"If I'm being honest about our situation, we're on our own when it comes to building out the infosec program," wrote Todd Barnum, CISO at GoPro in his book, The Cybersecurity Manager's Guide: The Art of Building Your Security Program. "Neither the culture nor any executive sponsor will provide much support."
These are facts cybersecurity managers have to accept -- despite the complex and fast-paced nature of the cybersecurity industry.
However, Barnum said, "the level of awareness has generally raised amongst corporate leadership and people in general about information protection."
That's good news, but confusion continues to surround the roles of cybersecurity managers and their teams, as well as what others' responsibilities in contributing to a company's security posture are.
In his book, Barnum discusses the internal corporate challenges faced by security leaders and their teams and how teams should face these challenges.
Here, Barnum explains why security isn't at the top of others' agendas and why people don't fully understand cybersecurity leaders' responsibilities. He also comments on vendors' use of fear tactics and more.
Editor's note: This transcript has been edited for clarity and length.
In Chapter 1, you discuss three truths cybersecurity managers have to accept -- the first being 'Nobody really cares.' Why isn't security at the top of anyone else's agenda?
Todd Barnum: If you're a cybersecurity manager at a bank, your position is super important because the information you're protecting is super sensitive. You can't lose account information, and you can't have theft of people's finances. If you're working at the public library, your position is not as important because there's no information to be protected.
For most companies, other than staying out of the news -- due to a breach, ransomware attack or the latest vulnerability -- security doesn't reach the company agenda. Security is a back-office function. I use an example in the book: Look at your last security incident, and tell me who in the company really cared about it. The fact is: Nobody really cared, except you and your team. Unless it was a big breach or attack -- then they care. They want to meet me and find out what I've been doing.
I say 'don't care' tongue in cheek. It's just not that important in the corporation's priorities. Take a food processing company, for example. Do you think security is as important there? There are companies where it's more important, such as financial services and hospitals. But, in general, for the other 80% to 85%, it's not that important.
Learn about a day in the life of a cybersecurity manager in an excerpt from Chapter 1 of The Cybersecurity Manager's Guide by Todd Barnum, published by O'Reilly.
In response to this truth, you wrote, 'It's all up to you.' How can CISOs help make security a priority for others?
Barnum: There are three ways you can get your program to be valued more by the company. One is through education. As you educate more people, a light will go on, and they'll have an epiphany -- they'll start to get why cybersecurity is important. Education is the best way to go.
The second way involves the ego of the person sitting in my chair. They need security to be more important for themselves. Security is then driven by their own pride and needs to be seen as important.
The third way is through an incident. If there's a breach, we are going to be in the newspaper. Then, we go, 'How did we neglect this area?' This is very important going forward. That's usually when a CISO gets fired and the organization hires a new a new person for the job. Security is usually then elevated on the company's agenda.
My advice: Start with education.
Another fundamental security truth you wrote about is that fear drives the cybersecurity industry. What are your thoughts on this mentality?
Barnum: I use the word industry in the book because I didn't want to alienate the vendors. Vendors come to me every day, and the first words out of their mouths are fear-induced. We are on the heels of what the Center for Internet Security rated the worst vulnerability of all time with Log4j. In reality, it was a nonevent for some of us. But that's how vendors come at you because they want to sell you a tool. That's the fear message. That's what you get from every vendor. It's hard to listen to.
Why don't people, including executives, understand the role of a cybersecurity manager?
Barnum: Few people understand the number of domains that exist in cybersecurity. In the book, I talk about the Deloitte chart that breaks down cybersecurity into 176 different topic areas. And each topic is a huge area to deal with.
My boss often says, 'Wow, I didn't realize, with cybersecurity, we have to think about that, too.' There's always something. But, remember, every company is different. A security policy at one company will look very different than the security policy at another company.
What's the greatest misconception about a security leader's role and schedule?
Barnum: It's more of a lack of understanding than a misconception. I just don't think there are many people who understand the ins and outs of cybersecurity work. I used to work at a company with 60,000 people, and I needed to protect all their devices. With a team of eight or nine people, that's a monumental task. We had 220,000 assets attached to the wire on the network -- that's a big infrastructure.
In the book, I included a daily agenda to show the variety of the tasks cybersecurity managers have to handle. Some include discussions with privacy attorneys, working with programmers for source code development, looking at the router with the networking team and then encryption with database administrators. No other field has that kind of diversity.
About the author
Todd Barnum is CISO for GoPro Inc. Barnum started with GoPro in 2015 and is responsible for the company's cybersecurity efforts, which secure and protect information important to GoPro and personal to its customers. Before GoPro, he held CISO positions at Warner Bros. Entertainment and Amgen Inc. Earlier in his career, Barnum served as a naval officer and held a variety of technology and cybersecurity leadership positions. He holds a master's degree in IT from the Naval Postgraduate School and his bachelor's from the University of Hawaii.