It’s funny how certain data points get manipulated to bolster the corporate message. At least that’s how the trade press portrays it anyway. If you read the coverage of Veracode’s State of Software Security report, you will see the subhead that the CISO is really the Chief Information Scapegoat Officer.

CISOs are often the first victim following a major security breach. Given the prevalence of such breaches, the average tenure of a CISO is now just 18 months; and this is likely to worsen if corporate security doesn’t improve.

That’s true. CISOs have been dealing with little to no job security since, well, forever. What’s curious is how the article goes on to discuss software security as a big problem, and a potential contributor to the lack of job security for CISOs everywhere.

The problem, suggests Chris Wysopal, co-founder and CTO of Veracode, is that “A developer’s main goal usually doesn’t include creating flawless, intrusion-proof applications. In fact, the goal is usually to create a working program as quickly as possible.” The need for speed over security is what creates the buggy software that threatens the CISO.

These are all true statements. But as math people all over the world like to say, correlation is not causation. There are many contributing factors making CISOs scapegoats when the finger-pointing starts after a breach. And it is much simpler than poor software coding practices. I can sum it up in 3 words:


You think the CEO is going to take the fall? The CFO? The CIO? Yeah, right. That leaves the CISO holding the bag and getting run over by the bus.

The article does mention some new training materials from the SAFECode alliance, which are good material. Education is good. But that only addresses one of the many problems facing CISOs.

Photo credit: “Didn’t get to try any of this unfortunately” originally uploaded by Jen R