Ridiculous information security salaries are the symptom of a bigger problem. Why salaries and job ads are superb indicators of your organisation's cyber security maturity, how it can be improved, and why your organisation won't do anything to fix it.
By Eh’den Biber
October has been an extremely hectic month for me. It's been a while since I travelled and worked in so many countries; at some point I slept in 5 different places during one week. Amazing and exhausting at the same time, see the post photo, which was taken along the way.
When I came back, I decided to see if I could identify any shift in the job market, to see if I could make my wife happier by finding a role which doesn't require me to travel so much. Sadly, the results are grim.
Over the years I've developed a sort of mentalist skill: five minutes into a job interview I can already tell the interviewer things I shouldn't have known, such as the fact that they recently experienced a severe breach, have the auditors' blues, or that someone simply left in a hurry.
This brings us to the question: why? How come the responsibility and accountability of a person who takes such a role is not rewarded in the right manner?
HR in most cases have no clue about the role they are asked to recruit for, and yet they are supposed to filter for the hiring manager. They then subcontract the hiring to a group of agencies, some of which have no clue what they are hiring for. I was recently asked by a recruitment agency manager "What is a CISO?". Enough said.
Take home message to hiring manager: Speak with the recruitment agencies, ask for recent references, meet them, or use the ones you trust.
What is your role? What are you supposed to do (objectives)? What are the current KPIs you need to maintain or contribute to? These are basic elements that need to be part of a job description, yet some companies have such unclear job descriptions that you wonder how they could have any metrics for success. Others have a role description that makes you wonder how many FTEs are expected to perform all the tasks mentioned in the ad, only to realise that there will be one FTE, and that is going to be you, if you want to join the madhouse. Once I received a job description that spread over four condensed pages, and when I asked whether they had identified the short-, medium- and long-term priorities, I was told that all of the tasks were high priority and all were required to be done by me.
Last but not least: most managerial roles don't mention the budget you are in charge of, and when you ask what it is (I did) you don't get an answer. How can you estimate whether you're going to be able to fulfil your role if you don't know how much budget you have?
Take home message to hiring manager: Write a role description that includes the role purpose, financial responsibility (at least to be shared at the final stage of the interview), direct reports, role objectives, the KPIs the role needs to contribute to and deliver, qualifications, skills/knowledge, experience etc.
I've mentioned role objectives in the previous point, but we must speak about this because it is where the shit hits the fan in many cases. If you are hiring someone and you want him to succeed, the role objectives should be related to the organisational objectives. However, even when that occurs (rarely), in most cases it's a pseudo-relation, because in most organisations employees' performance measurement is a joke. For most of my career I've been asked to provide my yearly objectives before I received my manager's objectives, and that's because he hadn't received them from his manager. If your manager's performance is not measured correctly, how can any measurement of you mean anything? And if you want to hire a person, how can you hire the right person if you don't know how to measure him?
Take home message to hiring manager: If you can't map the role objectives of the person you wish to hire onto your objectives and the organisation's objectives, perhaps you should work on that before hiring anyone.
Infantile Risk Maturity
This leads us to a much bigger issue, which I can summarize in ten simple words:
Organizations do not know how to measure cyber security risks.
Let me break it down for you:
- Do not know
- How to measure
- Cyber security risks
Here's an example. Remember the role objectives? If your organisation can't associate the risk reduction related to specific role objectives with the role, or god forbid quantify it, how can it really know that the salary it is about to pay that person is correct?
There is a systemic, cross-industry lack of understanding of how to perform risk analysis. It's also size agnostic. Last year I spoke with a person holding a very senior role in an undisclosed large bank. He admitted to me that in a workshop they ran in 2015 his bank realised they don't have the right tools to measure cyber risk. Mind you, this occurred in a huge bank, while most organisations haven't even reached that "A-Ha" moment (thank you, Oprah).
When people don't know how to measure risk, you can't be surprised that they come up with silly salaries for such risk-mitigation-focused roles. If you don't even know how much risk you have, how do you know that the salary you offer is appropriate?
Take home message to hiring manager: If you can't quantify the risk reduction associated with the role you wish to fill, don't be surprised that this "finger in the air" measurement method attracts the wrong type of people, and that the salary you offer is too low. Ah, and don't trust the market average, in the same way that you don't trust the advice of a ship full of fools, or ask for directions from a group of blind people.
Most organisations have three lines of defence: operations, risk, and audit. Your auditors are supposed to provide assurance to the management of the company that it functions the way they wish it to. When it comes to information security, ISACA is the de facto authority certifying auditors, and they don't do their job correctly when it comes to risk measurement, a critical element in the security posture of an organisation. ISACA allows certified auditors to accept point estimates (AKA risk heat maps) as a valid risk measurement. Most of the current risk methodologies are not fit for purpose and should have been decommissioned long ago, yet here we are, in 2017, and risk people are still allowed to use them.
We (in general) have a systemic bad practice of risk management even though there are alternatives. Jack Jones created FAIR (Factor Analysis of Information Risk) in 2005. It has been an open standard for years now, yet you see risk heat maps everywhere, rather than probability distributions.
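To make the contrast between a heat map and a probability distribution concrete, here is an added example that is not part of the original post and not FAIR's own tooling. It uses a simplified FAIR-style decomposition (loss event frequency and loss magnitude, each given as a min / most likely / max range) with hypothetical numbers I have made up for a single scenario, and runs a Monte Carlo simulation to produce an expected annual loss and a loss exceedance curve. The heat map function shows what the point-estimate method returns for the same scenario: a colour with no units.

```python
import math
import random
from statistics import mean

# Constructed inputs for one hypothetical scenario (not from the original post).
# Each is a (min, most likely, max) range, as a FAIR-style analysis would gather
# from subject matter experts rather than a single 1-5 score.
LOSS_EVENT_FREQUENCY = (0.1, 0.5, 2.0)       # loss events per year
LOSS_MAGNITUDE = (10_000, 50_000, 500_000)   # cost per loss event, in currency units


def heat_map_cell(likelihood, impact):
    """The point-estimate method the post criticises: an ordinal likelihood
    score and an ordinal impact score (1-5 each) multiplied into a colour.
    The thresholds are arbitrary, and the result has no units and no uncertainty."""
    score = likelihood * impact
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


def poisson(rate, rng):
    """Knuth's algorithm: draw the number of events in one year for a given average rate."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(frequency, magnitude, trials=10_000, seed=1):
    """Simulate `trials` years. Each year draws an event rate from the frequency
    range, a Poisson number of events for that rate, and a loss per event from
    the magnitude range. Returns one total annual loss per simulated year."""
    low_f, mode_f, high_f = frequency
    low_m, mode_m, high_m = magnitude
    rng = random.Random(seed)                      # seeded so the run is reproducible
    losses = []
    for _ in range(trials):
        rate = rng.triangular(low_f, high_f, mode_f)   # random.triangular(low, high, mode)
        events = poisson(rate, rng)
        total = sum(rng.triangular(low_m, high_m, mode_m) for _ in range(events))
        losses.append(total)
    return losses


def percentile(values, p):
    """Nearest-rank percentile of a list of numbers (p in 0..100)."""
    ordered = sorted(values)
    index = int(round((p / 100) * (len(ordered) - 1)))
    return ordered[min(index, len(ordered) - 1)]


def loss_exceedance(losses, threshold):
    """Probability that a year's loss exceeds `threshold`: one point on the
    loss exceedance curve that replaces a heat-map colour."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarise(losses):
    """The figures a budget conversation can actually use."""
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "p_exceed_250k": loss_exceedance(losses, 250_000),
    }


if __name__ == "__main__":
    print("Heat map says:", heat_map_cell(likelihood=3, impact=4))
    losses = simulate_annual_losses(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE)
    for name, value in summarise(losses).items():
        print(f"{name:>20}: {value:,.2f}")
```

The expected annual loss is the number you can set against a salary or a control budget; the exceedance probabilities tell management how likely a bad year is. Note that the triangular distributions and Poisson event count are simplifying assumptions of this example, not a statement of how FAIR specifies its calculations.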
I have many friends who are part of ISACA; I've even been a director once. So how come ISACA doesn't use its power to push for a change? To understand that, I invite you to watch the following video, which explains it all. It is called "Human Motivation and Zebra Camouflage".
In short: people are driven by the fear of being anxious or in pain and by the avoidance of suffering, NOT by the drive to be happy. Change can lead to suffering, hence people will do anything to "keep what we have" if the new is unknown, and since we have been using the same outdated methods for so long, people stick to them and refuse to evolve until they get hit.
Take home message to hiring manager: If you want to see a real change in your cyber recruitment, you must work with stakeholders to change the risk methodology of the organisation, and you should hold sessions with the auditors to see if that is possible. If you find you can't change the risk methodology, brace yourself for a breach that you will be blamed for.
© All rights reserved, 2018