Shostack + Friends Blog Archive


“The Phoenix Project” may be uncomfortable

The Phoenix Project is an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the book.

Before I get to the details, I want to talk about Gene Kim, the lead author. Gene got his start in security, having written the first free Tripwire program. Since then, he’s done key research in control effectiveness. He also accidentally demonstrated how far the complianciness industry has to go, as the COBIT standard hasn’t been updated based on his work, nor have they attempted to replicate it or refute it. Regardless, Gene gets operational information security very deeply.

So let’s talk frankly about John. John is a shrill jerk who thinks it’s a good idea to hold up business because he sees risk. He thinks of his job as risk prevention and compliance, and damn the cost to the business.

I’ve been there. Perhaps you have too. And if you’ve been there, John is an uncomfortable archetype to watch. Perhaps John is even treated too harshly. But as I said to Gene, pride goeth before the fall, and the fall cometh before redemption.

Me, I went through a lot of learning when Zero-Knowledge Systems pivoted. We had an amazing team, great technology, influencers and supporters out the wazoo, and we didn’t deliver on the goals. I spent a lot of time wallowing in what sells in security, what value propositions motivate people to buy, and how security is often a feature, not a value proposition.

Understanding where security fits in a business proposition gives me not only understanding but even sympathy for business leaders who listen to someone claim that if only the CSO reported to the CEO, they’d have a voice. That’s backwards. If the CSO has an understanding of the business, they’ll have a voice, and won’t need to report to the CEO. Also, the CEO is not the person with cycles to mentor a CSO to that understanding.

So if you’re outraged by how John is portrayed, I want to encourage you to ask yourself, are you outraged because it’s wrong, or outraged because it hurts?

The alcoholics say the first step is admitting you have a problem. If you’re not there, maybe the first step is to go read The Phoenix Project and see if it hurts.

4 comments on "“The Phoenix Project” may be uncomfortable"

  • Jared says:

    Wonderful book. I’d love to see the story retold from the different actors, Vantage Point style. I can imagine John’s story applying the New School alongside Bill’s operational revelations. Aligning biz objectives and controls, embedding security into sprints, streamlining compliance, data-driven decisions. It sounds obvious when you read the story. It would be fun to dig into the execution: how to collect measurements and incorporate them into decisions at Parts Unlimited.
    Good stuff.

  • Peter says:

    Well, the problem is the convergence in the past two decades of audit/security/QC in the IT world. Many “security” positions are actually IT/IS audit/QC jobs, and it’s a huge problem in our field. There is a REAL place for IT policy and regulation compliance nazis (which is what John really is), but it’s NOT security (who should be writing/developing/assessing those policies/regulations).

    Good review regardless, going to get the book and see what the hoopla is about.

  • Martin says:

    When I read the book the John character was painful to read. I had to put it down a couple of times. Only after some real soul searching was I willing to admit “there but for the Grace of God go I”.

    John’s transformation in the book will be seen by some as a trite plot point. I see it as I think Gene intended it – a sign that all of us in leadership need to transform security wherever we work or forever be pushed to the outside and hopelessly ineffective.

  • Dan says:

    I’m proud of my Twitter blurb: “IT Security Officer with a passion for using WISDOM to mold security practices. CISSP too.”

    Only when we realize our job is NOT to eliminate risk, but to manage it in accordance with your company’s risk appetite will we be successful.
