[ImPostingOnHN]

the head of security is responsible for getting buy-in from the organization on security measures, that's what makes them the head

"you can't convince someone who doesn't want convincing" is also a weak cop-out that would be totally unacceptable as an attitude of the head of anything. As head of IT Security, part of your JOB is convincing people who aren't convinced (easily played off as 'they don't want convincing' by people who fail to convince them)

if a head of IT Security came to me as a CEO and lamented "the organization isn't doing what I tell them to do", I feel like an appropriate question is, "what do you plan to do about it?" or "what options do you have in mind to get them to?" Every CEO knows security is a pain, they hire executives in order to delegate pains away

[googlryas]

That sounds like the response of a CEO supportive to the endeavor.

What happens when head of security tells the CEO that necessary, important security changes will cut their revenue by 30%?

[ImPostingOnHN]

being supportive of an endeavor doesn't mean being okay with your executives laying key parts of their own job description (remember, it's the CISO's job yo get buy-in, not the CEO's) at your feet and telling you that it's hard to do because "some people don't want to be convinced"

in your example, the CEO might continue to listen while the head of security explains why it's worth more than that 30% loss to secure the systems

examples might include the cost of lawsuits, the cost of regulatory action, the risk of actual harm to people (customers or otherwise), the cost of reputational damage, etc... security has to economically justify its internal projects just like every other department does

[googlryas]

Ok, and the CEO still isn't convinced, because he knows he will be fired and his lifetime earnings potential and reputation will be greatly diminished if the stock dumps like that, regardless of the readon.

Is that still the failure of head of security?

In this scenario, I feel like you've only left room for head of security failure and not CEO failure. Maybe I did the opposite, but it's based on mudge's long track record. Agrawal doesn't really have a track record outside of being promoted at near record pace to CEO in a company.

[ImPostingOnHN]

If the CEO's personal success is appropriately tied to the company's success, the CEO will be, for the most part, incentivized to do what's best for the company

if you don't have a benefit that outweighs the stock dumping like that (in other words, in the CEO's opinion, is the probability of bad stuff happening, multiplied by the downside of it happening, greater than that 30% drop?) then your proposal simply isn't something that should be done

that's not to say the CEO hasn't failed by hiring an executive who can't do their job when it requires soft skills and persuasion

[googlryas]

What's good for Twitter the company and Twitter the stockholders is not necessarily what is good for Twitter users. Security breaches negatively affect the users whose data is breached. It only affects the company if it takes a reputational hit because it was announced that their security was breached. But, will India announce that they forced an insider in Twitter with access to all sorts of user data? Probably not. Will people swept up by India's secret police know that it was twitter that ratted them out? Probably not.

Let's look at a CEO of a cigarette company in the 1940s. The head of health comes to him with strong evidence that cigarettes cause lung cancer and are slowly killing their users. What would the appropriate action for a CEO be? Or for the head of health? Is the head of health a failure if he can't convince the CEO that they shouldn't be selling cigarettes? I don't think so. Because the head of the company might care more about money than about giving people cancer, and that is his choice to make.

Yeah, maybe the company may hit some rough times later, but if the CEO just hides this report, then the CEO can keep making money, and maybe the shit won't hit the fan until the CEO is already retired or dead.

Instead of stopping the sale of tobacco and shuttering the business, the CEO fires the head of health. Then, the head of health goes to a newspaper as a whistleblower saying that tobacco causes cancer and the CEO knows about it. In what world is the head of health a failure here?

[ImPostingOnHN]

I agree that cases involving harming people are exceptional ones for which both quitting in protest and whistleblowing should be on the table, but again, those are exceptional circumstances

an analogy in ITSEC would be knowledge of an actual (not potential) ongoing user data exfiltration and hiding knowledge of that

most ITSEC scenarios are not this, but rather a failure to explain why the potential loss of doing nothing is worse than the actual loss of doing something, just like a CRO must explain why the potential loss of not entering a market is worse than the cost of entering it