Enterprise security is hard, and the role of enterprise security leader is getting even harder.
In fact, I'm noticing something of a phenomenon lately that may have everything to do with how difficult it is to succeed in an enterprise security leadership role. No fewer than three of my real-life colleagues and friends in the last 90 days have left the enterprise role for a vendor or consulting opportunity. Now, this may all just be a coincidence, but if you look back over the past year, more and more very smart people from the enterprise are leaving their roles.
I've been thinking a lot about why this is happening, or whether it's just part of the normal cycle of things - but I think there is a pattern worth noting here. As the hum of 'cyber-security' becomes deafening even in the mainstream media and enters every crevice of our collective consciousness, it's becoming difficult to spit without hitting something cyber-security related. With that as evidence, perhaps it's simply true that the opportunities in the consulting and vendor world are far greater than in the enterprise. While this is probably true on a financial incentive level, these folks I know are not solely money-driven, so there must be more to it.
Is it simply too hard to thrive in the enterprise as a security leader?
Let's look at what factors in... First, of course, is the very definition of success. I know far too many organizations (large or small) that still have the delusional view that their enterprise security folks are expected to keep them from being attacked or hacked. This is a wildly unrealistic expectation in this climate. Hell, this was wildly unrealistic 5 years ago... but I digress. If the enterprise leadership that the CISO or security leader reports to can't adequately define what success looks like for the CISO, what's the use in diving in to achieve an undefined goal? That's madness! More precisely, if failure is easy to identify (being hacked/breached) and success is unclear, what are the odds of success here? I'd say pretty close to zero.
If you can get past the very definition of success and get to something mutually agreeable and achievable, there's always the issue of culture and budget. Some organizations are simply not going to adopt sane and sound security practices without a lot of forced retirement. I'm actually serious. Chris Hoff ( @beaker ) had a great quote a while back that certain paradigms (I think he was talking about cloud computing at the time) are literally waiting for us to die off (us being the dinosaurs) before they're mainstream adopted. Think about it. Those folks in your company who have been working there since before computers were an everyday thing in all aspects of life, and before hackers and cyber were a common thing, will probably never fully understand or mentally grasp the gravity of what you're going to ask them to do. So you'll literally have to wait until they're gone from the company before things get better. Now, don't get me wrong, I'm not saying that the latest generation raised on FaceBook and SnapChat has any better clue about security, but at least they understand the technologies better... or so we'd hope. The other major hindrance is budget, and that's just a fact of life in the enterprise. When things are going well, you get budget. When things are going poorly (and you really need every penny) you're likely being asked to cut back. The problem is that in security it's nearly impossible to pare back "unnecessary items" unless you've really padded your budget (in which case, shame on you, and good job). So there's that.
Lastly, your adversaries are kicking your ass all over the playground. They have better toys, they have more time, and they're oftentimes much better equipped to win. You're stuck affording a mid-level firewall resource who also has to use the web app scanner to scan your web apps, while your adversary is financially driven and has an entire supply chain of bad-asses at their disposal. Seriously, you're screwed. There is no way you're entering a CISO role at an organization that has a public profile without getting some bruises and having one of those very, very long nights when things go sideways.
So perhaps getting out of the enterprise (like I did back in '08) is just the thing to do right now, because playing defense is challenging, to put it politely. Or perhaps the consulting and vendor side just pays way, way better and offers more challenge and a climate where it's at least possible to succeed. Or perhaps this is all just a coincidence... but I bet it's more than that.
What do you think? Have you recently made the switch from enterprise to the dark side? Or have you gone back the other way (vendor/consultant to enterprise)? I'd like to hear from you in the comments section below...