My mate Angelo phoned me last week with a challenge: is security awareness – our professional field – truly necessary in modern business? Or should it be optional? My immediate reaction was to argue for our work before Angelo explained why he was asking.
Angelo explained that he’d interviewed with a potential new employer last year for a “head of security awareness” posting with an East Coast firm. Angelo was fully qualified, met all the listed experience requirements, and felt confident that he could handle any awareness-related duties the new company threw at him. He was, he explained, wrong to think that.
Angelo expected his interview to focus on capabilities: could he design interesting training modules? Could he communicate effectively? Could he design educational phishing simulations? He’d figured he’d spend about half of his interview discussing the normal work associated with the role and maybe up to half going through the usual list of “best interview questions” that the untrained, inexperienced hiring manager had pulled off the web. Easy-peasy.
Instead, the young hiring manager spent the entire “interview” asking him to debate whether or not they should hire someone to do security awareness for the new company or put their money into – and this is an exact quote – “a fresh college graduate who’s really good at Facebook.”
Angelo was floored. I was equally floored when he quoted the interviewer to me. Trying to compare the two things seemed as daft as comparing a bear to a babysitter. The two roles are unique and don’t have much overlap. Also, swapping one for the other is likely to end in tears.
Still, I pressed Angelo for details. As soon as he mentioned that the new company was a dot-com style “start-up” everything fell into place. “In light of that,” I told him, “Yes. The question does make sense and when you consider the essential nature of the organisation, our role probably is completely optional to them.”
Angelo gently asked me if I’d recently suffered head trauma. I sighed and walked him through the pivotal element in the equation: he was trying to join a bloody start-up.
I’ve had plenty of experience with these. They’re interesting. My all-time favourite was the dotcom that I helped create down in Houston back at the turn of the millennium. Unlike a traditional business, where the owners and operators are focused on long-term success, the dotcom crew I worked for was after one thing only: that sweet, sweet IPO money. They couldn’t give a toss what happened to anyone long term. Not their clients, and certainly not their workers.
If you’re not familiar with this business model, I envy you. Back during the first Internet boom of the 1990s, Wall Street and investment capital funds looked at the stratospheric returns they could reap by backing a tech company and started showering new start-ups with cash. It didn’t matter if a start-up’s founders had experience, or a sound business plan, or even common sense. All that mattered was that the start-up’s product or service would “wow” investors. The whole idea was to burn cash getting the company moving and then, once its brand resonated with the public, take the company public via an Initial Public Offering and CASH OUT™ to the tune of several multiples of their investment. That is, the backers and founders would ride the huge spike in initial valuation, then sell most or all of their shares and leave the start-up to find its own way.
As you can imagine, the entrepreneurial model changed overnight. The hot thing in the late 90s and early 00s wasn’t to build a great product or service, but to create a great brand. Something that the markets would love. That is what the corporate owners of the dotcom I was working on were interested in. They had zero interest in the product their company was creating, or in the customers they were underserving, or in the market they were trying to “destabilise.” All they cared about was reaching an IPO within a year of launch. So long as the company didn’t self-destruct before then, they could CASH OUT™ and everything would be fine.
As a consultant, my job was to do what the client paid me to do. In this case, it was to build their internal IT department – people, processes, and equipment – and then turn the functioning team over to a newly-hired company director. The dotcom offered me the position. Sure, it was a major violation of corporate ethics for a consultant to take a job with a client, but a dozen of our people had already jumped ship to get in on the sweet, sweet future IPO action. After all, they weren’t just offering salary and benefits … they were offering stock! STOCK!
That is to say, the promise of getting valuable stock in the future … in a company that was the third entrant in a market niche that could only support one … in a company that was offering an online service that didn’t add anything new to a perfectly functioning non-Internet process … in a company that was run by people who only wanted to get rich on dotcom money and had zero knowledge of or interest in the customers they pretended to “serve.” I respectfully declined. 
That, I told Angelo, sounded a lot like the sort of company he’d interviewed with. This East Coast start-up he described didn’t seem interested in creating a long-term success story or building lasting relationships with their customers, partners, or suppliers. Their focus was probably just on the CASH OUT™ … burnishing their start-up’s brand until their theoretical value was high enough that some larger, cash-rich business would buy them and pay them extra to go away.
That’s what legendary local entrepreneur Mark Cuban did with his streaming media pioneer Broadcast.com during the first boom. He built a thriving and innovative tech company, sure, but he built it with the end goal of selling it. Which he did, even though it never made a profit. Mark sold his creation to tech industry dumpster fire Yahoo! for 5.7 billion dollars and bought himself the local basketball team. Per John Emerson’s 2011 article at GuruFocus:
“I doubt that Mark Cuban will be giving any value lectures to the students at Columbia Business School in the near future; however, he will likely go down in history as one of the world’s greatest opportunists. Few men or women have ever gamed a system better than Mr. Cuban. He remains the consummate purveyor of the ‘Dot Com’ model for creating wealth, and for that he deserves at least a modicum of credit.”
I’d second that. I worked there right after the handover. Yahoo! Broadcast (née Broadcast.com) was a high-energy, high-morale outfit. What it wasn’t was a company focused on security, sustainability, or long-term value. We were pushed by our corporate masters to grow the business, retain paying customers, and burnish the brand. “Long term” planning only referred to the numbers that would be presented at our next quarterly earnings call. Anything beyond that was irrelevant. Counterproductive, even.
I told Angelo that in such a culture, “security” is something that you invest a bare minimum of time, attention, and resources in. Why should you? You only need “enough” security on paper to satisfy investors; the last thing you want is complex security controls that create roadblocks to growth. When your sole objective is to look fantastic to the markets or to a potential buyer, anything that impairs the illusion of limitless growth is counterproductive. Paint over the rust and the dry rot; by the time the new owner realizes what they’ve bought, you’ll have cashed their cheque and legged it.
It should come as no surprise, then, that the start-up Angelo had interviewed with was more interested in hiring an inexperienced social media “hype man” than an experienced security expert. Their focus was on creating buzz, not on investing in the company’s long-term future. In light of that, did they need security awareness? I argued that – to their minds – they didn’t. Think of them, I said, like an aircraft manufacturer: they weren’t trying to build a jumbo jet that must fly reliably and safely for 50 years; they were building a cheap assault glider that would be flown once and discarded.
Investment in security programs, people, and technologies indicates that an organisation intends to stick around. They’re willing to trade some growth and profitability for protection and sustainability. Training workers on how to protect themselves, their company and their customers takes time away from those workers’ primary duties. It’s a cost of doing business that owners and senior leaders agree to accept when they intend to remain with their organisation through the inevitable hard times. It’s not something that owners and senior leaders do when they intend to abandon their creation as soon as they can CASH OUT™.
Angelo listened politely to my argument and agreed. He shared that his confidence in the start-up was completely dashed by his interviewer’s bizarre behaviour. He didn’t bother re-engaging with them after his first encounter, as it was clear to him that the company was dysfunctional.
I countered that the start-up might not truly be dysfunctional, so much as markedly different. They simply have a different worldview and different priorities to what Angelo is accustomed to. That doesn’t make them insane. If anything, it might be a sign of shrewd pragmatism. They know who they are, what they want, and what they’re willing to sacrifice to achieve their primary objective. Specifically, they seem to be willing to screw over their customers to get rich and walk away from their creation.
I don’t agree with that mindset and wouldn’t do business with such a company, but that doesn’t mean much. Businesses with that worldview would never hire security awareness people like me and Angelo unless we were really good at Facebook.
Good thing I did. The company didn’t even last a year after I left. The owners pulled the plug and fired everyone once it became obvious that the bloom had come off the rose for tech IPOs.