by ImPostingOnHN 1384 days ago
It's worth noting that being good at IT Security is in huge part a function of your soft skills, since you should be able to sell security to the org, since your job is to make the work happen, not to identify it and complain that it needs to be done

any amateur can run some automated scanners and issue security diktats to the rest of the organization


I mean...Twitter hired him as head of security. They ostensibly already cared about security. Or, at least Dorsey did, maybe Agrawal didn't. I suspect he wanted a yes man to offer some minor changes and say "Yup, everything's secure here". Before this, Mudge was facilitating the NSC in ultra high level briefings to provide accurate reports to POTUS. I suspect you don't end up in that position without some strong soft skills. But, as strong as they are, you can't convince someone who doesn't want convincing.
the head of security is responsible for getting buy-in from the organization on security measures, that's what makes them the head

"you can't convince someone who doesn't want convincing" is also a weak cop-out that would be totally unacceptable as an attitude of the head of anything. As head of IT Security, part of your JOB is convincing people who aren't convinced (easily played off as 'they don't want convincing' by people who fail to convince them)

if a head of IT Security came to me as a CEO and lamented "the organization isn't doing what I tell them to do", I feel like an appropriate question is, "what do you plan to do about it?" or "what options do you have in mind to get them to?" Every CEO knows security is a pain, they hire executives in order to delegate pains away

That sounds like the response of a CEO supportive to the endeavor.

What happens when head of security tells the CEO that necessary, important security changes will cut their revenue by 30%?

being supportive of an endeavor doesn't mean being okay with your executives laying key parts of their own job description (remember, it's the CISO's job to get buy-in, not the CEO's) at your feet and telling you that it's hard to do because "some people don't want to be convinced"

in your example, the CEO might continue to listen while the head of security explains why it's worth more than that 30% loss to secure the systems

examples might include the cost of lawsuits, the cost of regulatory action, the risk of actual harm to people (customers or otherwise), the cost of reputational damage, etc... security has to economically justify its internal projects just like every other department does

Ok, and the CEO still isn't convinced, because he knows he will be fired and his lifetime earnings potential and reputation will be greatly diminished if the stock dumps like that, regardless of the reason.

Is that still the failure of head of security?

In this scenario, I feel like you've only left room for head of security failure and not CEO failure. Maybe I did the opposite, but it's based on Mudge's long track record. Agrawal doesn't really have a track record outside of being promoted at near record pace to CEO in a company.

If the CEO's personal success is appropriately tied to the company's success, the CEO will be, for the most part, incentivized to do what's best for the company

if you don't have a benefit that outweighs the stock dumping like that (in other words, in the CEO's opinion, is the probability of bad stuff happening, multiplied by the downside of it happening, greater than that 30% drop?) then your proposal simply isn't something that should be done

that's not to say the CEO hasn't failed by hiring an executive who can't do their job when it requires soft skills and persuasion