13 tweets, 3 min read
I don't understand a CISO resigning over differences over how to manage information security. My definition of a CISO is somebody who isn't so childish as to get upset when the organization is insecure.
I mean, there's lots of reasons a CISO might resign. If a company's insecurity is harming its customers, then of course that's a reason to resign. But if a company's insecurity is only harming itself, then it's not a good reason.
Infosec workers are usually disgruntled because the organization hires them to secure things, then prevents them from securing things. It's not just that, it's how truly silly their resistance to security becomes.
You: "There's an obvious SQL bug that any teenager can exploit"
Them: "It's purely theoretical, we won't fix it"
You: "It's not theoretical, it's obvious and easy to exploit, let me show you"
Them: "No"

...time passes...
...the bug gets hacked by a teenager...
Them: "Why didn't you prevent this?"
You: "...grrrr...."
So it's not that they won't listen to you, it's the absurdity of this resistance that causes disgruntlement. That your entire security team is perennially disgruntled is just a standard part of infosec.
So for me, the most important part of being a CISO is somebody who can deal with the absurdity without getting disgruntled. I mean, there's still ethical problems I can imagine they'd have to confront that might cause them to resign, but not simple disgruntlement.
Of all the ethical issues I've had to confront in the past, none of them apply to presidential campaigns. The biggest I can imagine is exposing donor lists, but since they have to be exposed anyway in FEC filings, it's not an issue.
So this thread lists some reasons to resign, one of which is simply money. I'd love to work with any presidential campaign -- but not for the money they'd be willing to pay:
And another reason: the damage to reputation when the organization you are responsible for gets hacked.
Another reason I've had to stop working with people is legal issues, when I disagree with their interpretation about their legal duties. Nobody explicitly breaks the law, but there's grey area, and if you are unsure, you are at risk and should get away.
But I wouldn't phrase it as "differences on how to manage security". That phrase implies disgruntlement. I'd simply phrase it as "I no longer wanted to work there".
The point is that when you part from your employer, you really don't want to do so in a way that makes you look "disgruntled", as it does here. This is especially true for higher levels of management.
Keep Current with Rob ☃️ Graham