How to be incredibly unsuccessful at everything cyber security as a CISO

Part one

Far too often, things go unsaid in our industry, so we attempted to take a satirical look at how to ensure you're incredibly unsuccessful in your role. The views and items may offend, or be taken in the wrong light. To those people we apologize. To the rest, we hope it provides food for thought. Here we go... and please feel free to comment if we missed anything important!


  • Do not use open source solutions, ever; rather, buy expensive technology so you can justify your budget next year. And buy lots and lots of it: the shinier it looks on the box, the more value it adds.

  • Money is the only currency you should use as payment for security, not time and effort.

  • Do not get the basics right, because you can always throw something expensive at the problem later.

  • Cultural, sex, and thought diversity do not work; hire like-minded people only, it makes management easier.

  • Do not define a purpose, vision, and strategy, and please do not discuss them in detail at every opportunity.

  • You have nothing to learn, I mean, you are the CISO.

  • The best vendors and partners buy the best lunches. Trust them on the quality of swag, coffee, and entertainment only.

  • Do not keep up with tradecraft and trends; if you have not been hacked yet, everything is fine, and your strategy need not keep pace.

  • Regulatory certifications should be chased for the certification alone; it really helps to wave these around after your customer data has been made public. Integrating them and making them work for you should only be a secondary concern.

  • Internal Audit findings are just findings by a group of people who don’t get it; find the closest carpet, sweep underneath, and address them next audit cycle.

  • Hire expensive consultants for external audit and praise them for telling you what your staff have been telling you for years.

  • Being hit by <Insert threat here> was a technology/partner/people failure, not a failure in your strategy. Just replace the above and move on.

  • Penetration testing, attack simulation tests and vulnerability scans are very much the same thing and test the same defenses; don’t spend here, and if you have to spend, get a vulnerability scan in pen-test clothing to get that awesome tick in the box.

  • Don’t send people to conferences; it’s unproductive time away from the office. And if they do go, make sure they come back and don’t share the experience and learning; it makes it more exclusive.

  • Policies exist to pass audits. You can copy them from anywhere, and do not need to implement the content.

  • Operations will manage the technology. It is not necessary to monitor compliance all the time.

  • Do not be concerned about your or your staff’s EQ or business acumen.

  • Outsource the problem. Google, Amazon and Microsoft will keep you secure, by default.

  • Every problem has a technology solution.