Sections

Personal tools

You are here: Home → wikidblog → On the short tenure of CISOs and low-frequency, high-impact events

Recent entries: Debunking "Two-Factor Authentication Debunked by TSB Phish" admin Jul 02, 2008; New Howtoforge article - Postgresql admin Jul 02, 2008; World of Warcraft gets two-factor authentication - your bank won't follow admin Jul 01, 2008; Podwójne uwierzytelnianie admin Jun 10, 2008; ISP issues admin May 30, 2008

Recent comments: Re:Security and Oil admin Apr 25, 2008; Re:Security and Oil Paul feet Apr 24, 2008; Re:100% open source admin Apr 22, 2008; Re:100% open source Adam Apr 22, 2008; Re:Capital Gains Tax Rates and Entrepreneurs Lance Oct 23, 2007

2008/03/20

On the short tenure of CISOs and low-frequency, high-impact events

I came across this post which pointed to this article on how to hedge funds can write a series of naked puts on low-probability events and look like geniuses. I have equated this to the information security market before and I have pointed out other posts about low-frequency, high-impact events.

This is an agency problem in many ways. What occurred to me was that this same logic is probably impacting the average tenure of CISO/CSOs. If you're a CISO and you have not had a high-impact event at your company, then chances are: 1. You will be viewed positively by potential employers; 2. The likelihood of a high-impact event that would be your responsibility at your current employer is getting higher; 3. Any high-impact event at a new job could be blamed on a predecessor for some time.