A Tale of Two Security Executives
With the firing of Chris Krebs from DHS, it is instructive to compare his background and competency with our nation's new CISO.

You can learn much about an organization by comparing the executives who are being hired with those who are being fired. To that end, let’s have a brief look at two very different types of cyber security executives passing in opposite directions through the revolving door of the departing Trump Administration.

To start, you might not have noticed that the outgoing President recently hired a Chief Information Security Officer (CISO) for our nation. Way back on November 4th (seems like a long time ago), articles began to appear that Camilo Sandoval had been quietly appointed to one of our nation’s top cyber security positions in October. The previous CISO, Grant Schneider, had quit the job during summer to join Venable’s advisory team.

Like perhaps many of you, I’d never heard of Camilo Sandoval, despite four decades in the industry with my tentacles reaching into the nooks and crannies of our nation’s cyber community. So, I checked LinkedIn and found him to possess a nice resume that was certainly impressive. But it was also a background that would make him patently unqualified for the CISO position in any large organization – much less our country.

Let me explain: When hiring a CISO, and TAG Cyber has been involved in this process many times, the background of the candidate must include extensive experience in senior positions that involve selection of cyber security technology, management of policy and compliance initiatives, leadership of security teams, and immersion in the massive security community. As far as I can tell, Sandoval’s resume would be tossed in any reasonable search process.

Despite having held positions advising the VA in technical matters, serving as a chief of staff at a bank, and spending time in the ’90s as an intelligence analyst, the word “cybersecurity” isn’t even hinted at on his LinkedIn resume. There is, however, the one position that jumps off the page: He spent over a year as the guy directing voter contact operations for Donald J. Trump for President, Inc. This is important work but has nothing to do with cyber.

I would ask that you set aside the partisanship for a moment and ask yourself: Is this a valid background for a cyber security executive for America? Take me for example: Would I have made a better choice? I’ve spent forty years in this area, and no one called me. Take Charles Blauner, or Jim Routh, or Phil Venables. Would any of these fine executives have been better choices? Did anyone in Washington call them? Answer: No.

Now let’s glance across the turnstile at someone Donald Trump just fired-by-tweet (I still can’t get used to that process). Christopher Krebs spent the last couple of years as the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in our Department of Homeland Security (DHS). Unlike Sandoval, Krebs does have the word “cybersecurity” all over his resume, including time spent at Microsoft directing cyber policy.

I can personally attest to his fine approach to the job, and his immersion in our complex community. (He and I sat together for dinner at February’s RSA conference – the last event I attended before the pandemic.) Despite partisan correlation between his government and commercial appointments (he worked for Bush, left for industry during Obama, and returned to government under Trump), I can report that his approach has been anything but partisan.

Now – again setting aside the bias, have a second look at the background of this executive, and ask yourself if he looks like someone worth keeping in government. I believe that you will come to the same conclusion as me: This is exactly the type of person who should be making decisions about cyber security for our nation. His background could serve as a template for the academic, industry, and government experience required for a senior position in cyber.

Here’s another thing: I’ve watched the many sad eulogies about Krebs on TV these past few hours, and I can’t help but laugh. Krebs told the truth and got fired. As his punishment, he will now follow the path of prior fine executives like Andy Ozment who left DHS for a CISO position at Goldman Sachs. If you do the typical salary math on this type of transition, you will measure something like a twenty-X increase in annual compensation. Really.

So, I guess the good news in all of this is that while our nation has inherited a nakedly partisan vote solicitor as our temporary CISO, and while an experienced and capable security executive is now cleaning out his desk in DC and will probably be shopping for a brownstone in Tribeca pretty soon – we can at least come to one conclusion that might help us all feel a bit better: Telling the truth can be lucrative.

Stay safe and healthy.

Doug Meier

National Director, Information Security & Data Governance

3 years ago

Great observation, Edward Amoroso. Chris Krebs' successor's hiring was predictable, not surprising. You nailed it when you noted that his main qualification is having worked for the Trump campaign, not leading cyber security programs. No knock on the man, but Camilo Sandoval's hiring follows an established trend of filling leadership positions, including cabinet positions, with people who are most likely to put president above country. I hope that's not the case with Sandoval. Still, it doesn't change the fact that hiring the best fit for the position has rarely if ever been the objective of this administration. Anyway, thanks for the sanity check. And thank you Chris Krebs.


Edward Amoroso, did you happen to see the testimony of Ret. Army Colonel Phil Waldron in Arizona today?

David Bauer

Managing Partner and Co-Founder Holding Ground Decision Intelligence LLC

3 years ago

An excellent article Ed. It continues to be a shame that political affiliation is more important than expertise in critical fields such as this. As a note, after reading Sandoval's background, I wouldn't consider him for any senior technology executive role let alone CISO - too little time in any position to have made any serious contribution. He's generally unqualified for any role he has been put in during his time in government.

Krebs was remarkably credible during last night's 60 Minutes interview.
