[googlryas]

I wonder if Mudge was fired for, basically, being too good at his job. He didn't toe the CEO's line, and was pointing out how the house was on fire, which is not what Agrawal wanted to hear(maybe Dorsey wanted to hear it when he hired Mudge, but Agrawal had different ideas). I suspect that most people who make it ultra high level as "Head of X", are hired more for their organizational/social talents, which oftentimes involves capitulating to those more powerful/higher on the food chain, rather than being actually talented at X. Mudge actually has the bona fides for the role, which is why he got fired (I'm guessing).

[ImPostingOnHN]

It's worth noting that being good at IT Security is in huge part a function of your soft skills, since you should be able to sell security to the org, since your job is to make the work happen, not to identify it and complain that it needs to be done

any amateur can run some automated scanners and issue security diktats to the rest of the organization

[googlryas]

I mean...Twitter hired him as head of security. They ostensibly already cared about security. Or, at least Dorsey did, maybe Agrawal didn't. I suspect he wanted a yes man to offer some minor changes and say "Yup, everything's secure here". Before this, Mudge was facilitating the NSC in ultra high level briefings to provide accurate reports to POTUS. I suspect you don't end up in that position without some strong soft skills. But, as strong as they are, you can't convince someone who doesn't want convincing.

[ImPostingOnHN]

the head of security is responsible for getting buy-in from the organization on security measures, that's what makes them the head

"you can't convince someone who doesn't want convincing" is also a weak cop-out that would be totally unacceptable as an attitude of the head of anything. As head of IT Security, part of your JOB is convincing people who aren't convinced (easily played off as 'they don't want convincing' by people who fail to convince them)

if a head of IT Security came to me as a CEO and lamented "the organization isn't doing what I tell them to do", I feel like an appropriate question is, "what do you plan to do about it?" or "what options do you have in mind to get them to?" Every CEO knows security is a pain, they hire executives in order to delegate pains away

[googlryas]

That sounds like the response of a CEO supportive to the endeavor.

What happens when head of security tells the CEO that necessary, important security changes will cut their revenue by 30%?

[ImPostingOnHN]

being supportive of an endeavor doesn't mean being okay with your executives laying key parts of their own job description (remember, it's the CISO's job yo get buy-in, not the CEO's) at your feet and telling you that it's hard to do because "some people don't want to be convinced"

in your example, the CEO might continue to listen while the head of security explains why it's worth more than that 30% loss to secure the systems

examples might include the cost of lawsuits, the cost of regulatory action, the risk of actual harm to people (customers or otherwise), the cost of reputational damage, etc... security has to economically justify its internal projects just like every other department does

[googlryas]

Ok, and the CEO still isn't convinced, because he knows he will be fired and his lifetime earnings potential and reputation will be greatly diminished if the stock dumps like that, regardless of the readon.

Is that still the failure of head of security?

In this scenario, I feel like you've only left room for head of security failure and not CEO failure. Maybe I did the opposite, but it's based on mudge's long track record. Agrawal doesn't really have a track record outside of being promoted at near record pace to CEO in a company.