The Illusion of Due Diligence: Notes from the CISO Underground
Book Review by Canon Committee Member, Dawn-Marie Hutchinson: The Illusion of Due Diligence: Notes from the CISO Underground (2010) by Jeffrey Bardin
The Illusion of Due Diligence: Notes from the CISO Underground introduces the complicated and challenging career experiences of Chief Intelligence Officer and sometime Chief Information Security Officer Jeffrey Bardin. The Illusion of Due Diligence highlights the relationship between executive risk tolerance and the professional standards of information security professionals. Bardin suggests that the two often intersect in ways that are ethically questionable and even unhealthy for the business.
While I hesitate to advocate The Illusion of Due Diligence as a candidate for the Cybersecurity Canon, the book provides a variety of examples illustrating the complexity of acting as an information security professional. This book provides a powerful reminder that not all of the obstacles to information security reside outside of the organization. Bardin posits that the battle to maintain the confidentiality, integrity, and availability of systems may be lost easily in the day-to-day political contests fought in organizations of all sizes. Bardin’s work reflects an easy style reminiscent of peers commiserating over coffee, trading anecdotes about the internal challenges they face, but, in relying upon what are effectively parables, never quite gets to the lessons that today’s information security professionals require for maximum effectiveness.
The Illusion of Due Diligence confronts the moral, ethical, personal and professional challenges associated with the field of information security. Using a narrative style, Bardin walks us through the day-to-day experiences confronting many security professionals. Beginning with an executive manager who not only failed to understand the role of information security but then actively interfered with the security officer’s function, Bardin relates a story that is common to many information security professionals. Using examples of specific CIO actions to evade compliance, the disabling of critical controls to protect revenue, and competing information technology objectives, Bardin illustrates the challenges that leading information security executives confront. Bardin’s treatment of these challenges places a bull’s-eye squarely on the back of the information security executive, who is tasked with delivering and maintaining a secure environment at a level that reflects the enterprise’s risk tolerance, yet works where enterprise risk management decisions may be made informally, or in such a way that the success or failure of the program won’t rest with the executives making those decisions.
Adequate authority, resources, and reporting structures are the challenges Bardin alludes to amid the technical and political adversaries today’s information security professional must confront. His observation that each of these internal adversaries may be just as daunting as battling nation-state actors, hackers and organized crime represents an important contribution to the literature. Ultimately, while the explicit articulation that managing up and across is one of the most pressing challenges in information security today is useful, The Illusion of Due Diligence never quite gets to the techniques and strategies for doing so and is, therefore, likely to leave some readers’ thirst for solutions unsatisfied.
The book is organized into a series of non-fiction short stories based on the actual experiences of the author. While Bardin makes some attempts at masking the sources of his narrative, it remains clear that we are seeing experiences from particular government agencies, contractors, and other personalities. While the tell-all, behind-the-curtain format has some limitations, Bardin reels in the reader, creating a shared sense of struggle that is quite relatable.
"Being a security professional is a formidable career choice. To do it right you must take an oath of allegiance to your craft that is not welcome in the corporate world that ultimately employs you. The very credentials that make you marketable are, in the end, the very thing that can put you in the job market, again, and again. Taking ethical stands to live up to the code of the CISSP and the CISM takes courage, tenacity, thick skin and the willingness to walk away from an employer."
The challenges facing security executives are nothing new to those who have been in the industry for many years. Bardin, however, creates a narrative that offers an opportunity for many professionals, especially those climbing the corporate ladder, to learn important lessons by observation rather than experience – an opportunity that many would say is the preferred route for those seeking to remain in their position and navigate these challenges.
While the war-stories aspect of the book is endearing, the work is sometimes difficult to follow and, like many works by technical authors, leaves some room for greater accessibility and clarity. In particular, the level of granularity, coupled with strained attempts to obfuscate the identities of the parties, sometimes creates an impression of sour grapes and detracts from the key insight of the book: that managing up and across is among the most important obstacles to success for information security leaders. For example, Bardin relates the story of a wayward business partner, "Ariel," focusing on character development but never fully embracing or exploring the moral, ethical or related challenges of the situation, or how such issues might be addressed pragmatically. Ultimately, it is this missed opportunity for greater depth and exploration of the lessons growing out of each of these mini-case studies that limits what this book might have been: a business-school-like series of mini-case studies that could prepare executives for what remains a recurring set of challenges as the security function and profession mature.
While the book highlights the ethical imperatives confronting many organizations, Bardin sometimes too easily conflates differences of business judgment and risk tolerance with potentially unethical behavior. At its core, information security is a risk-focused discipline, and accepting risk remains a very difficult practice for many information security professionals to stomach. That’s okay, because our perspective is often juxtaposed with many other competing business needs. In the end, we cannot fire all of the employees or shut down the enterprise, even though the result of those efforts would often be near-“perfect” security. In this regard, Bardin could have identified additional tools or techniques to address the relationship between policy and reality. For example, developing and maintaining policy exception processes that create executive accountability is an important tool for driving accountability while preserving the ability to manage and accept risk purposefully. Similarly, The Illusion of Due Diligence never quite highlights the importance of distinguishing between failing to adhere fully to policies or contractual obligations and failing to meet legal obligations, and the different organizational consequences of each. Complaining about the former can often place the information security professional in the role of Chicken Little, or of an adult in Charles Schulz’s Peanuts cartoon. Sound the alarm too early or too often and management eventually stops listening.
At its core, Bardin’s book identifies one of the most pressing challenges facing information security executives: how and when should issues be escalated when multiple business objectives compete with the enterprise’s security objectives? Unfortunately, the book provides little guidance on the structures, tools and techniques that might be used to confront these challenges. While consistency in the application of policies, procedures, guidelines and technical controls, and transparency to management about that application, remains critical, perhaps more important is the recognition that many CISOs would benefit from a broader business perspective. Such a perspective would help them avoid being labeled myopic and obstructionist while remaining true to their role, function and responsibilities within the organization. Although the detail of the narrative provides some juicy storytelling that keeps the reader’s attention, beyond cataloging many common scenarios that can challenge security professionals, The Illusion of Due Diligence does not quite accomplish Bardin’s objective of helping the information security professional forge better outcomes, including securing their existing position.