In my last post I shared some thoughts on Howard Schmidt and his new CyberThingie position. I really wasn't clear on my "burning bridges" idea, and I need to correct that. Adam Shostack gently pointed out shortcomings in the post and helped me focus my thoughts; the clarifications follow.
To clarify what I meant in the earlier post:
I think that Howard has no budget authority, and although he negotiated a significant improvement in how he reports up the ladder and who he reports to, he is still very limited in what he can accomplish directly. Adam had some very constructive suggestions; I think pushing for transparency, and helping build and publicize guidelines and standards, could actually make a difference. But I think he will run up against entrenched people who won't cooperate, and that's where a willingness to spend personal capital could be critical (at least in the mind of this curmudgeon). When persuasion and compromise fail, he has nothing to fall back on, except the fact that he can call people out, as publicly as necessary, and use all those contacts and connections he has built in his career to make it very uncomfortable to be a security obstructionist. I don't think that is something he should undertake lightly, or regularly, but I do think setting a "don't push him too far" expectation could compensate for some of the weaknesses of his position. I believe his situation, not needing the position and being able to go home and forget it all when he's done, could be empowering: he doesn't have to play the beltway clique games by the rules.
But, I don't think that is his style. As I said, I hope I'm wrong, and I'm willing to help him prove me wrong.
This leaves the question of how he should distinguish between those who deserve to be called out because they really are a problem, and those who have not been convinced by his arguments. Here I think Mr. Schmidt can turn to some of his trusted contacts before acting, but this will always be a tricky balance.