1/n Okay, we need to stop for a moment and consider cybersecurity from a CEO's point of view. It's easy to laugh at them, as in the following tweet, but that's not going to change things until we understand their perspective.
2/ The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim in itself. We are convinced that people are wrong for not taking security seriously.
3/ Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that they need to do more to secure things. This activism has destroyed our credibility in the boardroom, nobody thinks we are honest.
4/ CEOs view cybersecurity the same way they view everything else about building the business, from investment in office buildings, to capital equipment, to HR policies, to marketing programs, to .....
5/ Business is divided up into two parts.

The first is the part they do well, the thing they are experts at, the things that define who they are as a company, their competitive advantage.

The second is everything else, the things they don't understand.
6/ For the second category, they just want to be average in their industry, or at best, slightly above average. They want their manufacturing costs to be about average. They want the salaries paid to employees to be about average. Everything outside of core competency is average.
7/ I can't express this enough: if it's not their core competency, then they don't want to excel at it. Excelling at a thing comes with a price. You have to pay people more. You have to find the leaders with proven track records at excelling at it.
8/ This goes all the way to the top. If it's something the company is going to excel at, then the leader at the top has to have enough expertise themselves to understand who the best leaders are who can accomplish this goal.
9/ All this is a tradeoff. It means business attention focused on one thing can't be focused on all the other parts of the business. If your company excels at cybersecurity, it means not excelling at some other parts of the business.
10/ So unless you are a company like Google, whose cybersecurity is a competitive advantage, you don't want to excel in cybersecurity. You want to be average, or at most, slightly above average. You want to do exactly what your peers are doing.
11/ This is where Gartner comes in. They send analysts to talk to you and your competitors to figure out what all of you are doing, then write up reports about what your industry average is. Yes, yes, it's all phrased as "best" practices, but it's really "average" practices.
12/ When things hit the news, like this Twitter hack, CEOs want to know "what are our peers doing?". In other words, let's ask Gartner what our peers are doing.
13/ Yes, this often comes down to "what pill can I take to make this rash go away", because CEOs are simpletons. But whatever answer you think of, like "security is a process, not a product", is really no better. Process isn't a quick fix here, either.
14/ The problem I see in such companies is not that they fail to excel at cybersecurity, but that they fail to even be mediocre. This "being average, no better than our peers" has really entrenched bad habits and outdated processes/products.
15/ CEOs have entrenched the use of outhouses when modern plumbing is cheap and widely available (an analogy my father often used).
16/ I loathe and despise Gartner, because of my history as a product vendor, so this thread isn't intended to be supportive of them. Instead, I'm trying to empower security people in companies to be able to communicate with leadership, to understand their point of view.
17/ For any C-level executives reading this thread, do listen to your people more. Yes, yes, they are annoying at times, but buried within your organization is more expertise than what Gartner can ever give you ... unless you are an exceptionally bad leader of people.
18/ BTW, this thread is picking on Gartner here, but it's really all Big Consulting. The theory is that Big Consulting is also hired by our industry peers, so it understands Average Practices. In reality, they tend to perpetuate Worst Practices.
19/ In my experience, boutique consultants and just listening to your own damn people is the best way to get marginal improvements -- if only you had a way of getting around internal corporate politics to be able to communicate with your own people.
Thread by Robᵉʳᵗ Graham😷, provocateur