I really found this statement intriguing: the CISO's job wasn't to eliminate or even necessarily reduce risk, but to help business leaders take intelligent technology risks, justified by likely business value.
It positions security as a business enabler that facilitates growth by quantifying the relationship between technology risk and business value, partnering closely with executive functions and balancing resilience with business agility.
The company doesn't exist to be secure, it exists to generate revenue.
The CIACD framing raised a question for me about conflating concerns.
CIA is achieved through well-understood patterns and architectures, while deployment is fundamentally an engineering and operational discipline (DevSecOps/SRE/Platform-engineering). In my view, explicitly separating these concerns while tightly governing their interfaces helps.
For example, clear SLIs/SLOs (99.999% availability, i.e. roughly 5 minutes of unplanned downtime annually) while keeping deployment squarely in engineering/DevSecOps can achieve the outcome. Though I'd be interested in your perspective on when tighter unification works better.
One nuance to my earlier statement:
Years ago I read that customers of a retail bank couldn't access the on-line portal because of a DDoS attack. I happened to know the CISO from various industry events, so I sent over a note along the lines of "sounds like a tough day with the DDoS attack."
The CISO called me back.
There was no DDoS attack.
Somebody had misconfigured a router, taking down the on-line portal.
The local newspaper reported the event as a DDoS attack without confirmation.
Corporate comms decided not to correct the newspaper, on the theory that a DDoS attack sounded less embarrassing than fouling up a software update on a router.
Setting: a conference room at a large financial institution, circa 2013
The players: head of infrastructure engineering, Business Unit CIO, me (watching bemusedly)
Head of engineering: < explains DevOps >
BU CIO: so we'll get developer access to production again? Awesome!
Head of engineering: I don't think that's...
Me: rubbing forehead in a futile attempt to fend off an impending headache
DevOps/SRE (combined with platform engineering!) is definitely the way forward.
DevOps without platform engineering is just a mess