Good Security Leaders Feel the Weight

You’ve probably heard me say this many times:

Information security is NOT about information or security as much as it is about PEOPLE.


When I say this, people usually nod their head in agreement, but beyond that it might seem like nothing more than a catchphrase. It’s not. Pithy catchphrases are mostly useless. This quote is a deep personal truth, rooted in a story.

The Story

The story predates FRSecure (2008). The story comes from my last “real job”. I was serving as the information security leader (CISO equivalent) at MGI PHARMA (MGI), a ~$4 billion pharmaceutical company based in Bloomington, MN. MGI was a GREAT place to work and I’d still be there if it hadn’t been acquired by Eisai Co., Ltd., a Japanese pharmaceutical giant. MGI was run by a great leadership team, fostered a great culture, and most of all, owned a great mission. Prominently displayed on MGI’s homepage was our purpose, “Making a real difference in the lives of our patients”.

The way we made a “real difference in the lives of our patients” was through our drugs, most notably Aloxi, a highly effective drug used by adults and children (1 month and older) to prevent nausea and vomiting caused by chemotherapy. Chemotherapy-induced nausea and vomiting (CINV) is a common side effect experienced by many cancer patients (approximately 70%-80% of all cancer patients receiving chemotherapy). The sad thing about CINV is how it can result in delay of chemotherapy or even discontinuation of treatment.

We improved people’s quality of life when they needed it the most. We also played a role in prolonging people’s lives. All of us rallied behind our mission and the positive difference we were making in the world.

We all came together regularly to watch and hear testimonials from our patients and it motivated us to do our best every day.

“As a nurse, I knew that chemotherapy would be uncomfortable, but I felt I could handle it. The nausea and vomiting that I experienced after chemotherapy was much worse than I had expected. In the three days following my first treatment, I experienced severe nausea and vomiting – even the slightest movement made me sick. Before my second chemotherapy treatment, my nurse told me about Aloxi. Aloxi enabled me to better tolerate my chemotherapy without nausea and vomiting. I was able to go back to work and take care of my family again.”

– Joanne, Breast Cancer Survivor


“Before I was treated with Aloxi, chemotherapy was very difficult to tolerate. I couldn’t eat or sleep, and did not feel like doing anything. I saw my oncologist and was made aware of Aloxi. I couldn’t believe what a difference Aloxi made! I was able to enjoy dinner out with friends just hours after my treatment.”

– Ina, Ovarian Cancer Survivor


Stolen Money

Late in 2006, network access control (NAC) was all the rage. Being a “network guy” for 10+ years at this point in my career, I was intrigued. Our workforce was very diverse and distributed, and I felt like NAC was something MGI could benefit from. So, I started doing some research. Long story short, I found a few potential solutions that I thought could fit our needs. I settled on one, and made the $300,000 purchase. Exciting!

The day came when my new toy arrived and the team couldn’t wait to rack it. We tore open the boxes, racked the devices, and got to work. Before the first day was over, we’d made a lot of progress getting this thing configured, but we’d all lost our initial excitement. We weren’t excited anymore because we all realized that this thing was going to be a lot more work than we’d imagined. We also realized that we would not get all the benefits we’d originally expected.

Our new NAC solution sat in the rack. Dark.

It didn’t take long before I realized that I’d failed. Worse, I felt like I had stolen $300,000 from our company’s mission. This was $300,000 that couldn’t be used for much better investments like lowering our drug cost, increasing our marketing to make our drug better known, or more research and development for better drugs. How many more people could have been helped with that $300,000? I’d bought a blinky light at the expense of our mission.


I am hard on myself. Somebody has to be, especially in this industry where there’s a severe lack of accountability. I am the “expert” who’s entrusted to make expert information security risk recommendations. I am responsible for furthering our company’s mission, as is every person working at MGI. While I did not “steal” per se, I did make decisions that led to less money for our mission. Whether we call it money that was “stolen” versus money that was simply misspent, the end result is the same.

I don’t feel guilty for this mistake, I feel convicted. Big difference. Guilt tears us down and fools us into thinking that we’re not good enough to overcome. Guilt is bullshit. Conviction, on the other hand, builds us up by reminding us of a mistake we made for the purpose of being better next time.

The point: Good CISOs/vCISOs know that their performance affects people and they feel the weight of it.
