Facebook ex-security chief: How ‘hypertargeting’ threatens democracy (yahoo.com)
103 points by longdefeat on Feb 9, 2019 | hide | past | favorite | 31 comments


Alex Stamos is an interesting CISO: both Yahoo and Facebook had giant breaches under his tenure, and he leaves pretty much right after.


According to the article, that's because in both cases they asked him to help in the cover-up, and he refused to bend his ethics like that.


But also according to the article, he’s not a very effective manager and difficult to work both for and with. That’s consistent with what I’ve heard in security circles outside of his infosec microcelebrity friends. You do need exceptional people and political skills to be effective in these jobs, and arrogance is a really bad attribute if your job is to influence.


From the article it looked like he told the truth about the attacks at Yahoo and Marissa lied. I’d leave too under those conditions.

Nice knowing that the SEC investigation backs up his story.


As a CISO it was his responsibility to never end up in that situation in the first place.


This is a very naive view of information security. The most sophisticated approaches to modern security - either in technical app/net sec or in risk management - begin from the assumption that vulnerabilities exist and will be exploited.

Every security team should be proactively trying to eliminate security vulnerabilities. But they will happen nonetheless, and the mark of truly secure organizations is in the way they respond to such vulnerabilities.

At the CISO level this becomes even more important: a CISO is not only responsible for setting the organizational mandates for security. They are also responsible for being the public face which responds to notable security events.


Well, neither Yahoo's nor FB's security teams have eliminated the gaping security holes in question, from which I conclude that maybe he just isn't as good as his "public face" would imply.


I wouldn't hire a CISO associated with multiple large breaches in the past as CISO for my company... I think there would be better options.


And neither would I, but a lot of people here apparently would, if his "public face" is pretty enough.


From what I have heard from a CISO, they often get the job but not the power or budget. That turns them into a scapegoat if things go wrong. The day job is primarily politics to get some meager resources for security from somewhere and raising awareness.


That is only true if management follows your recommendations. If they decide profit is more important than security, then your job is to mitigate as much risk as possible and detect breaches as quickly as possible. Which he did.


Your most important job is to come up with recommendations that are tenable for the business and to sell the business on them. It’s not easy, but that is the job. Shouting that other people are idiots because you told them to unplug the internet and then blaming them for ignoring you demonstrates a lack of maturity required at that level.


A CISO's task is thankless. Beyond financial compensation, which is comparatively lower than the "rock star developers" or executives, the CISO does not get thanked for making the product(s) more secure, ensuring security tends to add more dev time and QA steps which makes everyone working on the product feel like things are taking longer.

The CISO is fighting against the mindset of all other managers in the company who just want to "deliver" the features to make their numbers for the quarter (so they can get a bonus or be promoted), and the developers who are required to "cut corners" both in terms of quality and security in order to ship.

Both Yahoo and Facebook have a history of insecurity that dates back far before the arrival of Alex Stamos, who, as others have said, is the "fall guy" when the leaders of the organisation prioritise short-term profits/growth over the security of users' data.


The compensation for these roles is VP+ level, way more than rockstar developers.


There's a lot that's unenviable about Stamos's position - his compensation is not one of them.


"Success consists of going from failure to failure without loss of enthusiasm."

-- Winston Churchill


Sounds like what someone would do if they got a golden parachute from every failure.


I hope people stop quoting such an awful man responsible for genocide in South Asia. It's a very painful memory for some every time his name comes up.


It doesn't take away from the fact that he is right...


I didn't realize that Alex was part of the Oregon Trail generation till now. Heh, I feel a kinship with him, though we have never met. Having to let corporate types overrule you that security is a secondary concern to profit. And they may not be wrong in the sense that you need profit to survive. But much like burning oil for fuel, our security pollution is building up and the entire world is starting to pay for it.


Oregon trail?



Uhh, I grew up playing the game in public school in the 90s and certainly never considered myself identified by that particular game or felt connected with anyone because they happened to play a game in that series too. That's just weird. There were hundreds of games at the time.


The game was taught in many schools in the U.S. for a while. So many kids who weren't gamers, or didn't have a computer at home, would have played it. That makes it different from the hundreds of other games.


Stamos sometimes has a guest spot on the Risky Business podcast. He's incredibly insightful and candid. Other than Dan Geer, I can't think of anyone else that can articulate the current state of infosec as well as he can.


Direct link: https://risky.biz/RB522 for anyone wondering. (Agree super insightful)


That would be much more interesting, if yahoo.com wasn't so obnoxious with their hypertargeting cookie settings. :|


Yahoo thinks that GDPR is a new cookie law. Let's see how long this idea will fly.


I haven't managed to bring myself to view any webpage owned by the Oath group, of which Yahoo is apparently part, since the GDPR came into effect.

They opt-in by default for dozens and dozens of advertising companies from all over the world, including many from Europe. Some of these companies are considered fundamental partners and one can't even opt out of having one's info pilfered by them. Google and Facebook are apparently two of them... which makes the whole exercise pointless.

I selected to view the privacy policy of one of the partners and when I returned everything was pre-selected again. Scum.


Anyone have a link to the lecture?


him again? come on dude. move on.



