Last week, when a senior security executive at Twitter, Peiter "Mudge" Zatko, filed a whistleblower report, it was the first time such a damning move was made against the CEO and Board of a publicly traded $30 billion market cap company. At the core, this blowup highlights a fundamental challenge of security - being a CISO is a thankless job. Almost 24% of Fortune 500 CISOs last in their roles for just about one year. The average CISO tenure is ~18/24 months. How can our businesses stay secure in such circumstances?
A CISO is the vanguard of a business’s immune system - always alert, managing risks, quietly tackling the unwanted while ensuring the lines of business thrive. But when a CISO does not have top-level support, the oxygen is choked off and the immune system is compromised. Frustrated, overworked and often the fall guy, the CISO is an unsung hero of modern-day cyberwar. Instead of being seen as a trusted executive, reducing risk and enabling business growth, the CISO is seen as disposable, promptly discarded after a major breach. How can we change this? What role can the CEO, Board and employees play to build a more resilient cyber posture?
Let's start with a picture of Twitter's inner workings - the 84-page whistleblower report is a bit more than 140 characters. Can you spot the patterns within your own company?
- IT Service calling, what's your password please: A group of 17-year-old hackers called Twitter employees, pretending to be IT support, and gained access to their passwords. The teenagers had widespread access to “God” mode. They took over the accounts of Barack Obama, Joseph Biden and Elon Musk, to name a few. Sharing passwords with strangers on the phone is not a great idea. On the flip side, as many as 5000+ full-time employees had privileged access to Twitter's entire production systems. Role Based Access Control (RBAC), often used to manage access, was non-existent. All engineers had access to production systems and it was indeed a “free for all”. And it gets worse.
- Logging? They do that in Montana: There was no logging (of data, not trees) whatsoever - who went into the environment and what they did is tracked in most organizations. Not at Twitter. Over 3,000 employees had their devices disabled for software and security updates. So you had insecure endpoints, no logging and no Mobile Device Management (MDM). The company had zero visibility or control. While others have zero trust, Twitter was languishing in the dark ages of zero visibility.
- Data security be damned: On Jan 6th, when the Capitol was under attack, the Twitter security executive “Mudge” wanted to ensure the integrity and stability of Twitter’s service. It was a period of heightened risk and he wanted to make sure the systems were protected from any insiders, rogue or disgruntled engineers. But he learned that there was basically nothing he could do. Nobody knew where the data lived. Which data was critical, and what is the best way to protect it? Nope. There were no backups. And as all engineers had some form of critical access to the production environment, anyone could essentially detonate the guts of this social-media machine. It’s a minor miracle nobody went nuclear.
Ravi Ithal and Amer Deeba of Normalyze Security have built one of the industry-leading data security platforms. Their company is backed by Lightspeed and Battery Ventures. They shared that the leading technology companies are adopting an automated approach to ensuring data security. “It’s easy these days to auto-magically discover, classify, validate all data – including shadow datastores, abandoned data stores – across all cloud accounts. Security teams to stay in lock step with data and engineering teams” says Amer Deeba.
- Governing like dancing in the dark: On multiple occasions, executives expressed their belief that the best type of Board was one that was uninformed. To keep the Board hands-off and mostly out of Twitter's business, it was best to leave them in the dark.
As we look at the Twitter cyber-saga, all of the good cyber practices sound so utterly obvious - don't give passwords to strangers. Make sure you have a logging policy. Secure & update the employee machines. Plan for data security. Make sure the board is up to speed on cyber risk. Yet none of it was put in place. All this chaos, at a leading technology company in the heart of Silicon Valley, supposedly at the forefront of best practices.
When I reached out to my CISO friends in the industry, they bluntly told me that they see such poor hygiene everywhere. One Silicon Valley CEO with 20 years of security expertise brought me down with a sobering observation: “Why are you so surprised? We see this pretty much in every major enterprise you can imagine.” It’s just that Twitter blew up into the open while the others have not. At least, not yet. Mark Zuckerberg once described Twitter as a clown car that fell into a gold mine. The clown car generated $5 bn in revenues last year -- yet failed to fix its basic cyber posture. Nor could it build empathy for its CISO.
Rick Snyder, the former two-term Governor of Michigan, has been Chairman and COO of a multi-billion-dollar public company and a VC across two funds. Managing high-performing teams in complex environments comes as second nature to him. His gubernatorial campaign was built upon the mantra of relentless positive action. He recently launched SensCy to proactively help develop cyber resilience. Their stellar team includes the former CIO of Michigan, David Behen, and Raj P., who built a national security practice over two decades. Within weeks of launch, SensCy has attracted customers who see the value of a deterministic approach to managing cyber risk. “A trusted positive relationship with a customer is one of the simplest paths forward in building the next big cyber business. For SensCy, it’s day one” says Snyder.
Building Empathy for the CISO:
- We have your back: When was the last time a CISO got an assurance from their CEO or Board with a statement like “We have your back. Let's work together”? Probably never. When was the last time a board asked the CISO, how can we help improve our cyber-hygiene? Not as often. In fact, it's quite the opposite.
Gaurav Banga, CEO of Balbix (who has raised several rounds of funding from investors like Mayfield and former CEO of Cisco John Chambers), pointed out that “when the CISO, CEO and the Board can achieve alignment, everything moves like magic. It often begins at the top.” In this day and age when most security vendors are driving fear, uncertainty and doubt (FUD), Balbix and SensCy's approach towards alignment and positive action is a tectonic shift. If the CEO of Twitter had the board and the CISO all on the same page, aligned and rowing towards the same destination, I doubt we would have seen such a storm.
- Managing security budgets, not compliance penalties: Not only do CISOs have to do more with less, they are caught between the jaws of compliance penalties and aggressive adversaries. In recent years, AWS has been slapped with a $750 million fine by a European privacy watchdog. T-Mobile settled a data breach class action by coughing up a hefty $500 million. And British Airways paid over a $200 million penalty for a data breach. The list goes on. The various federal agencies like the SEC, DoD, DoE, TSA and CISA are all gearing up to increase reporting, vendor risk mitigation and oversight. One frustrated CISO told me that keeping up with these is more than a full-time job. And it's a no-win situation - if we get clobbered by the bad guys, the regulators step in to rub salt in our wounds.
Anirban Banerjee, CEO of Riscosity, has built and sold two security startups. “The CISO is caught between a rock and a hard place - on one hand, you have to pass the auditors' compliance checks. Doing it in a budget-friendly, practical, automated way is not easy” he says. At Riscosity, he is enabling enterprises to perform software supply chain governance. If a compliance officer needs to look at their API maps, understand where data is flowing, and check whether it meets ever-evolving compliance standards, Riscosity enables all that and more with a few clicks. I’m sure if CISOs had a balanced security posture, they would not have to burn as much as $200m or $500m in penalties.
- Risk metrics over illusions of progress: No matter which Ponemon / SANS market study we look at, the state of the industry remains terrible. 50% of all servers in Fortune 500 companies are unpatched. In some companies, as many as 90% are unpatched. One VP at a $10+ bn company told me, “I’m scared we will break something if we patch”, so we carry on and forget those patches. In F500 companies, it takes almost half a year (150+ days) to complete a patch process. Eight months after Log4j broke out, some are still fixing it. What should take hours often takes months.
In such a state of affairs, the singular question that matters in most companies is: what is my top risk? Am I getting any better - month over month, year over year? As one CEO told me, “Most security teams are scattered - running around dousing false alarms and chasing their own tails.” How should companies prioritize their risk posture and systematically reduce the risk?
If the CEO and the Board are largely disconnected from security and risk conversations, the CISO cannot monitor this, has to fight for budgets and eventually stops caring. And then they get up one morning, give up, refresh their resume, and get ready to leap onto the next rung of the cyber career ladder.
Yet as the Twitter story warns us, sometimes the ladder is leaning against the wrong wall. It's only after you get to the top that you realize that you should have been elsewhere, ideally where they have more empathy for the CISO.
(Disclosures: (1) A former version of this article incorrectly stated that Peiter "Mudge" Zatko was the CISO. He was a security executive at Twitter. The CISO of Twitter, Rinki Sethi, left Twitter in January 2022. (2) Secure Octane is an investor in 20+ cybersecurity and data companies, including SensCy, Normalyze, Riscosity, Balbix.)
Good article. Very salient points all around.
Global Data Privacy, Responsible AI, Risk & Security Compliance Leader | Board of Director - ISACA-SV | Board of Director - NGN
2y: Wow !! Shocked to read on the lack of basic security and privacy at Twitter. There is a lack of regard for their customers with this enterprise.
SVP-II - Head, Business Information Security
2y: What a bomb! Loved reading it. Hardly ever do we see truth and wisdom being told in such nakedness.
President, Lockhart Group, Inc.
2y: This has been a big problem at many states where purchasing ignores required NIST standards in an attempt to save a few dollars on the front end by contracting with insecure vendors. The CISOs apparently have no authority to override bad cyber security practices. The result has been costly for many states and their taxpayers.