One of Germany’s top X fastest-growing companies is using a hammer to fix a broken vase as its security strategy.

Actors: CEO, CTO, CISO
Location: Germany

Context: This SME (small or medium-sized enterprise), the COMPANY, is not in the financial industry. Its website claims it takes security very seriously.

Disclaimer: We’ve never had any contact with the company. This is all based on our observations of public info, and a few assumptions. We discovered this accidentally.

We don’t know the CEO, CTO or CISO personally. We did have the opportunity to interview this CISO in the past, for a Director of Information Security role at another company, a past client of ours. We didn’t hire him as our client’s CISO.

Our intention is not to blame or shame anyone. It is to point out a real problem we’ve observed over and over. Hence, all the details are removed.

Here’s what most likely happened:

  • Step 1: CEO and CTO agreed they need a CISO. Kudos to them for such a decision and for understanding the importance of security. They decide that the CISO will report to the CTO, so the CTO will be the hiring manager. [assumption]

  • Step 2: CISO job ad goes live, and states that the CISO will report directly to the CTO. [fact]

  • Step 3: CTO hires a security manager with experience in the financial industry as the CISO. [fact]

  • Step 4: Within the first few months, the new CISO starts hiring for more than a few new roles, building the kind of security team that is needed specifically in financial institutions and big enterprises. It is absurd to build this kind of security team, given the industry, type and size of the COMPANY. [fact]

  • Step 5: It remains to be seen.

This CISO is using a hammer to fix a broken vase. The executives hope the vase will be fixed, and provide a budget for even more hammers. You can’t make this stuff up!

Based on our real-world experience, we can anticipate the results:

  • The COMPANY is wasting a huge amount of resources on 2-4 unneeded hires in 2023. That number will likely increase in 2024.

  • The COMPANY will waste even more resources on acquiring all the expensive “cyber next-gen AI” software and training this new team will need.

  • Not only will the new cybersecurity software not improve the COMPANY’s security, it will actually expose the COMPANY to even more security risks.

Being very conservative with the numbers, we came to the conclusion that the COMPANY will waste at least 500K EUR this year alone.

Before we explain how and why this happens in many organizations, we need to mention something we at WIM Security call the Core (In)Competency Factor.

WIM Security’s Core Competency Factor

As humans, we’re heavily biased. Including you. No matter your role, business size or net worth.

Think of someone really smart, with legitimate experience, who is really helpful to you in one domain, like tech, for example. Now think about whether you have given this same person credit for being equally smart in some entirely different domain, like investment portfolio diversification. The chances are, you do this more often than you can remember.

This is in our human nature. And if you’re not aware of this core competency factor, you’ll keep behaving like this. The fact that you’re now aware of this trap gets you one step closer to avoiding it.

It’s crucially important to be self-aware and know the limits of your own core competency.

From what we can tell, what happened in the COMPANY can be summarized as: Wrong CISO hired -> Wrong security team built -> Worse security and wasted resources.

The people mainly responsible for such results are the CEO and the CTO. Since security is not their core competency, they are not capable of hiring a good security leader. Yet they believe they are, most likely influenced by the overconfidence bias.

Once the incompetent security leader is hired, they’ll take the security strategy in the wrong direction.

You can trust us on this: InfoSec is full of incompetent security leaders. We are swimming in incompetence.

One of their characteristics is using the same tools and tactics they used in the past, no matter where they work today. They’re ignorant of real organizational needs and company culture.

What’s the solution? Business executives need to hire an InfoSec expert who can help with the hiring process. And no, recruitment agencies are not the answer. They only make things worse.

We’ve been there, and done that. That’s why we offer our help to those who need to hire security leaders. Get in touch if you need such service.

