You’re not in our industry WTF do you know about infosec?

This is more from my noisy search for my next windmill to tilt at, in what will be the great success of helping an organization become more resilient, capable, and respected for the information security posture it exhibits.

I like some of the recruiters I deal with on LinkedIn. I have helped several very nice recruiters find awesome prospects among my former students and colleagues. My address book is pretty much a “who’s who” of the information security field. I have old-school hackers and new-age cyber sleuths who are friends I email with semi-regularly. So, I’m not hating on any recruiters. In fact, the recruiter who spawned this post was polite and professional, and I hope to buy him dinner some time.

First, my career goal: I want to go from CISO in residence at DHS to CISO at a Fortune 100 or larger organization, somewhere in the South near a major coast, at $250K to $300K a year (more for the West Coast, less for the Florida coast). Those aren’t exactly normal job requirements, but they work for me. So … that is my agenda, but here is my story.

I was recently told that a company was hiring a CISO and that, since I wasn’t in that specific industry, I didn’t qualify. I was flummoxed. Infosec is my industry. Cybersecurity is my discipline. I’m a published author and current SME; I’ve briefed Congress, spoken at hacker conferences, written blog posts that are read by hundreds of thousands of people, and consulted in the boardrooms of multinational corporations. And because my resume doesn’t show I ran a hospital information security program, I’m not a candidate?

I’ve NEVER been hired based on my resume. Ok… I know the resume sucks. But this was the first time I’ve not even been called by an entity based on what it says.

On an average day I might be giving advice formally to any CIO/CISO in the federal government. My phone could ring at any time, and I’ll be briefing the head of the NCCIC at DHS or CTIIC at ODNI on some cyber-related technical, threat, or response issue. Otherwise, I might get an email, and somebody from the dam, financial, health care, retail, or energy sector might be asking me a question. On an average day I can be helping somebody write a Python script to detect APT activity and be responding to a KPI on a strategic plan for a Fortune 100 CEO/CIO/CISO.

Yesterday I was giving the CTO of a major infosec company (great guy, great company) a run-down on how Washington DC functions. A few hours before that I was explaining to a senior government executive (great guy, great agency) how the tech-sector worked. I’ll really have succeeded if these two sit down and talk to each other.

I’m a trusted third party to a lot of people. Which is why I’ll never do sales again. You can’t be a vetted confidant and have a sales agenda.

Speaking of colleagues: a very senior government friend was approached by a recruiter to lead a tech team at a financial company. He said flat out, “You’ve got to hire Sam!” After an hour-long interview with the recruiter, she determined I would not be a good fit, as I had no financial industry experience (sigh). However, she offered up a position leading incident response for a health care entity (two tiers down from where I am now). I didn’t take it, but I helped one of my former employees who wanted to move up into the position. Information security is a discipline unto itself. He went from running military security programs and responding to critical infrastructure incidents to leading infosec within a major healthcare-related company. Good for him, good for the recruiter, and well… I’m still writing rants.

But “You’re not qualified to work in our sector; we’re different!” I’ve heard it before.

When I worked for MCI WorldCom, connecting about two-thirds of the Internet, my teams worked in every hospital and healthcare entity. In fact, with over a quarter million customer premise equipment locations, we worked in every industry and key infrastructure sector worldwide. When I was working at NCR, financial and retail were king, but I also won awards at Sun Microsystems, where I led a helpdesk team and led the field support team implementing first-generation security and management tools across the Fortune 100.

But regulation… I’ve been on the ground floor for HIPAA, Sarbanes-Oxley, FISMA (1/2), and various other legal regimes. I’ve been a member of USACM, helping make senior technical leader comments on the topics as they come up. I’ve been a “leading scientist” on two rather nasty briefs to federal court, where I was approached by the hacker community to lend credence. For gosh sakes, I not only taught cyber law as a non-lawyer and sit on OSAC, which defines many of the legal elements for digital forensics, I’ve also been the featured technical editor on three books that look at the topic.

Chi and Glaser in “The Nature of Expertise” rightfully conclude that a Go master will not make a great general just because they understand the strategy of a game. The domains are too different, and strategy does not transfer from board game to war craft. The error is in thinking that infosec is somehow locked into the realm of one discipline or one industry in the same way: that a retail CIO/CISO should never consider becoming an energy CIO/CISO.

This mistakes the business line for the practice of what is at stake: information. Information is a consistent process that follows specific patterns through generalized products and services. The prioritization and specificity of information delivery will change between an energy sector PLC synchronizing timing on an interconnect and a health care cardiac telemetry unit. The use case changes, but the underlying principle of understanding what is important to your customer does not. A good CISO not only learns the business lines, he learns the customer’s mission priorities (overt and covert).

Every environment is different, even within unique autocratic agencies like the US Army, where AR 25-2 says everybody WILL do X and MUST do X or be in violation. The interpretation of order or directive X is pretty widely diverse, and every unit is a special use case. The nature of a good CIO/CISO is to find the pattern, analyze the unique characteristics, and then develop an operational plan toward the strategic goal.
