How to survive as a CISO aka 'chief scapegoat officer'

Chief security officers should negotiate personal liability insurance and a golden parachute when they start a new job – in case things go sideways and management tries to scapegoat them for a network breach. And if they blow the whistle, it's best not to sue their employer as well, lest they get blacklisted. Those were among …

  1. Anonymous Coward

    Yes but,

    I agree with this article.

    One point,

    > HR departments operate for the benefit of the employer, not the employee,

    Yes, but. HR reps are required to keep and document some information, and retain that information, and are subject to legal discovery. While you can say the same about e.g. e-mail being recorded for everyone in the company, I personally consider this a higher bar. (It's also "enriched" data - no one has to put together 30 streams of e-mail and try to figure out what's going on.)

    If something is amiss, if you're having any sort of problem in the company with another, make HR aware. You don't have to follow up, you don't have to document it or ask for their intervention, but ensure that HR is aware at the earliest opportunity. If something happens later that appears to be an escalation of this, you have documented evidence of a timeline if needed, for internal processes or external legal processes - and they're required to document it and it will be discoverable. It also gives you something to reference, and perhaps even something to refer back to when you're explaining to HR that an issue is increasingly concerning you: "what should I do here?" Make them tell you, and record, what you should do in that interaction. If they tell you to break the law, it'll be documented, right? :-) So they won't. (If they do, it was a company order, doing your job, documented the problem, yada yada.)

    Overall, ensuring that things operate smoothly is in the best interest of the company. Ensure problems are resolved, ensure that they don't develop, don't escalate, and don't become dirty secrets. Use the HR team -- they're responsible for ensuring that you don't have a problem. Use them _early_ so that you don't end up being a _problem_ that they have to deal with.

    Personal take: If you're having problems at a company, whether from HR or managers, or even just multiple coworkers, perhaps you shouldn't be at that company. Perhaps you should leave of your own accord, before things get bad. Look for something else while you bide your time, and GET OUT. I mean - the alternative is forcing their hand, right? That means you're a problem.

  2. Anonymous Coward

    "never to trust human resources"

    Pratchett's Archchancellor Ridcully offered his expert opinion that an individual ..."would only be a burden to the profession... [that] can look at a sign sayin' 'Human Resources Department' without detecting a whiff of brimstone."

    Understandably the Archchancellor also didn't have a particularly high opinion of comparative fretwork.

    A Collegiate Casting-Out of Devilish Devices

  3. Anonymous Coward

    Is a CISO role really a CISO role if you don't attend board meetings?

    The majority of CISO roles I have seen advertised have not been CISO roles at all, much more like a senior ISO or even just Security Managers.

    I wouldn't regard "Head of Security" necessarily to equal "CISO" either. There is little standardisation in these roles I suppose.

    And if you've actually done your time working in security you should already be well versed on covering your own arse. It should be taught in the apprenticeship programmes.

  4. abend0c4

    I think I'd be inclined simply to do something else.

    Whereas I may be no great loss to information security, creating an ever-more hostile environment is ultimately going to backfire.

    1. Anonymous Coward

      There will always be some creeping bastard ready to pick up any job that even implies C-suite.

      They won't know much about security but they will be gifted in greasy talk, avoiding blame and jumping ship just before the iceberg hits. I'm sure you know the type. They usually do very well.

      If you care about doing the job well you probably have already avoided being promoted too far, been pushed out, or you're so jaded you no longer give a toss.

  5. Anonymous Coward

    not worth the headache

    Was going to be CISO, decided 5 years ago I didn't want the liability.

    I went from being the info sec problem solver to a report monkey, 'cause the new management couldn't see value in things that they can't put on a pie chart.

    glad I'm old and almost done with - everything.

    Enjoy your life! I wish I could but it's too late.

    Tech/work has no real value, find love if you can.

  6. Joe Gurman

    I kind of got the clue….

    …. when the outfit I used to work for changed the name of Human Resources (the organization formerly known as Personnel) to “Human Capital Management.” In my experience, all the employees began pronouncing “Capital” as “Cattle.”

    1. I could be a dog really

      Re: I kind of got the clue….

      For me it was when "personnel" changed to "human resources". One implies that the employees are people, the other implies that they are mere resources - no more worthy of consideration than (say) a forklift, just an item to manage.

  7. Claptrap314

    Documenting email?

    I've always wondered about this. That email is fully under company control. If you make a copy, in any form, and remove it from company control, then you are almost certainly in violation of your employment agreement, and very likely the law.

    And it's been more than twenty years since I was at IBM when they implemented a 99-day auto-delete policy expressly to avoid discovery.

    I'm not saying that there is no value in documenting email--it can certainly buy you a few more months standing on the plank. But actually getting the documents to court? Sounds much more difficult.
