When The Security Director Knows He's There to Take the Fall!
Hey. I'm Max Clark. Wanna share modern day realities for security teams. I think now we're supposed to call them SecOps teams because, you know, we love acronyms in tech. And we had DevOps and PeopleOps and HROps and SalesOps.
Speaker 1:Now we have SecOps, which also then means that we have SecOps, security as a service, just as a tangent. Some profile. Okay? Without getting too specific, company is a unicorn. Right?
Speaker 1:So over $1,000,000,000 in market cap, over a 1000 employees, has a dedicated security team. We talk about that kind of profile of what kind of IT resources you have in that size. Usually, depending on how you break down your help desk service or what your, like, traditional IT function is. Then if you have network engineering, any sort of, like, database team, specific application team, like, that's your IT team. You know, for 1,000 people, hopefully, you've got more than 10 people on your IT team.
Speaker 1:You should be, like, somewhere between 15 20. Otherwise, people are probably so burnt out. They don't even know what's going on anymore. If you're a a tech company, obviously, you have a lot more people in IT. Actually, probably not IT.
Speaker 1:Probably call them engineering. You have a dev ops team, and then you have an engineering team. You have a software development team, and and you might have at that point, you know, 200 engineers actually developing software. But then if you think about it and you go back and you look at what your actual IT team is maintaining your infrastructure and your actual internal resources for your employees, you're gonna have a small team. And thankfully also with automation and tooling nowadays, if you're not running an MDM or UEM, go out and get one because they will make your people's lives much better and make it much easier for you to manage your devices.
Speaker 1:Okay. Anyways, so this company so we said Unicorn, 1,000 employees, reasonable size IT team, actually has a dedicated security team. That security team has 4 people on it. There's a manager and 3 people. That's actually a pretty large team.
Speaker 1:Now what came out and the reason why they have this team and why there's a dedicated security function is because of compliance mandates. They have compliance mandates that they have to adhere to in their business. What their business does actually also generates an actual need for them to have this presentation and security. So I'm talking with the director of the security team, and let's just call it, like, just venting therapy. You know?
Speaker 1:Like, just what's going on, what they're dealing with, what I'm seeing, you know, with other clients and other companies, what's normal, what's not normal, what are they doing, you know, how does he manage his day to day life. And the thing that he said to me was to paraphrase or something along the lines of he's well paid and he has no real ability to make a meaningful difference for the business because of budget and handcuffs that are placed on him. So what he can and cannot do and how he can and cannot influence things within the organization. And that he knows that he is there effectively to check a box. So that way, the company can say they have this function and also to serve as the fall guy. So when something does happen, and he expects it to happen, it's just a matter of time.
Speaker 1:And, you know, as much as they try with the resources they have available to them to prevent something from happening, he knows it's not you know, it's just their threat surface is just too big. The value for, you know I mean, outside of just some sort of automated ransomware style attack, the value of their data, of their logo is just too high. It's just a ticking clock. You know? Like, it is just a ticking clock.
Speaker 1:And, of course, he hoped that when it does happen that they're able to contain it and prevent it as much as possible. He's looking at this like a, you know, not even a prevention at this point. It's just a detection and containment as quickly as possible to limit damage. Right? But very much in this position mentally where he knows that his job you know, he's there.
Speaker 1:So that way when it does happen, he's the one being shown the door. You know? And it gives the company and executives above him the ability to say that, yes, they have it, meet their compliance obligation, and then also, hey. It was that person's fault that this happened. Out you go.
Speaker 1:I've been in similar situations. Personally, I've been in similar not this, like, specific example, but I've been in similar things. It's incredibly depressing to be in this role. Right? And it's incredibly depressing to be on the other side of the conversation and to listen to somebody who is earnestly trying to do the best they can with the resources that they have available to them and genuinely wants to improve things and protect the business.
Speaker 1:And really, when we start talking about protecting the business in this case, protecting the jobs of everyone else working for the company. If you have a significant event that results in loss of goodwill, you know, downtime, significant outage, loss of revenue, loss of client, you know, public perception, like, whatever these things are, the long term effect of that. I mean, it's I always say long term. I mean, the relatively, like, short to medium term effect of that usually ends up becoming expense rationalization. And the fastest lever that a company can pull on is employment and layoffs.
Speaker 1:If a company loses 20, 30, 40 percent of its revenue and doesn't have a path to replace that quickly and doesn't have a long runway in the bank of capital to pull on, you know, there's not very many decisions that company can actually do in order to maintain. Like, it's just a reaction, you know, that happens. And it's a weird position to be in. It really kinda, like, to solve an answer for this. And I feel like there's a lot of things in tech and IT that fit in these ones.
Speaker 1:I rant about this all the time. People that are doing purchasing based on trying to say, you know, what's the ROI for this? There's a lot of things in IT that do not have measurable ROI against the purchase cost or the contract cost. Cybersecurity, for one. Things that have ROI attached to them can be measured because they have an impact on your productivity, or they have an impact on your revenue, or they have an impact based on reducing expenses, which is probably productivity. If you're trying to measure ROI, you're measuring ROI against a financial metric that's in one of those buckets.
Speaker 1:We can make our team more efficient so we can do more work with the same amount of people. Okay. We can measure ROI with that system. We can move into a new market, or we can service more customers, and we can generate more revenue. You can measure ROI with that.
Speaker 1:We're currently spending this much money on something, and we're gonna change it. We're gonna bring this other system into play, and that's gonna reduce our overall expense, which usually also means you're gonna gain efficiency as well and probably revenue increase. We can measure that ROI. Let's talk about things that you cannot measure in terms of ROI. You cannot measure well, you can measure the cost of outages.
Speaker 1:You can say you know, let's say you're office based. If your office is offline for 2 days, what's your loss in productivity? And then you come up with a number, and you can say this is the potential risk threshold. I have not seen very many companies actually use that as something to contract to mitigate that risk. You know, let's just say $1,000,000.
Speaker 1:Let's say if you have an outage at your office and it cost you $1,000,000 in lost productivity because people can't work. You can't fill orders. You can't service customers. People can't come in. It's a little bit antiquated nowadays because hopefully you're mostly cloud based, and you have, the ability to work from home.
Speaker 1:But let's just go with the example for a second. Let's say it's a $1,000,000 outage, and let's say there is for a $100,000 or so for 10% of the potential risk on the table, you can alleviate that $1,000,000 outage. The buyer's mentality and psychology that then comes into play is, oh, well, you know, we're probably not gonna have that outage in the first place. So if we do have the outage, it's gonna cost us a $1,000,000, but we're probably not gonna have that outage. So, therefore, if we spend a $100,000 to prevent this outage from happening, then, you know, we're just we're wasting a $100,000.
Speaker 1:We've increased our expenses for a $100,000, and we have no return on investment to show for. Right? And, again, when that event does happen, you know, let's say the outage occurs and you save yourself that $1,000,000 outage, there's not a correlation process that then runs and say, hey. You know, our ROI on this $100,000 was 10 x. We saved a $1,000,000 here.
Speaker 1:You know, like, this was positive for the business. It's very disjointed and disconnected. And this also comes up in other places. Right? And I think risk mitigation is a big place where I see this a lot.
Speaker 1:And I'll I'll say risk mitigation from a sense of backups, disaster recovery, business continuity, cyber security. These areas, they're very difficult from an ROI standpoint to quantify and say, if we deploy an EDR, it's gonna cost us x dollars per device that we have to have this EDR running on. And now we have a quantifiable reduction in risk or potential exposure, and so therefore, our ROI is zed. It's not connected linearly. Backups.
Speaker 1:We have to have backups for our data because if we have an outage, this is gonna be the impact of the business. By the way, best case scenario is you have an impact to the business that's a few days that leads to then staggered, you know, return to operations. And a lot of cases, disasters at these scales can lead to the business failing. You know? And this is actually way more fragile than people really anticipate or think, but you cross a point where your customers stop doing business with you and they don't come back.
Speaker 1:And if you have an outage of that length and you've crossed that point where your customers are making alternative plans, once that starts happening, that revenue doesn't come back to you. And that becomes a death spiral of the business just going out of business as a result of whatever event it was. So cybersecurity, backup, disaster recovery, business continuity, these are the areas I see this in the most in terms of that disjointed ROI, you know, trying to come up with some sort of ROI. What you're really investing in is you're investing in the survival of the business. I mean, that's what you're investing in.
Speaker 1:You're investing in the survival of the business and the continuous employment of your employees. That's what you're invested in. I've asked anyone who's had a cybersecurity event or data loss or a disaster that required some sort of DR, disaster recovery, or business continuity plan. Ask them about the event that they went through and what their takeaways were from those events. And I will tell you that any single person that went through that is absolutely not gonna be in a situation where they would like the risk is not reasonable anymore.
Speaker 1:If you've had the experience, you don't accept the risk. There is never a conversation with anybody that's gone through this process on any of those situations that say, oh, you know, the likelihood of it happening isn't that high, so we don't have to spend the money to protect against this thing that I don't think is gonna happen because it's never happened to me. You have a lock on the front door of your house, not because you've been burglarized, but because you know the risk to you is not acceptable because the amount of people that have been burglarized for not having locks. You have a lock on your door. You should have backup.
Speaker 1:You need to have a cybersecurity program that makes sense. Why? Not because you've experienced the event yet, but because you don't want to experience the event. You don't wanna experience the event. You don't wanna have data loss.
Speaker 1:You don't wanna have ransomware. You know? And, look, there's no such thing as perfect. You know? My wife tells our children this.
Speaker 1:You know? Like, it's a thing. You know? We're now at the point where myself or my wife make you know, say something, oh, it's perfect. Our boys will say, nothing's perfect.
Speaker 1:And you're like, yeah. You're right. Nothing's perfect. You know? It's almost perfect.
Speaker 1:You know? Nothing's perfect. There's no perfect in data, you know, and backup. There's mostly perfect. There's no perfect in cybersecurity.
Speaker 1:There's mostly perfect. And there's tiers of this. And it's not like a you know, like, oh, we've implemented EDR, and so now we're 10% more protected. Like, a lot of these things you get huge step ups on, you know, huge step ups on. Anyways, I'm gonna circle back around to where I started with this whole thing.
Speaker 1:This conversation was depressing. It's depressing because of the consistency of it and the, you know, futility of the position almost and just the awareness, the futility of the position. It's also depressing because in this case, if an event does happen and there is a significant cybersecurity related breach and this person does lose their job because that's their role, another person's gonna come in, and that person's gonna come in and get a blank check to fix this from happening again because in the organizations, it's gonna have the bowel damage. It's gonna have a scar tissue, and it's gonna know it doesn't wanna do it again. So it's gonna invest in the infrastructure necessary to prevent it from happening again.
Speaker 1:So now we have somebody who wants this stuff and wants the resources to prevent it from happening, who won't be able to get it, will be shown the door, and the next person's gonna get it. And that's the frustrating thing, and that's just the position a lot of people are put in and a lot of companies put their teams into, and it sucks. It just sucks. This is just a sucky thing of IT that until you've had a DoS attack, maybe you don't invest in DoS mitigation. After you've had a DoS attack, you invest in DoS mitigation because you don't wanna experience it again.
Speaker 1:After you've had data loss, you invest in backups. After you have an office go offline for a week, you invest in DR. After you have a cybersecurity incident, you invest in cybersecurity. There's no ROI on these things in that sense of, like, being able to say, oh, we increased our revenue x dollars, but you've learned the lesson of don't do that again. Just don't.
Speaker 1:Anyways, rant over. I'm Max Clark. You know, like, maybe this helps you. Maybe it doesn't help you. Maybe it's just venting because I needed to vent.
Speaker 1:If you've got a story along this, I'd love to hear it. Seriously, I'd love to hear it. Comment. Tell me your story. What happened?
Speaker 1:You know? If you can't do it publicly, send me an email. Call me. It helps to talk about these things. It does.
Speaker 1:We can't fix them, but it helps to talk about them. All I can do is just be here to listen and talk to and just share some more stories, you know, so to speak. Happy to do it. I'm Max Clark. Have a great day.