Introducing…The ITC Canary
As all the experts say, and like the Tour and Mont Ventoux, finish at the top. And although I am not a cycling fan, other perhaps than as a means of getting to the station of a summer morning, somehow this seems apt. The ITC Threat Files have shuffled off, at the peak of their powers and untarnished by time. We shall all miss them, but ITC has entered a new era under new leadership and the time is right.
Adieu, then, Threat of the Week.
Which leaves the obvious question and I am apparently the one chosen to answer it; how, precisely, does one replace an institution? At first I don’t quite know where to start, and the blankness of the page persuades me to give Ole a call; don’t try, is his sage advice, but do get on the bus and watch out for SAF, though you’re not him, you’re you, so be you. I ponder this; who am I? Without getting too existential, I am someone who understands this issue at a strategic level, who isn’t technical and is frankly a bit bored by that aspect of the subject, and who brings what he hopes is a dose of reality to what can be a somewhat smug and after-the-fact industry. So that’s me, and so that’s the new blog; a fortnightly and askance look at the industry, the subject, and the problems in both. Generalissimo of the Bi-weekly, I’m calling it, or GoB for the familiar. Probably.
First up, RFPs. Aren’t they ripe for disrupting? All those dry, thoughtless questions which are asked routinely without much consideration as to what the questioner wants to know and are completed with only one thought in mind; what is the minimum I can get away with that isn’t technically an untruth? RFPs should be important (and at decision time they still feel that way), but I struggle to see that many of them are useful. This year already we have been asked for “non-essential, mandatory” accreditations, and, simply, “Can you evidence this” with a drop-down yes/no answer. Who puts no, ever? Please provide a list of your top ten clients, and their annual spend, is also common. That’ll be a no, then; not because we are being awkward, however tempting that might be, but because it’s impractical and just a bit, well, rude. We cannot disclose that, full stop, and nor will we, so don’t ask. But why on earth does the prospective client want to know that anyway? What possible value can it add? If it’s a question about longevity, then ask it differently (and if it is, how would an honest answer tell you that?). If it’s a silent plea for a reference, then ask for a reference (we have them). If it’s something else, then ask for whatever else you want. And herein lies my biggest bugbear with RFPs; done thoughtfully (and some are) they are a great means for an organisation to get what they want, from the right people, at the right price. Too often, they’re not. Effort in, effort out, to end.
Something which becomes more starkly clear to me with every passing day is, still, the dissonance between the cyber security industry and the boardroom. Five years ago, when I left government, this was an issue; it still is. It’s rooted in language; the cyber industry has more neologisms than acronyms, and it has an awful, awful lot of those. Put another way, our key client demographic struggles to understand us. We must, starting now and as an industry, change that. We need to learn to think and talk in a language our clients understand, not speak more slowly and loudly and wave our arms around like a tourist in a Spanish hire car office. This is crucial. It can’t go on. I shall return to this subject in a later blog – and possibly ad nauseam.
Finally, I want to whet your appetite for something I think will be revealing and fun. I have, through a friend of a friend, secured the services of a CISO who will write occasionally in this column and provide an unvarnished view of the life of a CISO, their frustrations with their employers and employees, and their opinions of us, the people who feed them. Don’t bite the hand that feeds? Not a bit of it – this will be revealing stuff. It will, I hope, be the inside view of the security industry.
For clarity, this is a person (man or woman or not disclosed) with no connection bar friendship to ITC, who is not and has not been associated with any ITC client. Again, it’s not a client and never has been. Clear enough? Excellent. It’s just a friend who is a CISO who wants to get something off their chest, hairy or once or no. They won’t reveal their employers past or present, neither directly nor by association. I shall edit and own the output. I shall call it the Secret CISO. Yes, we owe a debt to the Secret Footballer/Barrister/Civil Servant, but then I am not employed for my originality. CISOs, by the way, aren’t employed for long; the average tenure is 16 months, give or take, so we need to enjoy him or her or them whilst we can. Coming soon, to the not threat of the not week.