A CISO’s Day at the Fair

Published On: March 10, 2017

Categories: CISOs, Blog

By Ed Snodgrass, CISO, Secure Digital Solutions

Last summer I played ‘whack-a-mole’ at the State Fair. The objective is simple – hit as many ‘moles’ as you can in the allotted time and the more you hit, the greater the measure of ‘success’. But what’s the ultimate objective? The moles will just keep rearing their heads so long as the game is plugged into the wall. Is the measure of success to hit the greatest number of endless moles – requiring more people with more hammers – or to unplug the game, stopping the moles for good and eliminating the need for a hammer altogether?

In a perfect world, we as security leaders would be able to simply unplug the proverbial game and stop the moles, but that’s not always feasible. On some projects though, it might be. The real challenge is that there’s a preconceived notion of what the rules of the game are. They’re accepted at face value. The only way to deal with the mole problem is ‘x’ or “It’s always been done that way.” And when we step up to the game and give the attendant our money, the idea of unplugging it probably never crosses our minds.

There are virtually no limits to the number of “games” you have to play as a security leader, but as I have learned, the rules are often stacked against us when it comes to security project success. There is good news, but the solution may not be the one funding the after party at the next security conference. It may not be sexy, or the coolest thing to talk about with your peers, but it’s a cornerstone of project success – communication. A recent article on Fortune.com agrees.

“The biggest positive change any organization can make,” the BAE report summed up, “is not necessarily to buy the latest and greatest security product, but to improve its own internal communications.”

So, the moral of the story? No matter how much we spend on the latest and greatest technology, it won’t yield maximum value on its own. To get maximum value from our limited budgets, we need to make sure we are communicating why we are doing the project and the value it delivers to the business. In other words, if the goal of the project is to unplug the game, we cannot expect to achieve project success if the business communicates that the goal is to continue whacking the moles. I’ll take the ROI from a security project that isn’t “cool” but demonstrates clear business alignment and communicates value to the business any day, versus a project implementing the latest technology that is being pushed by millions in marketing, endless emails, and voicemails.

This is one of many challenges in our industry that I am passionate about solving and why we developed the TrustMAPP platform.