evidence that the startling rise of cyber attacks year-on-year has caused boardrooms to recognise the dangers of hacking for companies' bottom lines, reputation, customer retention and employee confidence.
Except at Talk Talk...
Salaries for chief information security officers (CISOs) at leading European firms have hit €1m (£850,000) as the threat of data breaches grows, City AM reports. An experienced CISO told El Reg that only his counterparts in merchant banks could hope for such a salary. "Outside of investment banking I think total packages of £ …
if the organisation's project management culture allows these people to sign off on projects that then, almost immediately, show that they aren't worth the paper they were written on. I could name one organisation that spent ~£633,000 on a new backup strategy that was signed off by the CIO just 5 months before a massive, unrecoverable, data loss incident exacerbated by the design of the new system. I'm not saying any more, because I want to keep my job.
The hypothesis is that if these highly paid individuals DON'T do their job, then they won't get new jobs in that role if they prove to be incompetent. But then the embarrassment factor for the company when they get it wrong means it all gets hushed up and they keep their job because for them to leave would be far, far too obvious.
That's what happened.
*Roughly* £633,000? That sounds quite specific to me.
Some kind of fookin' tape drive that they must have bought! Or was it £500 for the tape drive and tapes plus £632,500 on backup rotation design consultancy and tape changing training.
"Some kind of fookin' tape drive that they must have bought!"
Sounds more like live backup to off-site SAN storage to me, tbh. Which could easily top 600k if you have enough data. Not sure how it would fail to prevent the data loss, though, aside from possibly if they put it in the same server room as the main systems...
I can't say much more, but it was ~£350,000 in capital costs, hardware and software, and the rest made up of ongoing costs relating to staffing, licenses and facilities charges. It was intended to replace an old tape backup system that had been identified as a weak point in the DR, but which proved to be the only source for restoration when the hardware failed. Live off-site SAN backup WOULD be what you think they'd designed and signed off on... snapshotting to the very same SAN, on-site, as they were backing up was what they actually achieved. Heads should roll, but instead it's all being hushed up.
Sadly true. Also, of course, the principle that keeps high cost consultancy organisations in business.
I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons.
The other thing that makes me wonder is that the chief exec's deputy seems to earn about half what the chief exec does, yet must surely be competent to step into his shoes at any time. So are the deputies wildly underpaid or...
I'd love to get some people who think this to actually do some of the jobs these people do and then judge. My CISO does 90 hrs a week, and literally reads 300 pages a night... then goes to meetings about those 300 pages, goes all over the place working on X and Y and grapples with massive problems (like PSD2 implementation, GDPR etc), which if they are wrong could end up with 1500 of us losing our jobs, and 2 million customers not being served. He still does all the other stuff, recruitment etc, and his working day doesn't start until after 16:00, when he can get work done rather than go to meetings. He's on 200k a year, great you think, but what if I told you every time you are on annual leave you get recalled, and you haven't had more than 3 days off in 18 months? It's easy to focus on the money, but not focus on what they do... and the sacrifices. I earn a good crust, 1/3 of what he does, I can take leave when I want, never get recalled, am responsible for a small chunk not the whole... I work hard, but nowhere near his level, I'm in by 08:00, home by 18:00, no extra reading, no logging on in the evening for an extra 3 hrs.
"I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons."
Like these, the first three hits for "Harvard Business review directors remuneration" ?
https://hbr.org/2016/07/improving-the-way-boards-ceos-and-shareholders-interact
https://hbr.org/1999/03/new-thinking-on-how-to-link-executive-pay-with-performance
https://hbr.org/1990/05/ceo-incentives-its-not-how-much-you-pay-but-how
Not even that.
The CISO has been promoted to a full member of the golfogarchy(*), the ruling caste in a golfocracy. His dept has been in the news long enough for the people who have the caste entitlement to use the "I had no clue what my employees were doing" defense in a trial or parliament committee hearing (they are marked with C in the title nowadays).
That, however, applies solely to the CISO. The low caste scum reporting to him is not getting any more dosh or any more budget for technical equipment as a result.
(*)In the meantime, the proles pray for the day when they will have a golf club shoveled up their arse
Sir, please subscribe me to your newsletter. Post haste! Not since Ass Pennies* have I heard a more sound proposition; golfers with their clubs up their asses, yet I'm thinking, yes, they just play through like that! No hands, just assholes with their ass clubs. Thank you, and I look forward to your next issue!
*Ass Pennies® are an invention, and registered trademark, of the comedy TV series:
https://en.wikipedia.org/wiki/Upright_Citizens_Brigade_(TV_series)
The joke is that you shove pennies up your ass, tons of them, then spend them around the town. You then get a positive mental boost from knowing that the person you are dealing with probably handled one, or more, of your ass pennies, thereby giving you a secret business advantage. I know, it's pretty awesome.
Really interesting article on why employees lose their jobs, particularly as it quotes DHR International. Of course, DHR are a master at getting rid of people. When a number of their employees sued DHR in the Employment Tribunal and won bigly, DHR simply put the UK business into liquidation and started again! See http://www.recruiter.co.uk/news/2017/03/dhr-global%E2%80%99s-uk-business-forced-liquidation and http://unofficial-dhr-international.blogspot.com/2015/11/dhr-international-in-united-kingdom.html and http://www.recruiter.co.uk/news/2017/04/ex-ctpartners-consultant-wins-dismissal-case-against-troubled-dhr-global
A cheap one could still say "patch early, patch often" as far as security patches go, don't use obsolete OSes and so forth, and when that causes pain like a patch that breaks stuff or expensive migrations off Windows XP, they have to be able to convince everyone affected that this pain is preferable to the pain of IP theft / malware / ransomware / etc.
I suppose spending a fat salary on a guy would impress upon everyone else "we think security is important enough to pay big bucks for", but it won't make convincing that everyone else of the above any easier.
Actually, it might.
It's an accepted cultural thing in business that a man with a bigger salary carries more weight in discussion. If your CISO costs a million quid a year, he has much more clout to argue for whatever his expert staff say should be happening than a 50k CISO who is there simply so the company can say it has a dedicated CISO.
Sure, the real way of stopping individual bits of malware is to have good techies... but the CISO ought to be able to take what the techies say, convert it into boardspeak, and then successfully make the case that it ought to happen. His odds of successfully making that case are at least partially contingent on his salary being big enough to earn the respect of the other executive board members.
I could do the job of a CSO, but I'll never get the title because I know far too much about security; that makes me a "technical specialist". If only I'd spent time going to dinner parties with the bourgeoisie and learned how to make small talk about house prices and the difficulty of finding good au pairs! Oh well, never mind, back to the PCAPs...
(I know more about non-tech aspects like risk, policy, ISMSes and frameworks, governance and the law than the next two layers of management above me, too, but as they've permanently filed me under "nerd" they pay no attention to anything I say on the subject. Saves me from getting into trouble for explaining what a risk assessment is, again, though.)
Then you clearly don't want the job. All layers of security are short of good people so go and do 2-3 years as an Information Security Manager at one or two places, then get a CISO job in a smaller place. If you're any good at it then in ten years you'll have shed the nerd specs and will be more worried about decent au pairs.
Or stick to what you do because it suits you but don't complain.