In days of old on sailing ships, the helmsman had the vital task of having his hands on and keeping control of the wheel, even in the toughest, most violent storm. Storms would bring waves and wind working together to try to wrest control of the ship away from him.
At other times, lookouts would spot reefs, shoals or unexpected sand bars due to imperfect charts, changing undersea landscapes, eruptions or sailing uncharted territory. Navigation by the Helmsman therefore relied heavily on tight cooperation with lookouts, depth measurement sailors and of course the captain of the ship.
The role of the Helmsman was vital and required a strong and steady hand. A captain would want to find and keep a good man at the wheel because, when it mattered, the survival of his ship would depend on him. Often a captain would double as Helmsman and would call out commands to sailors based on what he saw, heard and what sailors would shout to him.
Let’s illustrate that further with a quote kindly discovered for me by Sarah Clarke. Roland Dobbins summed it up nicely in a recent BBC Technology news article:
“This may come as a surprise to non-specialists who view the internet as a high-tech affair comparable to the bridge of the USS Enterprise of Star Trek fame,” he said. “In actuality, the internet is more akin to an 18th century Royal Navy frigate, with a lot of running about, climbing, shouting, and tugging on ropes required to maintain the desired course and speed.”
If we transpose the role of the Helmsman into information security, then I strongly believe a CISO/Head of Information Security plays a strikingly similar role to the role of the Helmsman. The CISO is the Cyber Helmsman/Helmswoman.
Organisations today need a good strong guiding hand. This person should be able to steer the ship over time, stay strong and in control during times of crisis (storms) and not let the elements (threat landscape, changing regulatory/compliance environments, auditors, security assessment results) wrest away control of the ship. The Helmsperson should follow the plotted course to emerge unscathed on the other side, also by listening to and reacting to information passed to him/her from sailors, instrument readers and so on. The Helmsperson should ensure the reefing, trimming or adding of sails, change tack, and steer into or away from the wind and waves as is optimal in each specific situation. In other words, the Helmsperson should ensure the overall adjustment of the ship’s (the organisation’s) security posture to changes in the threat landscape.
When incidents happen – and they will – the Helmsperson should be the one at the wheel, now and over time. Mapmakers and instrument producers (Infosec vendors) are doing their best to create new maps and better instruments for the ships, but the most important thing for the cyber wellbeing of your ship remains the team of sailors and the Helmsperson.
So make sure to hire a great team and someone who can steer the ship with a strong, steady hand, and don’t let them go or blame them when you hit an unexpected sand bar. They’re not the ones deciding where the ship is headed; they’re only trying to keep it afloat to get there.