"C-Level " Professionals Jumping Ship

Well, I wouldn't say they're actually jumping ship but people are leaving at quite a frenetic pace right now. This is what happens when you hire people that are passionate about what they do for a living yet do not have the authority needed to get the job done. Sadly, this is all too common in information technology as a whole and especially within information security. Too often I think you get unqualified people who mismanage money because they lack the subject matter expertise to properly spend it. It is a given at the executive level that your technical skill sis probably not on par with those who work for you so listening and discerning becomes the critical skill when seeking funding. Being able to justify the funding requests is also a massive hurdle and this is often when we find out that an accountant is actually in charge of everyone.

This post from Richard Bejtlich's blog does a good job of explaining both the need for money and what you can do with it once you have it. So, what's the point here? The point is that you must find talented people to run your program and empower them, fund that program, and have a vision of what that program should look like. There must be a reasonable balance between security and convenience and you must always "sharpen the saw." Trying to have an infosec program without all of those elements is like trying to have fire without heat, fuel and oxygen.