In 2012, when Director Mueller created the FBI computer scientist program, it was mainly intended to combat the highly technical attacks of nation states targeting the United States government and businesses within US borders. It was a great honor to be amongst the first 22 selectees and attend the training at Quantico. All of us took the job seriously and were then deployed to our respective offices in cyber and foreign counterintelligence squads. I often joke that these early years were us chasing each other around in cyberspace, watching our foreign adversaries and gathering intel. But this all changed somewhere around 2015, as cyber criminal activity became much more prevalent and targeted businesses of all sizes. By the end of 2016 we all knew this was different and was going to become the new norm.
Now, looking back, we can see that cyber security had its origin in the mid-2010s, and the technologies that we use to combat cyber crime and secure our networks changed fundamentally during that same period. As I speak to companies around the United States and try to determine their cyber maturity, the conversations inevitably come back to how active they have been in managing and upgrading their security technologies over the last six to eight years. Many companies have found themselves saddled with a unique form of tech debt related to outdated and, in many cases, unsupported security technologies, because the conversations around security have been focused mostly on security as an IT issue instead of security as a corporate risk issue. So many of these new IT directors and CISOs enter their new role and are almost immediately working to bring their security posture into the modern age. It’s no wonder that many CISOs burn out and leave the field early in their careers.
So how do we help? I am encouraged when I see experienced CISOs create security support teams and mentorship programs for younger security professionals. In days gone by, most IT professionals expressed that they felt like they were alone on an island trying to manage their corporate environments, and any support programs offered were viewed with skepticism, especially if they were sponsored by technology companies. I am also encouraged that technology companies are trying to be less sales driven and more supportive of these security professionals, offering what they need versus what is the big sale. I often tell security suppliers that they need to take more of that consultative approach with customers, meet them where they are with what they need today, and let tomorrow take care of itself.