August 27, 2021

Unpopular opinion series: a C/ISO that makes the right recommendations and documents them is just as likely to lose their job following a breach.

I posted [my unpopular opinion yesterday](https://www.reddit.com/r/cybersecurity/comments/pbkoo4/unpopular_opinion_there_is_no_cybersecurity/), and I’m blown away by how many infosec professionals (specifically senior managers, directors, ISOs, CISOs) cling to the idea of “If I do my best, make timely, good recommendations, and document everything, my job will be secure following a massive breach.”

Just no.
Even seeing all the opinions to the contrary throughout the comments…I can’t believe so many of us are that naive.

1) Odds are something like 33% you’d be fired quickly. Nice job documenting your shit…but we got massively breached anyway. (Or…you can take a shitty desk job with an 84% pay cut.) Byeeeeeee!

2) Even if I wasn’t fired, I know I would have a hard time dealing with survivor’s guilt. If “only” 1-2% of the workforce was downsized, how many co-workers would give me some one-off look, and I’d start wondering if I could’ve prevented one of their work friends from being downsized… (In my mind, quite a bit more difficult to deal with than #1.)

3) If you’re not #1 or #2, do you think management will start listening to you? How often do YOU go asking advice from the person that told you your behavior was going to lead to specific consequences after you’ve endured the pain and humiliation of those EXACT consequences?

Being right and documenting it doesn’t mean anyone is going to thank us or want us around (quite the opposite).
