Helping cyber security leaders show more business value, giving them more opportunity for growth | Founder @ The Blueprint | 1st time entrepreneur | Creating a future for the cyber security workforce
You lied to your CISO so they would accept the job. Terrible move. (But not uncommon.) I hear this SO much.
- I was told they took security seriously.
- I was told I would have X budget.
- I was told I could build a team.
If you plan on telling these little porkies in the interview, remember: this massively damages your brand. People in security talk, and before you know it, nobody wants to work for you. Secondly, this will cost you. It took you 6 months to make a decision in the first place + waiting for a 3 month notice period to finish. Then they leave within the first 6 months. That's potentially 15 months of time, money & resources down the drain. Getting it right the first time doesn't seem so bad now, does it? Stop wasting your time hiring security folks to tick boxes. It won't get you any of the results you want.
This is a typical “external facing image” vs actually addressing the reality of the situation. So many companies operate on the “it’s not a problem until it’s a problem” mentality, and quickly forget past instances that made them have some sort of “we need this” mentality in the first place. Instead of knee jerk reactions, companies need to become proactive, and set these teams up intentionally while things are good, or else the panic and defensive approach to the issue will cost so much more than the meager budget they try to allocate for it at all.
This fundamentally applies to any role: sugar-coating or blatantly misrepresenting the position leads to the resource leaving and the recruitment process starting over again.
True. But you can also flip this around, since most orgs tell you what they "want" and not what they have. They "want" to take security seriously but need the CISO to take ownership and show them "how". Did they work with the CEO to sponsor a culture of security so they can then take the baton and champion the culture? Did the CISO earn the budget with business cases for tools and staff by influencing stakeholders as sponsors? Only if the CISO has tried and failed at these can they make these claims.
I have experienced this first hand: "We have x turnover", however they fail to disclose they are loss-making.
You could have simply stopped at "lied". A decent CISO is going to see that as a very large issue and a personal risk.
Familiar with this issue and many lessons learned. Thanks for sharing
How true, not being honest about the job.
So true - WOW. Know this first hand.
So true.
Cyber Security Leader, Project Manager, and Furniture Maker
In twenty years and hundreds of companies, I've never heard a SINGLE ONE of them say anything except "we take security very seriously!" Then you pop the hood and see: They don't have a dedicated team because "security is everyone's responsibility!" They don't have a budget. They don't have security requirements, or policies. When you discuss security or ask any security-related question you are told, "that's not how we do things here", or "We can't make any changes that could impact production", or any other of a thousand excuses. As a consultant, I could always smile, and nod, and write a report that would sit on a shelf gathering dust. When I worked internal security, I would grit my teeth and roll up my sleeves. But having a company ACTUALLY care about security, and put their money where their mouth is... well, that's a diamond in the rough. Thanks for calling out the "check the box" mentality!