(Scape)goats travel under the bus

By Mike Rothman

This drink is best served with a severance package...

It’s funny how certain data points get manipulated to bolster the corporate message. At least how the trade press portrays them, anyway. If you read’s coverage of Veracode’s State of Software Security report, you will see the subhead that the CISO is really the Chief Information Scapegoat Officer.

CISOs are often the first victim following a major security breach. Given the prevalence of such breaches, the average tenure of a CISO is now just 18 months; and this is likely to worsen if corporate security doesn’t improve.

That’s true. CISOs have been dealing with little to no job security since, well, forever. What’s curious is how the article goes on to discuss software security as a big problem, and a potential contributor to the lack of job security for CISOs everywhere.

The problem, suggests Chris Wysopal, co-founder and CTO of Veracode, is that “A developer’s main goal usually doesn’t include creating flawless, intrusion proof applications. In fact the goal is usually to create a working program as quickly as possible.” The need for speed over security is what creates the buggy software that threatens the CISO.

These are all true statements. But as math people all over the world like to say, correlation is not causation. There are many contributing factors making CISOs scapegoats when the finger-pointing starts after a breach. And it is much simpler than poor software coding practices. I can sum it up in 3 words:


You think the CEO is going to take the fall? The CFO? The CIO? Yeah, right. That leaves the CISO holding the bag and getting run over by the bus.

The article does mention some new training materials from the SAFECode alliance, which are good stuff. Education is good. But that only addresses one of many problems facing CISOs.

Photo credit: “Didn’t get to try any of this unfortunately” originally uploaded by Jen R


Well, when CISOs can’t read the SEC financial statements and derive their risk estimates of maximum possible loss from the enterprise’s balance sheet and cash flow statements, then either they are incompetent or they believe that the CFO is lying to the government. In either case, they deserve any boots that they get. Unfortunately it’s the enterprise’s shareholders and employees who suffer when the breach happens, not to mention the customers, and not just the CISO.

By Dean
