As a consultant, I give a lot of advice. There’s one piece of advice that I never give. I’ll never tell you to quit your job, not to your face anyway. There are a few reasons for this. First of all, your company is paying for the advice, not you, so professionally I need to act in their best interests. Secondly, it’s generally precluded by the contracts I have with my customers. Thirdly, it’s just kind of a jerk move.
But frankly, it’s one of the things I’m often thinking. I see good cyber operators in situations where they’re not effective. Their company isn’t listening and is fundamentally insecure. I often feel like the cyber professional is being set up to take the fall for an inevitable breach.
There’s negative unemployment in cyber! For Pete’s sake, why stay at a place that’s going to make you look foolish? Why work for people who are just not listening to you? How can that possibly be worth it?
I talk regularly with people who have suffered breaches. Trust me, you don’t want to be someone who knows in their heart that they did not do the things they should have to prevent or minimize a breach. All the blamestorming in the world is not going to make it right.
So, if you’re now concerned that this may be advice I failed to give you, here are some handy ways to identify a situation that you probably should leave.
All the cyber technology deployed at your company was developed in the last century. You have firewalls, anti-virus, and SIEM, but when you ask for something to stop new threats, your company explains that you already have a bunch of security platforms that you committed to in the 1990s.
You have no ability to react to a breach. No forensics, no response plan, no resiliency.
You have little or no staff. You can buy products but don’t have any people to monitor or react to alerts.
I think a good exercise is to imagine your situation the day after a breach. You’ve been breached. Can you look yourself in the eye and be OK? Did you do the right things? Are you ready to recover? Or are you angry at what wasn’t done and how unprepared you were? Are you thinking of a list of executives who are really to blame?
You know the answer.