Something that many people within the information security community rarely give thought to is how difficult and arduous the path to becoming a “Chef” really is. It is not a role as defined by you or me, but rather by the CIA. No, I’m not speaking about one of our most well-known intelligence agencies, but of the Culinary Institute of America.
There are a number of commonalities between an Executive Chef and a leader within the information security community.
I’m not talking about being a cook at your local greasy-spoon, as that’s an entirely different vocation with its own set of challenges and responsibilities. For those who require more clarity, think Anthony Bourdain vs. “Shorty” the cook at your local IHOP.
A true Chef is a long-time practitioner, a master of his trade, and has commensurate responsibilities:
1) As captain of the ship, you set all standards
2) Many people report to you – some who like you, some who resent you, others who are blazingly incompetent
3) You must trust that your people will execute their tasks properly, and in good faith
4) Your people must use the BEST possible ingredients – or technology – to meet the standards that you’ve set
5) There are various disparate functional units vying for funding and authority, and you need to mitigate all of their needs while still fulfilling the business process
6) If your standards are not met and your product isn’t premium, you are in jeopardy of losing your client base. Maintaining quality control is a struggle that you will face at all times
Do these responsibilities sound familiar to the C-levels reading this post? Exactly. A Chef and a CSO/CISO face many of the same challenges.
Recently, as a Chef among Chefs, Howard Schmidt resigned from his second posting as a cyber security czar, this time after approximately two and a half years of service. Schmidt is the perfect example of an Executive Chef: at the top of his game, and very well respected within the industry. Does anyone remember how excited both ISSA and ISACA were that one of us, a real security practitioner and not a politician, was taking a position within the administration?
In the same manner that a short order cook would not have the proper level of trade craft to successfully operate a nationwide five star chain, can we really expect a successful corporate executive to effectively navigate and implement our nation’s cyber security strategy?
While a CSO of a multi-national conglomerate will share many of the same challenges as their Federal counterparts, their respective business models are as disparate as that local greasy spoon versus a true fine-dining experience. Regardless, I was curious how such a doer as Schmidt would fare within the grinder of the Beltway, which puts the grinders of our largest Fortune 100 companies to shame.
Even the most seasoned Fortune 100 caliber information security professional will find that being thrown inside the byzantine world of a presidential cabinet is a daunting and often harrowing experience.
Rather than having to manage hundreds of business units, the executive now has thousands, all with differing hierarchies, mission statements and objectives. Factor in that he needs to achieve consensus with all the executives, as well as establish a globally encompassing threat model. Meanwhile, the consequences of these infosec failures aren’t just the loss of PII (Personally Identifiable Information) or credit cards, but the catastrophic loss of life. Were this not challenging enough, the position itself offers no teeth with which to enforce top-down compliance on other organizations. Effectively, what I’m describing is a complex labyrinth of policies, procedures and chains of authority, coupled with Sisyphean responsibilities and neither the authority nor the capability to fulfil them.
The mosaic of challenges facing our national cyber security executive keeps growing in complexity because of an exponentially expanding threat landscape and the inherent bureaucracy within our government. And, much as within our Fortune-X organizations, the reality is that at the business unit level there are minimal fiscal incentives to do things in the most efficient manner.
In the end, why did Schmidt take the position? Much as a Chef finds his position a calling more than a job, I will conjecture that Schmidt accepted his role because he felt he could make a positive impact on our nation: he is not only good at his job, but he also loves doing the work.
If so, why did he leave? I haven’t seen any formal statements as to why, but I would venture to guess that he simply felt he could offer no more value within the role, because being a paper tiger is an exhausting position.
Now for the last of the epicurean analogies: in his role, Schmidt went from being an Executive Chef of a global chain to becoming a line cook with what is essentially an advisory role, trying to convince other line cooks that they need to play along with his grand ideas. Meanwhile, the uber-executive Chef is somewhere out to lunch. Now to finally beat the culinary analogy to death: what happens when there are too many Chefs working on a single pot? Nothing terribly good.
What we need to consider next is why such positions continue to fail, and why they will in the future. In my opinion, our archaic hierarchical command and control model has ceased to function within the modern era of Cyber/Conflict/Crime/War/Terror. Why? Because attacks are performed under many forms of cover and executed in picoseconds. And when your ISR (Intelligence, Surveillance, Reconnaissance) tools and early warning systems give operators less than a microsecond of notice, little room is left for determining an effective response.
When dealing with such an ephemeral issue as information security, decentralization of control and localized distribution of authority are the only ways for business units to mitigate risk and deal with threats in any effective manner. Furthermore, top-down edicts are lovely on paper, but operationally the communications and directives simply take too long to be effective or rational in every given environment.
When the weight of the decision support and command and control systems prevents tactical execution of national security responses, we have effectively ensured their failure, and the failure of the executives initiating them. Until we have an information security ecosystem where all the line cooks work together, and we give the Sous Chef of each business unit the authority to execute as required for their given market, we can expect to see continual security failures and the 1-2 year game of musical-Czar chairs continue.