Most hiring in business is functional, with roles tied to specific problems that executives identify. If a company has a marketing problem, executives hire a marketer. Launching a new product? Hire engineers, designers and product managers. A lot of the friction between new staff and their new companies stems from a lack of precision about exactly which problem the new hire is meant to solve.
Then there’s risk and security. Risks are multiplying for all companies and in all domains, from financial risks and supply chain disruptions to climate catastrophes and pandemic-induced workforce debilitation. Ditto for security: the digital attacks on computer infrastructure, physical attacks on employees, and disinformation attacks on brands and reputation have combined to create an almost infinite ‘threat matrix’ of daily terrors.
These are all problems, but not ones that can be solely solved through functional expertise. Instead, they can and must be handled at all levels of an organization. You don’t hire for security, you create security cultures that are imbued in all decisions and strategies. You can’t throw bodies at risk, but must make resiliency and risk analysis a vital and constant concern.
Yet, companies still bring their functional, problem-solving approach and expect that with a human in place, their problems are solved. Companies hire a Chief Information Security Officer (CISO) and expect data breaches to stop, and they hire Chief Risk Officers (CRO) to stave off all those risky concerns. Problem identified; hire made. Those leaders hope to inculcate organizational cultures of course, but talk to any CISO or CRO and they will tell you horror stories about the difficulties of systematizing their thinking into the fabric of an organization.
All this was on my mind this week as I read more about Peiter Zatko (who goes by the online identity Mudge) and his whistleblowing complaint against Twitter, where he was formerly its head of security before being fired by the social network earlier this year. On Thursday, Cara Lombardo in the Wall Street Journal reported that Zatko received $7 million in compensation as part of a settlement with Twitter, that in part included a non-disclosure agreement. As a whistleblower to the SEC:
Mr. Zatko said in his complaint that he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate,” including privacy, digital and physical security, platform integrity and content moderation.
There’s now been extensive reporting on Zatko’s firing, largely because of Twitter’s legal battle with Elon Musk to force him to buy the company, which is set for Delaware Chancery Court in October.
Twitter’s pattern of behavior is all too familiar to security and risk professionals. Twitter clearly identified that it had massive security gaps across its systems. For instance, just last month, a former Twitter employee was found guilty of conspiracy to commit wire fraud, falsifying records and money laundering while spying for Saudi Arabia in a case stemming back to 2014 and 2015. The company’s moderation of speech has been a perennial PR nightmare, and the company also disclosed a data breach in July affecting more than 5 million accounts.
Problem identified; hire made. Zatko was brought on as head of security, bringing his long-standing reputation and stature in security circles to bear on one of the most influential global social networks.
Yet, this wasn’t a hire made, it was an operating system downloaded. Fixing Twitter’s problems would require rebuilding the foundations of the entire company, from retraining engineers and prioritizing security reviews to evaluating insider threat risks and developing much more comprehensive trust and safety systems for content moderation. Security, at least for a time, would have had to become the overriding priority of the company to rebalance a culture that by all appearances is woefully inadequate for the threats the company faces.
Unfortunately, Zatko’s work came at a time when Twitter’s business — and its products — needed extensive shoring up to meet the demands of Wall Street. It’s little wonder then that as he went about his work, he seemed to have an ax to grind.
Security and risk professionals face the daunting task of always making their work stand above daily business challenges. Profits must always be sought, new products launched, and it’s hard for security — even at the most enlightened companies — not to feel like a general tax on productivity. Something must always get the ax, and unsurprisingly, it’s often security and risk that take the brunt of the blows.
Security isn’t a job, it’s a culture. It’s not a person, it’s an organization. Security means overcoming the insecurities of leaders who would rather feign ignorance at the challenges their companies and institutions face rather than devote the resources and attention that the issue necessarily deserves.