The Security Screwtape Letters

The other day I got a FedEx package containing a USB drive and handwritten note. The note said:

Please provide these letters as a tutorial to your Security Economics readers. They contain timely and important advice for all CISOs.

Security Screwtape

I carefully opened the USB files on a burner Linux box. The files were letters – apparently written by a seasoned CISO named Security Screwtape addressed to a younger first-year CISO named William Wormwood. Anyone who has read this blog will know I consider the letters the most horrible advice ever, but I reprint them here to show how some in our industry are operating.

Filename: Congrats.doc

Dear Wormwood,

Congratulations on your recent promotion to CISO! It is a challenging but rewarding position. Always remember that you walk a razor’s edge between saying that you have it all under control while also making sure to identify problems in order to grow your budget and build your empire. Well, of course you don’t have anything under control. You’ve inherited a bunch of security tools and have no idea whether or not they work. Therefore, you have to always be doing contingency planning. And by contingency planning, I obviously mean planning who to blame when you get hacked. The list of people and things to blame is the CIO, your consultants, the Chinese, the Russians, Covid, and your puny budget.

Create your scripts now so they are ready to use when things get ugly. Also, now is the time to have your friendly Big-4 consultant do a “security assessment” where they summarize how bad your security program is. Then you can blame your predecessor and get your first big budget increase to get you going!

Respectfully, Security Screwtape

Filename: Board.doc

My Estimable Wormwood,

I am happy to hear about your upcoming board presentation. This is an important milestone for you. I have been through many of these and would like to offer my timeless techniques for success. A bad board presentation can really hurt your career, so follow these slide recommendations without modification:

Start with a slide or two covering the latest big breaches in the news, preferably in your industry. Fear is the best motivator after all! Get them scared and keep them awake – they always slot you in right after lunch!

Next, have a slide or two on progress against your new 3-year plan. Show that you will have a major shortfall unless you get more budget. Make sure to warn that not getting additional budget will delay our “move to the cloud.” Executives love to move to the cloud, and they won’t question it because they have no idea what it means.

Next, you need to dazzle them with a lot of metrics. Make sure you show them how many thousands of missing patches you have, but show it is getting better since you entered the scene. Same with phishing. Hundreds of people keep clicking on phishing emails, but not as many as when you arrived. Also, since the execs in the room are the biggest phish-clickers, they won’t question you on it.

Now things get tricky – the Red/Yellow/Green compliance charts. Here you need to walk the fine line between having some “red” items, but not so much that they think you are doing a bad job.

Respectfully, Security Screwtape

Filename: Board2.doc

My Friend Wormwood,

It is frustrating to hear about the silly questions you received from your CIO about your draft board presentation slides. I see he asked you why the percentage of employees that have completed security awareness is green at 90% instead of 95%. Who cares? It is just an arbitrary number! Of course, you can’t tell him that. In the future, for any questions about your red/yellow/green charts, just answer “industry standard” and they will shut up. Of course for any items that are yellow or red, have your “blame script” ready. Why is ISO 27001 compliance yellow? Because of the move to the cloud. Why is application security red? Because the developers don’t listen to directions – but, you can fix that with an enterprise license for an app scanning tool. There is no problem a new security tool can’t fix.

He actually asked you if it is possible to test your security tools to see how well they work? What nonsense! What planet does he come from? You can never know if your security tools work. They are black boxes of AI and machine learning and other things he just doesn’t understand. That is why you must pile on security tools like a squirrel collects nuts for the winter.

The CIO’s other question is more problematic. Can we quantify security risk? Of course not! He has been reading those theoretical Gartner whitepapers and watching too many security webcasts. Has he ever run a Purple Team or studied the latest threat intel? No. He is pandering to the bean counters. Stick to fear. Remind him of the Ransomware threat. The Existential Ransomware Threat. You don’t have time for pie-in-the-sky financial calculations.

Your Grateful Mentor, Security Screwtape

Filename: Damage_Control.doc

My Inconsolable Wormwood,

I am truly sorry to hear that your board presentation did not go well. The fact that they asked about the top security risks to the organization makes me sure that the CIO sabotaged you. They would never ask such a pedestrian question after seeing your well-designed slide deck unless the CIO put a bug in their ears. As you described it, I think your initial response was well done. You shouted out “Ransomware!” and explained to them the private key, command and control, and lateral movement in impeccable detail. They were trying to trip you up when they asked about the systems and business processes that would be most affected. What do you care about the business! You are their defender!

Having said that, I believe you may have gone a little overboard when you said:

“I have a greater responsibility than you can possibly fathom. You have the luxury of not knowing what I know. I have neither the time, nor the inclination, to explain myself to a board that rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it. I’d rather you just say ‘thank you’ and go on your way.”

Regardless, I like your spunk, Wormwood. This was a terrible company that could never understand your incredible talents. Don’t worry, there are lots of jobs for security practitioners, and I will be happy to provide you more career advice in your next job.

Your Proud Mentor, Security Screwtape
