YCP Mentor Notes | Owning Cyber Risk
I'm on my way back from Boston where I taught at a SecureWorld conference.
I lived there for eleven years when I was a kid.
What's funny, looking back, was how I took the local history for granted when I was in school.
For example, in class, we'd read about the Pilgrims' landing at Plymouth Rock in the 1600s. Then we'd get on a bus and go see it.
Same thing for the Boston Tea Party, etc.
What a cool experience.
In contrast, there's Enrique Lores. Please don't be like him. He recently said:
“We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.”
Did you see this quote already?
That was Enrique Lores, the CEO of Hewlett-Packard (HP).
The printer people.
He was talking with a reporter. It was his justification for bricking HP printers when owners load them with third-party ink.
Owners are outraged.
I’m disgusted.
I don’t like it when people either knowingly, or unknowingly, throw cybersecurity under the bus for their own gain.
You might think I’m focused on how HP is using security justifications for blocking people from using less expensive, but probably just as good, ink made by other companies.
Yes, but it’s deeper than that.
HP doesn't own the risk when viruses are in the third-party ink cartridges. The people using the printers own that risk.
So they should give users of HP printers the option of either turning on the protection or leaving it turned off.
There’s a very valuable lesson in here for you: On the job, remember who owns the cyber risks you are managing. Respect their decisions about how to deal with those risks, even when you don’t agree.
And, don’t go around grumbling and complaining to other people about the risk owners’ “bad” decisions. Doing that is disrespectful and violates an important reality: People do business with people that they know, like, and trust.
If you let people know that you don’t respect their decisions (especially using passive-aggressive methods), they’ll eventually not like you and not trust you.
Then, it’s game over for you at that organization. There’s almost no coming back from that place of relational contempt.
I’ve seen cybersecurity practitioners make this mistake over and over again. It often costs them their jobs.
How are you going to do better than Enrique Lores?
Hit comment and tell me.
I read every comment you post!
-Kip
Current Resources:
Current Podcast Episode 153: “NIST AI Risk Management Framework, part 1”
What's in the NIST Artificial Intelligence Risk Management Framework (NIST AI RMF)? And, how do you use it? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Trying to get your next (first?) cybersecurity job but you’re feeling stuck? Is it your resume? Interviewing skills? Something else?
Now you can discover and take advantage of the Hiring Manager's secrets and strategies for flourishing in the cybersecurity (InfoSec) industry.
You’ll learn how to:
We have a 4.8 out of 5 star rating, and 1,225 students have signed up so far.
Here’s a recent comment from one of them:
“A must-have course for anyone thinking of becoming part of the CyberSecurity Industry.”
And, please share my “Mentor Notes” with everyone.
Thanks!
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015, after seven years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
Risk Manager For Startups & High-Growth Businesses
8 months
Great reminder on respecting cyber risk ownership and decisions!