Tuesday, December 3, 2013

Enterprise Security Professionals Getting Out of the Enterprise?

Enterprise security is hard, and the role of enterprise security leader is getting even harder.

In fact, I'm noticing something of a phenomenon lately that may have everything to do with how difficult it is to succeed in an enterprise security leadership role. No less than three of my real-life colleagues and friends in the last 90 days have left the enterprise role for a vendor or consulting opportunity. Now, this may all just be a coincidence but if you look back over the past year successively more and more very smart people from the enterprise are leaving their roles.

I've been thinking a lot about why this is happening, or whether it's just part of the normal cycle of things - but I think there is a pattern worth noting here. As the hum of 'cyber-security' becomes deafening even in the mainstream media and enters every crevice of our collective conscious - it's becoming difficult to spit without hitting something cyber-security related. With that as evidence perhaps it's simply true that the opportunities in the consulting and vendor world are far greater than in the enterprise. While this is probably true on a financial incentive level, these folks I know are not solely money driven so there must be more to it.

Is it simply too hard to thrive in the enterprise as a security leader?

Let's look at what factors in... First of course is the very definition of success. I know far too many organizations (large or small) that still have the delusional view that they expect their enterprise security folks to keep them from being attacked or hacked. This is a wildly unrealistic expectation in this climate. Hell this was wildly unrealistic 5 years ago...but I digress. If enterprise leadership that the CISO or security leader is to report to can't adequately understand how to define success for the CISO - what's the use in trying to dive in to achieve an undefined goal? That's madness! More precisely, if failure is easy to identify (being hacked/breached) and success is unclear - what are the odds of success here? I'd say pretty close to zero.

If you can get past the very definition of success and get to something mutually agreeable and achievable - there's always the issue of culture and budget. Some organizations are simply not going to adopt sane and sound security practices without a lot of forced retirement. I'm actually serious. Chris Hoff ( @beaker ) had a great quote a while back that certain paradigms (I think he was talking about cloud computing at the time) are literally waiting for us to die off (us being the dinosaurs) before they're mainstream adopted. Think about it. Those folks in you company that have been working there before computers were an everyday thing in all aspects of life, and before hackers and cyber was a common thing will probably never fully understand or mentally grasp the gravity of what you're going to ask them to do. So you'll literally have to wait until they're gone from the company before things get better. Now, don't get me wrong, I'm not saying that the latest generation raised on FaceBook and SnapChat have any better clues on security but at least they're understanding the technologies better ... or so we'd hope. The other major hindrance is budget, and that's just a fact of life in the enterprise. When things are going well, you get budget. When things are going poorly (and you really need every penny) you're likely being asked to cut back - the problem is that in security it's nearly impossible to pare back "unnecessary items" unless you've really padded your budget (in which case, shame on you, and good job). So there's that.

Lastly - your adversaries are kicking your ass all over the playground. They have better toys, they have more time, and they're often times much better equipped to win. You're stuck affording a mid-level firewall resource who also has to use the web app scanner to scan your web apps while your adversary is financially driven and has an entire supply chain of bad-asses at their disposal. Seriously, you're screwed. There is no way you're entering a CISO role at an organization that has a public profile without getting some bruises and having one of those very, very long nights when things go sideways.

So perhaps getting out of the enterprise (like I did back in '08) is just the thing to do right now, because to play defense is challenging to put it politely. Or perhaps the consulting and vendor side just pays way, way better and offers more challenge and a climate where it's at least possible to succeed. Or perhaps this is all just a coincidence ... but I bet it's more than that.

What do you think? Have you recently made the switch from enterprise to the dark side? Or have you gone back the other way (vendor/consultant to enterprise)? I'd like to hear from you in the comments section below...


American said...

Appreciate the candid perspectives & observations yet struggle with the absence of references to compliance and risk management, which contributes more angst to the picture. Competitive ideologies of security purists vs. paper pushers (leveraging likelihood & potential impact to rationalize their programs)further exacerbate the success criteria challenge but throw in the "legal" folks who barely get any of it so they debate early notification or no notification to customers and you end up with Adobe-like situations (e.g., 2.4M to 38M impacted) only to be forced to come clean by impacted partners and peers. And - for Sec Archs / Analysts that can command salaries like Snowden, i.e., $250K w/o a high school diploma, why burn out in bureaucracy?

Anonymous said...

You can count me among the ranks of those who have recently left Enterprise security (in my case prompting a few comments that I've committed "career suicide" by leaving a promising track at an ivy-league affiliate). A number of your points resonate with my recent experiences and the driving force that caused me to leave, but I'm not sure I would characterize the impetus of it having been "too hard to thrive". Rather, the migration away from these roles (and the cause of "security burn-out" in general) to me stems from frustration caused by traditional business entities still using a model of security effectiveness and reasonable results that has not yet matured to match the state of the art and practice of security as we currently understand it.

We're living in a world where many of us have to answer to people who still believe security is something that can be achieved as an end-goal rather than an ongoing process and our "progress" down that path is measured and metricated. That works well at first, but the law of diminishing returns means somewhere along the line "progress" will appear to stall.. or worse yet, a compromise or breach gives the impression of regression down the "path".

Meanwhile, security practice has progressed to the point where we've acknowledged we'll never completely "get there" and that we go about the business of securing, not being secure. We're also starting to learn that our castle's foundations can very quickly turn to sand and are beginning to embrace the idea that it's more productive to assume the castle has already crumbled and respond accordingly.

While we're busy trying to explain these major paradigm shifts, the enterprise in turn is still trying to work out how to measure how well we've defended the castle. In judging how far along the path we are they're expecting the budget to be on a downward slope just as we're telling them it needs to go the other way. Dissonance.

In the end professionals end up spending considerable effort just wading through the political implications of it all when what they really want to do is move their security program forward because their adversaries aren't saddled with any of these corporate-culture shackles.

In the end, vendors and consultants get to make their case and improve the situation without having to become trapped completely within the enterprise mechanisms. Personally, I'm far more interested in delving into how we can actually improve security and respond to threats than wading through that sort of mess, so if anyone needs me I'll be consulting, pen testing and working in the lab.