J.M. Porup Profile picture
Aug 8, 2021 15 tweets 9 min read Read on X
So what's it like to be a #CISO? I was Acting CISO of a billion-dollar crypto company for three months during the spring bull run, and am currently Deputy CISO. I'm still feeling the burnout. What mistakes did I make? What are my lessons learned? A 🧵 1/x
#infosec #cybersecurity
As a #CISO, the stakes are high. This is not a drill. Your decisions affect the success or failure of the enterprise. Totes no pressure. 2/x
You make a *lot* of decisions as a #CISO. Mission-critical decisions based on too little information. And you make them *fast*. You're not sure what's going on, and you have to make a decision *now*. Got it? Good. 3/x
The cyber domain has so many known unknowns that the ability to reason in the face of unavoidable uncertainty is a key trait a #CISO must have to be successful. 4/x
So how do you deal with the uncertainty? By understanding that you are not "building a wall against hackers" or "preventing a hack," but you are managing risk. 5/x
Side note: Any #cybersecurity professional who tells you they can "prevent hacks" is a fraud. That's like saying you can "prevent cancer"--you can't. You can only reduce the risk with diet, exercise, etc. 6/x
Risk Management, the one class I hated while doing my Masters in Cybersecurity @BerkeleyISchool, turned out to the most useful and practical of them all. Tell me how much cyber risk your business is prepared to carry, and I will tell you how to get it that low. 7/x
So let's talk about management. Security is a process, not a product. That means #cybersecurity is fundamentally a management problem, not a technical one--systems, human and machine, must be modified to reliably operate in a secure way. 8/x
Getting people to do the stuff you need them to do does not have a Linux man page. Security requests can seem counterintuitive, even capricious--employees need to understand *why* these changes are taking place. Training and internal comms become critical to success. 9/x
But no security program can be successful without active buy-in and support from the very top. Carrots and sticks. Ask nicely. Lots of times! You want security-enthusiastic employees. But for those you can't cajole, you must be able to compel with executive writ. 10/x
Which leads us to burnout. Burnout and exhaustion are not the same thing. Exhaustion can be exhilarating! Working hard on something you love and making progress is great. Pushing a rock up a hill that keeps sliding down is such torture it's part of Greek myth. #Sisyphus 11/x
Security is not just another department, like Finance, or HR. #Cybersecurity must be a fully-integrated executive flex, or it will fail. If the CEO doesn't have your back--actively, and loudly--then you will fail as #CISO. 12/x
So how do you cope if you're a #CISO and nobody has your back? Well, you can consider going to work somewhere else. If that's not an option, you need to focus on self-preservation of your mental and physical health. You will only change so much. Accept the rest. 13/x
Being a #CISO is all about reasoning in the face of uncertainty and accepting imperfection. You will never eliminate risk, you can only manage it. These personal qualities are the Zen desiderata of the profession, and the attitude I will bring to my next outing as a CISO. 14/x
Resilience is the goal. For your enterprise, for yourself. Your employer *will* get popped. You *will*, at times, find yourself the internal screeching minority. How you respond to inevitable failure is the test of both a good security program, and yourself as #CISO. 15/x

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with J.M. Porup

J.M. Porup Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @toholdaquill

Apr 2, 2020
New: My two-month investigation of the bug bounty platforms reveals serious concerns about their business practices, and accusations that NDAs are being used to cover up security issues. 1/
csoonline.com/article/353588… @CSOonline
HackerOne's latest annual report claims they have 600,000 hackers. But do they? More likely 600,000 email addresses. CEO Alex Rice told me in 2019 only 9,650 finders filed valid vulnerability reports on H1. That's a difference of two orders of magnitude. 2/
Bugcrowd is playing the same game. When I challenged their numbers, they were unable to offer any clarification. Both platforms appear to be stretching statistics to the breaking point of credulity. 3/
Read 11 tweets
Oct 16, 2019
THREAD — So many remarkable passages in #PermanentRecord. Here’s what stood out to me. 1/
The ideals of the so-called “Inteligence Community” are to subvert our democracy, destroy our freedom, and to rule us in secret. There was never a golden age when the “IC” was anything other than state-sponsored criminals and terrorists who deserve to stand trial at The Hague. 2/
Technological illiteracy creates a technocracy—those who grok rule those who don’t. Combine with a lack of right to repair laws, and you have a recipe for “technological tyranny.” 3/
Read 35 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(