Why Is IT and Information Security Rotting at Most Companies?

Seeing the rise in cyber security incidents around the world, a non-IT person asked me what is wrong with the security domain and what challenges make it difficult, or sometimes impossible, to protect systems and data. My explanation starts with a hypothetical startup that grows over the decades and becomes successful. After its first data leaks it decides to take security seriously, and we pick up the story at that point.

The owners, CEO or other senior directors decide to hire a security leader to take care of the organization’s information and cyber security.

Their limited knowledge of the domain, and their endless appetite for power and money, lead them to hire a close friend or relative to build the security team. The new security director’s first task is to find a technical leader for the daily shoveling.

The newly hired security leader then assesses the knowledge of the candidates being selected for the new security team.

As neither the security director nor the security leader comes from the security domain, they hire on sympathy or gut feeling, and they sway each other’s opinions on non-technical grounds.

The newly hired, incompetent team builds a security program that exists mostly on paper, carefully tending to office politics and the interests of the (friend or relative) security head, with whatever limited knowledge of the domain it has.

Potential high performers are washed out early in this process, because they would stand out too sharply against the “company culture”. Such people are the biggest enemy of a lazy and careless team.

Then this non-functional team, with its very limited knowledge, hires new people, tactically choosing the less capable and lower-performing candidates to protect its own territory. Its members use every means to fiercely defend their jobs and their own illusion of knowledge and respect. A potential “thinker” who could actually do the work is the greatest threat to them.

This is why the collective knowledge of a company goes into free fall over the years (and decades), giving more and more room to cyber criminals, and even to insiders, to misuse critical information.

Although this post was originally about cyber security, the same applies to other technical teams and positions, from system administrators to software engineers. I am sure we have all known at least one underperforming colleague who was a good friend or relative of some manager and, despite their incompetence, climbed the power ladder efficiently.
