Saturday, October 24, 2015

Are we finally in an era when a new CISO can put the pedal on the floor??
There are many reasons why CISOs succeed and why CISOs fail. The recipe isn't always reliant on secret sauce, but in this case, there's been what appears to be a shift in thinking... at least on the surface. My sample size is four, but recent, and all interesting...

CISO #1 just started with a large federal government organization. He'd literally just retired from the military (after probably hundreds of years of service) as a plain clothes senior law enforcement officer and just took over with this federal organization. He'd been on the job two weeks when we first talked. CISO 1 is ready to burn down the house, take no prisoners, and doesn't care who knows about it.

CISO #2 has been on the job for about eight months now, and since the day he started (working at a large healthcare company), he wanted to go "APT hunting". CISO 2, in my opinion (I've already expressed concern), is going to find something that's going to cost a ton of dough *like millions* without adequately preparing/socializing his bosses for what this might actually mean.

CISO #3 works in a large financial... fairly new. Very smart guy, coming from the high tech space prior to being named CISO at this bank. CISO 3 wants intelligence, but before jumping into a collaboration, wants to turn his new banking security team into hunters and security producers --the top of the CTI Maturity ladder... because that's what he had before.

CISO #4 works in a large manufacturing company... 100K+ computers. CISO 4 is a brand new CISO, who told me last week that the board was requesting a brief within TWO WEEKS of reporting on board. TWO WEEKS!? In an enterprise this size (100K+), it takes two weeks to learn where the bathrooms are... let alone figure out the inter-dependencies of the network and the business.

All four of these CISOs have exemplary careers; all very smart, motivated, and without a doubt, have earned the right to be in their CISO seats. But I have to wonder... these guys are all pretty aggressive. I know... I'm one to talk, right? These guys are hitting the ground running hard. In past cases, I'd worry that they'd burn out, lose the support of their champions, find out the company really doesn't want to know what's really happening in their networks, or simply not have time to build the relationships needed to be successful.

Are these guys wrong? Who am I to say? Are we finally in an era when a new CISO can put the pedal on the floor?? I can't wait to see!

In the meantime I'm running hard in the DC area preparing to fly to San Diego for the FS-ISAC conference. I'll be presenting our Cyber Threat Intelligence Assessment of Venezuela. This is the fifth such report we've written and presented.

I'm looking forward to seeing many of you in Coronado. These guys pick the best spots for conferences!

