Another inspirational quote on the topic of failure comes from best-selling author Denis Waitley: “Failure should be our teacher, not our undertaker. Failure is delay, not defeat. It is a temporary detour, not a dead end. Failure is something we can avoid only by saying nothing, doing nothing, and being nothing.”
I have been fascinated by this topic of studying failures in careers, and especially cybersecurity leadership decision-making, ever since I became a state government CISO in 2002.
Why?
I’ve had plenty of failures in my career. In fact, I wrote a piece for CSO Magazine in January 2006 entitled "Are You the Party Pooper?" because (as I wrote at that time) “I learned that many internal customers thought of me as the party pooper. I was the guy who always said, 'no.'”
Those early CISO mistakes almost cost me my job, but they also taught me many valuable lessons on how to lead, build a team, mentor others and much more.
Fast forward to December 2023, and Carter Schoenberg, a friend and respected cybersecurity industry colleague, published his book entitled Why Cybersecurity Fails in America.
But before I dive into the book, you may be wondering: Who is Carter Schoenberg?
His description on Amazon says it best: "Carter Schoenberg is a Certified Information Systems Security Professional (CISSP), Boardroom Qualified Technology Expert (QTE), and a CMMC Certified Assessor (CCA). His company is an approved CMMC Third Party Assessor Organization (C3PAO) and has been helping defense contractors prepare for CMMC and DFARs obligations since 2021. He has over 30 years of combined experience in criminal investigations, cyber threat intelligence, cybersecurity, cyber risk management, and cyber law. His expertise has been featured at MITRE’s quarterly Cyber Supply Chain Risk Forum at the request of DOD and DHS, InfoSec World, SecureWorld Expo, and the National Association of Insurance Commissioners (NAIC).
"Mr. Schoenberg actively contributed to the GSA/DoD Final Report to the White House ‘Improving Cybersecurity and Resiliency through Acquisition.’ His work products have been actively used by DOD, Department of Education, DHS, the ISAC communities, Smart Cities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. Mr. Schoenberg also recently co-authored ‘Guidance for Smart Cities and Municipalities Cyber Supply Chain Risk Management (C-SCRM)’ published by NIST. This book highlights how the interdependencies between the U.S. Government, Human Resources, Institutions of Higher Education, Corporate Boards of Director, and Cybersecurity Professionals all contribute to how and why cybersecurity is not more successful."
I first met Carter more than 17 years ago when he was working for Motorola as their client engagement manager and I was the Michigan CISO. He immediately impressed me with his subject matter expertise, attention to detail and strong work ethic.
Over the years, as he switched leadership roles multiple times, moving to different companies and focus areas within security, I have relied on Carter as a go-to expert on many cyber topics, including compliance with federal mandates and much more.
MORE ON THE BOOK: WHY CYBERSECURITY FAILS IN AMERICA
According to Amazon: “This book highlights how the inter-dependencies between the U.S. Government, Human Resources, Institutions of Higher Education, Corporate Boards of Director, and Cybersecurity Professionals all contribute to how and why cybersecurity is not more successful. This book is designed to help security practitioners, human resources, and the C-Suite better understand how to overcome legacy approaches towards enterprise risk management. My sincerest hope is for individual readers to affect change in the aggregate by improving operational effectiveness and efficiency.”
Topics covered include:
- Case Studies and Presumptions
- Why Legacy Risk Modeling Is Flawed
- Safeguarding Versus Resilience
- Impacting Corporate Bottom Lines
- The Failure of Government and Higher Education
- The Failure of Human Resources
- Degrees vs. Certifications vs. Apprenticeships
- The Impacts of Regulations and Change Management
- Cybersecurity Professionals, Get Over Yourselves, Learn the Corporate Way of Life
- How to Attract and Keep the Attention of the Board
I found the stories in the book to be both interesting and compelling. Carter tells us about many different interactions, decisions, successes and failures in his career. He also neatly packs these experiences into a variety of topical areas.
For this reason, I think young cyber professionals will especially benefit from this book. They can learn so much from his experiences and see things, perhaps, from another point of view.
Many of his lessons ring true from my career as well. For example, the story on pg. 33 is similar to my experiences mentioned at the beginning of this piece. Here is an excerpt:
“ISSOs work very closely with technologists, and at the time and even true today, Government CISOs report to Government CIOs – that in and of itself is an issue we will dissect later in this book. As a result of this relationship, ISSOs were generally the voice of “NO.” No you can’t do that. No, because this is a clear violation of policy.
"The CISO's name was Jeff Eisensmith, and I remember a meeting with him from 2011 like it was yesterday. He scheduled a meeting with every ISO. About 50 of us. He made it clear our role is not to say “no.” Our role is to identify issues, define risk exposure, identify alternative solutions and the decision to say no resides exclusively with his office. I LOVED THIS!
"Wow. A Government employee in a high-level position of authority actually grasped the core concepts of risk management. Candidly I was a little taken aback.”
Carter goes on to discuss the importance of relationships, how to repair damages done and much more.
After telling stories and describing failure (and success), he has great tips and helpful nuggets in many sections, such as this one from pg. 56:
“When evaluating risk modeling techniques, it is critical to understand that the outputs are only as good as the inputs. Look beyond impact. Look beyond probability. Understand the nature of the business you support as its cybersecurity representative. Evaluate war gaming scenarios that may result in a cybersecurity event based on the business and not merely technical threats. Identify responses and provide context to your leadership team.”
His section on HR and cybersecurity roles has many great lessons learned and should be required reading for public- and private-sector organizations who are trying to attract and maintain cyber talent.
Overall, I really like the book, and enjoyed reading the stories from Carter’s successful career and the insights he has gained.
CARTER'S TAKE ON RECENT CYBER EVENTS
Before I wrap up this review, I want to offer some insights from Carter on some recent events in 2024. I asked him these two questions:
Dan Lohrmann (DL): What thoughts do you have about the CrowdStrike/Microsoft incident regarding failure?
Carter Schoenberg (CS): The gap in their SDLC obviously caused significant havoc. However, let’s look at the issue with context. When I evaluate the impact against decades of data stemming from actual cyber attacks, I still struggle to see how the news outlets say that this is the worst event ever. I was surprised to learn that only a few hundred thousand assets were impacted from Code Red, Nimda and WannaCry per incident, yet I am well aware of airlines having outages due to MSFT vulnerabilities.
I do believe there is a level of contributory capacity on behalf of Microsoft as the update did not negatively impact Linux systems. But to what extent remains to be seen.
The biggest takeaway, in my opinion, is if this will act as a bellwether event for how boards of directors evaluate the chief executive officer. CrowdStrike shareholder value has diminished well over 30 percent in just two weeks. This equates to billions of dollars in market capital valuation.
I do believe George [Kurtz, CrowdStrike CEO] has acted honorably, and the company has made all best faith efforts to resolve and to reduce the risk of a future similar transaction. All of which I firmly believe should be part of the evaluation criteria by this, or any, board of directors.
DL: Are there any other major recent cybersecurity incidents in the past year you can point to in order to highlight lessons from the book?
CS: I have already enjoyed two cases of success in communicating cyber risk to global companies. While initially these stakeholders were consistent with legacy receivers of information … "I don’t believe this, this is too expensive, it’s never going to happen to me." When translating the material facts into a business narrative and showing the relationship for lost opportunity costs, alignment with resisting corporate risk tolerance levels … at the dollar level … has proven to be a viable means of obtaining buy-in to initiate change management from within the highest levels of a company bringing in over $300 million a year.
Another observation: I recently saw an article in CSO Magazine talking about the cyber skills shortage once again. As mentioned in my book, I do not concur with these assumptions that ... artificial intelligence can be used to overcome cyber skills shortages. I believe that effort will fail.
FINAL THOUGHTS
No doubt, this is a provocative book title. And yet, it grabs your attention. My editors for the books I have written like Cyber Mayday and the Day After have generally wanted a positive twist in a subtitle (like: A Leader's Guide to Preparing, Managing and Recovering from Inevitable Business Disruptions).
One (slight) concern regarding this book is that it is a bit expensive at $35, but I found it to be more than worth the price.
The stories and experiences that Carter shares, which cover people, processes and technology, can help any reader overcome the many failures that Carter identifies in cybersecurity — and help you and your organization succeed in your cyber journey.