I posted [my unpopular opinion yesterday](https://www.reddit.com/r/cybersecurity/comments/pbkoo4/unpopular_opinion_there_is_no_cybersecurity/), and I’m blown away by how many infosec professionals (specifically senior managers, directors, ISOs, CISOs) cling to the idea of “If I do my best, make timely, good recommendations, and document everything, my job will be secure following a massive breach.”
Even seeing all the opinions to the contrary throughout the comments…I can’t believe so many of us are that naive.
1) Odds are something like 33% you’d be fired quickly. Nice job documenting your shit…but we got massively breached anyway. (Or…you can take a shitty desk job with an 84% pay cut.) Byeeeeeee!
2) Even if I wasn’t fired, I know I would have a hard time dealing with survivor’s guilt. If “only” 1-2% of the workforce was downsized, how many co-workers would give me some one-off look, and I’d start wondering if I could’ve prevented one of their work friends from being downsized… (In my mind…quite a bit more difficult to deal with than #1).
3) If you’re not #1 or #2…Do you think management will start listening to you? How often do YOU go asking advice from the person that told you your behavior was going to lead to specific consequences after you’ve endured the pain and humiliation of those EXACT consequences?
Being right and documenting it doesn’t mean anyone is going to thank us or want us around (quite the opposite).