No Book to Be By

In some cases, hiring a project manager is the most sensible thing you can do.   A seemingly can’t miss action that preserves the status quo while getting the organization where it needs to be.   But it is a huge mistake.  This rant is written with all due respect to project managers everywhere, but read on and I’m sure you’ll forgive me.

Nothing gets the job done like a really good project plan.  The tasks get laid out and assigned.  The milestones have due dates listed.  Resources are allocated.  The paths are critical and the dependencies are dependent on one another.

If you’re in the C-suite and you get handed a list of findings from an auditor, a consent decree from a regulator or a spreadsheet full of vulnerabilities from a risk assessing consultant, you know what to do.  You need a project manager to get the job done.  And since one of the tasks on the list is “hire a CISO” and since the PM is going to get the job done, might as well make the PM your CISO.

This really happens.  I’ve seen it twice (from a distance) and heard about it a half a dozen more times.

It makes sense, right?  It is efficient.  A strong PM is the perfect person to get all those tasks completed and checked off.  And they are usually paid less than people who have CISO experience.  In addition, the GANTT charts alone make the Board and the other executives really comfortable.  Not to mention the fact that a PM working a list according to PM methodology is going to defer to the executive sponsor of the project so the hiring manager responsible for getting the list addressed maintains control of how it all happens.  End to end.  You get to keep it all.  Accountability.  Efficiency.  Methodology.  And GANTT charts.  Security by the book.  Problem is: there is no book.

By putting this article in Security Current, I’m preaching to the choir.  But I am hoping what follows will find its way into the in-box, LinkedIn groups and even printed out and left on the chair of the folks that it is addressed to: those in charge of hiring the organization’s first CISO following the creation of a list of remediation steps hanging over the organization.

Let’s look at those attributes that are usually so attractive in a PM and relate them to the CISO role:

1. Accountability.  The CISO/PM can be counted on to be accountable for getting things done on the list.  But the timing and staffing for those things will be in the hands of others.  So the CISO/PM will be accountable in the way PM’s are: tracking the resources as they are assigned to the projects by their superiors.  And the executive sponsor or steering committee will be accountable for determining if the tasks are being prioritized appropriately.
2. Efficiency.  No question.  Why hire a CISO and assign a PM when you can accomplish both tasks with one resource?  In addition since having a single person accountable for Information Security is often a task on the list, you can mark that complete, too.
3. Methodology.  There are a number of project management methodologies and they are all well suited to taking a list of tasks and ordering them, tracking them and being able at any time to report on the progress of them.  Monthly meetings with the Executives?  Quarterly meetings with the Audits & Examination Committee of the Board?  The CISO/PM can report with confidence on the progress of the remediation plan.
4. Those GANTT charts.  Love ‘em.

If you don’t see the down-side in what you’ve just read then this article was written for you.   If you do see it, go have a hot beverage and connect with me on LinkedIn; we’re two of a kind.

Here’s the same list but from a different angle:

1. Accountability.  The truly accountable CISO prioritizes protecting the information assets of the organization above just about everything else.  So, when a supervisor of a team of server engineers says they can’t get to the patching that the auditors found had not been done in a year for another four weeks because they’re building a new environment that’s been on their schedule for the past 8 weeks, the CISO does not say “ok, those resources are not available for the next four weeks, I’ll list patching as beginning in four weeks from now.”  If the patches are really that long overdue, the CISO does what they can to get patching prioritized above new builds.  They may not get those priorities changed, but they will make sure the person making that call is the appropriate person to accept the risk of that delay.
2. Efficiency.  I argue against efficiency a lot for lots of reasons.  For the sake of brevity here, let me just make this point: the hacker community is like every weed in the entire world trying to take hold in your front lawn completely at random.  Why would you get some really efficient weed killer that just attacks the one your auditors listed in their findings?  To be blunt, the best CISO’s have a little bit of inefficiency built into their way of looking at the environment so they can respond to the unpredictable part of security.   More on that below.  What’s great about a good PM is their focus.  Not the right skill set here though.  Which leads to:
3. Methodology.   The list of remediation steps has 147 tasks on it.   By the time the CISO/PM has taken the findings and input them into a project management tool, the organization might be hacked (again).  Consider the amount of project management steps involved in handling the finding “Anonymous FTP is active on three servers in the DMZ facing the internet.”  The CISO/PM reads it off the list; the CISO/PM enters it into the tool; meets with the network team;  gets them to schedule the change; they implement the change; the CISO/PM marks the task as complete.  A real CISO doesn’t get to the end of the phrase “in the DMZ” before they’re in the CTO’s office respectfully explaining how those servers get fixed (NOW) or taken off the network (NOW).
4. Those GANTT charts.  Still love ‘em.

Finally, here is the most important reason the CISO/PM while accountable, efficient and methodical actually poses a risk to the organization.  The list of tasks they are working off of is a snapshot.  If it has 147 tasks on it and they put a new found vulnerability, say FREAK, as number 148 just below “implement quarterly review of data center visitor access log” then the risk based component of prioritizing has been lost.

And since they don’t have their own information security risk assessment skill set, then even “evaluate risks of new vulnerabilities as they are announced and prioritize remediation efforts” ends up  as a task on the list.  A task  that is accurately assigned by the CISO/PM to the CISO.  Oh. Right.