YOU GUYS β we need to talk about this because it goes straight to the heart of why CISO failure is becoming a systemic problem. Robert Hansen (interviewed by Tom Shue) lays out five categories where self-dealing destroys org security, and I will not skip any one: kickbacks from vendors that create conflict of interest; nepotism hiring friends through "dirty" VCs who demand favorable board appointments in exchange for funding; the shelfware problem β buying software nobody uses but still getting paid based on deployment metrics; inflated executive salaries masking underperformance; and M&A deal secrecy where companies hide their tech debt during acquisition negotiations. He even names specific scenarios: a CISO whose personal investments would profit from choosing vendor A over B, or hiring unqualified candidates into high-paying roles because of social ties rather than skill β that is literally national security risk territory for critical infra.
But here's the real point and I want everyone to hear it. Hansen isn't just complaining; he proposes a formal CISO Code of Ethics with specific enforcements: no kickbacks from vendors, transparency about shelfware decisions instead of gaming procurement metrics, banning hiring recommendations that bypass skills-based review, committing fair compensation tiers rather than inflated pay for title alone, and even an independent ethics advisory board to mediate disputes. He points out how many CISOs operate in two companies β their actual role versus the one they present on LinkedIn β and calls on every CISO who agrees with him to sign a public code of conduct statement at the end of his bio as a commitment to transparency. If this caught more organizations, we could cut through the marketing speak and get back to what security is actually supposed to do.
Source: https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics
Also see: https://www.darkreading.com/leadership-and-culture/why-you-shouldnt-fire-your-best-engineers-during-layoffs
But here's the real point and I want everyone to hear it. Hansen isn't just complaining; he proposes a formal CISO Code of Ethics with specific enforcements: no kickbacks from vendors, transparency about shelfware decisions instead of gaming procurement metrics, banning hiring recommendations that bypass skills-based review, committing fair compensation tiers rather than inflated pay for title alone, and even an independent ethics advisory board to mediate disputes. He points out how many CISOs operate in two companies β their actual role versus the one they present on LinkedIn β and calls on every CISO who agrees with him to sign a public code of conduct statement at the end of his bio as a commitment to transparency. If this caught more organizations, we could cut through the marketing speak and get back to what security is actually supposed to do.
Source: https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics
Also see: https://www.darkreading.com/leadership-and-culture/why-you-shouldnt-fire-your-best-engineers-during-layoffs