
Feb 18

Mordac – The worst thing for any information security program

Over more than a decade of direct and indirect work in Information Security, I have found that the success of an Information Security Program in any organization can be summed up with one thing: the opinion the teams have of their company's CISO.

[Comic: "The Preventer of Information Services" by Scott Adams]

There are numerous KPIs that can be applied to a corporate Information Security Program, and those KPIs can be good either because of a good CISO or in spite of a bad one.

Let's clarify things – what is a bad CISO? Bad is not incompetent. When a CISO is incompetent, things fall apart rapidly and the KPIs fail left and right. But a bad CISO is not incompetent. He/she may have a lot of knowledge and experience. What matters is how he/she behaves.

A good CISO builds and develops the program, and advises and collaborates with superiors and the operational teams on both security and tactical ideas. He/she investigates initiatives and changes to the standards, creates new ideas and supports the business's need for speed with new solutions.

A bad CISO pushes and repeats the program steps, only plays politics with superiors and treats the operational teams as minions. He/she changes nothing unless mandated by a regulator, and for any change insists on a new written procedure that will be checked in the next control period.

The comic series Dilbert has the archetypal character of a bad CISO: Mordac, the Preventer of Information Services.

If you can match your CISO to more than two of the following sentences, you have a Mordac:

  • Doesn't deliver any security analysis; instead requests that some other department produce a security analysis and then hides behind it.
  • Doesn't give final approval or a definitive opinion on anything.
  • Refuses to define a minimal or optimal standard, asking that the department write a standard which is then berated at the next control period.
  • When things are obviously within his/her domain of operational work, they get deferred indefinitely.
  • Uses the direct channel to the board as a channel to push his/her office politics agenda – even to the extent of personal retribution against colleagues who may have wronged him/her.

Remove a good CISO from the picture and the teams will still know what good information security practice is, but the lack of direction, innovation and creativity will be felt. Remove a Mordac from the picture and the teams will continue doing what they did before, since they did the work anyhow – but with a lot less pressure.
