing broad conclusions. That said, most survey based industry studies also aren’t asking what percentage of security programs, or of a program’s decision making, has been outsourced to vendors, so we have to start somewhere.

The first and second points above likely have some relationship. A question that I have whenever approached by consultants offering program level cyber services is, “how long were you a CISO and where?” From the vendor perspective, they usually do not consider their personal experience leading an actual cyber team as an important qualification. After all, they regularly talk to Boards and often propose impactful changes. I get that. But, senior cyber practitioners can’t forget that most vendors don’t have to live with the consequences of their decisions; by the time any fallout starts, they’ve likely moved on to the next customer. Or, if they do have some longer term relationship and make a poor decision, the cleanup of that poor decision can be viewed as just another business opportunity.

I’ve had a number of vendors and consultants make recommendations that, had I followed their advice, would have caused major issues at best and perhaps even security incidents or worse. I’ve also had vendors try to steer the cyber program towards goals and objectives that were better suited to the vendor themselves or to the preservation of future business than to the cyber program that they served.

I’m not anti-vendor. Vendors provide key capabilities and services upon which cyber programs depend. Senior cyber leaders simply need to keep their own goals and objectives for their program in mind as they process any external advice that is given.

Because there doesn’t seem to be a deep bench of former CISOs turned consultants, I’d venture to guess that over 95% of free online content about how to deal with the program level challenges of a cyber program (program description, risk, etc.) has been generated by outside “experts” in the vendor and academic communities who have never formally led a cyber program.

That isn’t to say that field practitioners within cyber orgs don’t produce online content. They do, and in droves. Compare the percentage of online content generated by actual field practitioners doing the work described in the content for various tactical disciplines within cyber and information security programs to vendor content on the same topics. By tactical, I mean specific disciplines such as incident response, digital forensics, cloud security, etc. The numbers are much more balanced.

Application security seems to be one of the lone glaring exceptions to my rule about a balance in tactical online content. Almost all online content about app sec is highly tactical in nature and almost all app sec online content seems to be generated by vendors.

I’ve previously said in blog posts and videos that I was a bit shocked to find almost no content about the development or challenges of cyber risk programs being generated outside of the vendor or academic communities. This disconnect continues to surprise me as most of the vendor related content seems to be mostly focused on the success of identification and classification of cyber risks. There is still little (if any) content, vendor or otherwise, on how to measure the success of one’s investment in cyber risk which I believe is a key task of senior cyber leaders after any major investment in the cyber program.

The gravity of what is at stake for cyber programs as their CISOs and other senior cyber practitioners consume this free online information is enormous. This information is often presented as “best practice” when, in reality, it’s really just “compelling marketing copy”. Given the number of breaches that we read about each week, clearly there have been painful lessons for cyber leaders to learn as a result.

As for the third point above, again anecdotally, I’ve seen an increase in cyber leaders proudly pointing to bringing in outside consultants to convince executives to approve or take action on some critical risk or work item that has lingered longer than is reasonable, in some cases for years. On social media, I see posts from consultants telling the same story.

When I’ve asked as to why the consultants are needed to sell some key aspect of the cyber program, the answer has always been the same. Leadership trusts outsiders more.

Wait. What?!?

Critical items have lingered for years. The cyber leadership has been unable to resolve the issue or gain support even though the issue is critical. An outsider is able to articulate the issue and achieve action within a short amount of time.

And, as cyber leaders, we find some sort of pride in a scenario where outsiders make a more compelling case than we do to enable forward movement on some sort of critical project?

There are only a few scenarios that could lead to executives having more confidence in an outsider than an organization’s own cyber leadership. I’ve outlined those scenarios as follows:

  • Conversations between the cyber leaders, stakeholders, and executives on this key topic never took place
  • Conversations between cyber leaders, stakeholders, and executives did happen but the critical nature of the issue was not understandable or otherwise made clear
  • Conversations happened, were understandable, and the issue was understood to be critical but the rationale or prioritization was not compelling
  • Conversations were compelling but there wasn’t an associated achievable plan and so the project was not greenlighted
  • The executives have lost confidence in the cyber leadership and didn’t move forward with a risk treatment plan or remediation

All of the above are potential indicators of cyber leadership problems.

Vendors are, at best, only a short term fix for cyber leadership problems. In my view, bringing in a vendor should be a possible outcome of these discussions, not the catalyst for a successful conversation.

I’d imagine that in addition to coming in and providing a winning narrative to win over executives, the vendors might also serve poor leaders as a way to deflect execution issues or failures.

Cyber team members, the organization’s executives, and the Board all deserve better.

You can successfully outsource work, but you can’t outsource accountability for program leadership, program direction, execution, or liability after a breach.

As cyber leaders, these are ours to own.

For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1

You can also find more of my previous content at the “CISO & Cyber Leaders” publication on Medium: https://medium.com/ciso-cyber-leaders


Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development