In Depth
Bob Moore Knows How Not to Get Fired
Remember: Once you have a security leadership job, it's the little things that help you keep it.
By Scott Berinato
Be Tom Cruise
There's an English proverb that says, "Cheat me in the price but not in the goods." It seems security officers
In A Few Good Men, Tom Cruise as Lt. Kaffee calls two Navy airmen into the courtroom who provide enough uncertainty to, eventually, unravel the insolent Col. Jessup played by Jack Nicholson. Later, we find out the airmen's presence was a bluff; they were decoys who, if called to testify, had nothing to say.
So be Tom Cruise. Because, at times, you'll be asked to provide more proof than you have for securing a project, even if you know that not securing the project is a great risk.
A CISO at one of the world's largest banks (he requested anonymity, demonstrating that he knows how not to get fired) says he's seen too many recklessly insecure programs get deployed. So he bluffs. The more documentation on hand when you go make the case to operations for securing a project, the better, this ISO says. "It doesn't matter how good the documentation is, really. It just has to weigh a lot. There's a fair bit of marketing involved here. I go in with three good metrics and seven pounds of paper underneath it, and it works. It works every time."
Of course, you'll be building a real portfolio of solid data (see below), but you knew that.
Be Brazen
Bill Spernow, the CISO at the Georgia Student Finance Commission, once observed that a security incident has a half-life of about six months. After a major security incident, that's about how long other executives will be looking up to you. Stopping by your office. Taking the time to learn what exactly it is the security team does on a day-to-day basis.
It's also when they'll fund you. "What's amazing about major incidents," Northcutt observes, "is that the status quo ceases. At that moment you can go to the top brass and ask them for anything and they'll do it. Boom.
"And, 100 percent of the time, I'm ready. I've got something on my shopping list. And I'm completely brazen about it. It might have nothing at all to do with the incident at hand, but I'll get it."