Tech security honchos walk a tightrope as hacking soars




WASHINGTON — The paycheck is big. The career security is great. But the headlines are a headache.

The job is to guard the key digital secrets of a major organization, perhaps proprietary manufacturing methods of a company, or health records of a hospital system. Or credit card information at a major retail chain. Tolerance for failure is nil.

Yet hackers worldwide are on a tear, and breaches occur at a quickening pace. If something goes wrong, the chief information security officer, or CISO, gets the blame.

“Being a CISO means keeping that résumé polished,” said Chase Cunningham, a security and risk analyst at Forrester, a technology research company in Cambridge, Mass.

Equifax, one of the nation’s big three credit bureaus, announced Sept. 7 that it had been hit by a massive breach, and a week later it said its chief information officer and chief security officer had resigned. That didn’t calm the storm for Equifax, which guards the personal financial history of half of America, and chief executive Richard Smith was forced out Monday.

It is little wonder that some qualified people won’t take jobs as chief information security officers.

Cunningham said the job involves “guaranteed failure.”

“It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come even though it’s a guarantee that (they) will happen at some point,” Cunningham said.

“It’s like playing chess with a blindfold on,” added Cunningham. “You cannot win.”

Tech honchos blame their higher-ups — the bosses who don’t understand the threats, don’t want to spend money in an area that has no apparent return and don’t want to take responsibility when things go awry.

The job of CISO (pronounced see-so) used to be the digital equivalent of stocking the moat around the castle with crocodiles and making sure the drawbridge functioned.

“In the past, it was about defending the perimeter,” said Godfrey R. Sullivan, a former chief executive and current chairman of Splunk, a San Francisco company that produces software to analyze high volumes of machine-generated data.

But Sullivan said conditions have changed. Most likely, hackers have already gotten past the perimeter and reside in target networks.

“The bad guys are in your building,” Sullivan said. Information security officers nowadays have to hone their skills at continuous analysis of data entering and leaving the networks, he added.

Indeed, breaches may be inevitable.

“The long-time folks have been saying, it’s not ‘if’ but ‘when,’ ” said Rich Barger, director of security research at Splunk.

For those caught by headline-grabbing breaches, job security may be shaky, but the shortage of cybersecurity experts is such that landing another job is nearly assured.