Note: I originally wrote this back in July of 2009 but was holding off on posting it until I landed a new position. I’ve decided to go ahead and post it, partly in response to the post by Rafal Los on the CSI 2009 conference this year.
I usually don’t blog about stories that everyone else has blogged about. I know that I really get fed up when I go through my RSS feeds and see post after post after post about some story. Take the SSNs being predictable story. I know I saw at least 50 different write-ups on it. I guarantee you that every one of you who read my blog saw that same story at least 10 times, so why in the world would you want to see me write about it? But this time I’m going to break my own rule and write a little about a story that has made the rounds. I’m talking about the survey that Mike and Lee did regarding job satisfaction. Why? Because I was (note the emphasis) one of those “unsatisfied” individuals.
My story started a little over 2 years ago. I had just started a new job as the Senior Security Engineer for a company. I started on Monday and Tuesday I got the news that they also wanted me to be the Security Officer for the company. They needed a good deal of work in shoring up the security architecture and program. That meant that I would do less hands-on technical work than planned and spend the majority of my time trying to get the security house in order. I was elated. I had done similar work as part of my duties at my previous 3 employers and was excited at the opportunity to really build a program from the ground up.
One of the early concerns that I had was that when the news was given to me about the change I was told that I’d have a dual reporting structure. My day-to-day reporting would be to the Manager of the Infrastructure group and I’d have a “dotted line” report to the CIO. That sounded reasonable, especially early on as things were getting started. Then they told me that the CIO did not want me to go to him directly for anything; when he wanted me he would call me. That sounded odd at first, but I figured that since he is the CIO and busy that made a little sense. I assumed that he would schedule a meeting with me in the next couple of weeks to talk about the program and hammer out some of the things that he wanted to see. A couple of weeks went by and still no meeting request. I went to my direct manager and tried to talk with him about some of the things that needed to be talked about and got what I soon learned was his standard answer: “What are the industry standards and best practices?”
One of the first things that I started looking at were policies and procedures. I needed to get a feel for what they said so I could better understand the overall company perspective on things. That didn’t get me too far because they were so old and outdated that they didn’t reflect much that was currently going on in practice, nor did they reflect the current company and IT goals. So I set out on updating them as best I could. Since I was still new I spent a good deal of time talking with everyone I could to get a feel for how they needed to look. I still wasn’t getting anything from Management, so I put them together and submitted them for review. Most of them sat for quite some time without ever being looked at (over a year in most cases). Now I knew that I was really facing an uphill battle.
Things such as this continued for much of the time that I was there. I continued to do the things that I felt were necessary to build the house, but without any real help from management it was difficult to know what they really wanted and expected. I tackled PCI, internal audit findings, current practices within the various technology groups, new projects, existing projects. All of this with the goal of building cohesiveness within the security program. Things like ensuring that the server team, network team and application team were communicating regularly so that the security tasks one team was doing were not being undone by another. Making sure that security got visibility into every program and that security had a voice in what was happening at an enterprise level.
Things were going along fairly well, but I was quickly becoming unsatisfied. I felt that even though I was making progress and things were really shaping up, management really didn’t care about the program and that as long as we were keeping the auditors happy then everything was OK. When I tried to move the program “beyond the check box” I got push back. When I tried to get clarification on the direction I was taking the program I got blank stares. It was becoming evident that the only reason they even had me there was because the auditors told them that they needed someone to shore up their program. It wasn’t an enterprise mandate (which unfortunately security rarely is). It wasn’t a Technology mandate or even a technology priority. It was an audit mandate, and the technology department was audit driven. Audit reports went to the Board of Directors and therefore whatever audit wanted, audit got.
By now I was seriously on my way to unsatisfied. When you are passionate about something, when you truly desire to do your best, and you know that it’s not really making a difference because of corporate culture or management push back, it’s hard to stay satisfied. It affected me beyond work. Fortunately not to the degree where it affected my family life, but it did affect my blogging. You may have noticed that in the last several months my blogging has not been nearly as frequent as it had been. I was just so mentally worn out by the end of the day that I didn’t want to write about security because I was unhappy at work.
I thought about looking for other positions but didn’t want to give up. I still held onto a glimmer of hope that I could enable change. So I stuck with it. I was able to get a few things changed within the program that I felt would really make a difference. One of the “problems” that I saw was that I reported under the Infrastructure group. That meant that even though I had responsibilities for security in other groups, they often pulled the “you don’t work in this department, you work in infrastructure” card. Then there was the resistance I got from Infrastructure at times. The “you work for me and will do things as I want” card was used often. I knew that in order to truly be effective I had to have a reporting structure outside the other departments. I needed to either report directly to the CIO or to the Director of the team that was responsible for the ancillary functions of IT. This group contained Change Management, QA and Compliance. I felt that if I could get the security program moved under that group I would have more authority when needed. Since that group was independent of the other IT groups, and due to the way it was structured, it had that authority. I was able to convince the CIO to approve the move and that made a difference.
Unfortunately it did little to make a difference in the audit driven mentality of the whole IT program. So my dissatisfaction continued. By this time I knew it was time to move on. Unfortunately, before I could start a serious job hunt the economy bit me. Things were pretty well shored up in the house, and now they could tell audit that we had things in order; money was tight, so we had to make some changes. But that would be OK because they had the framework in place and they would continue to work under it as they had been for the last year or so. They now knew what to do to keep audit happy from a security perspective, and since I didn’t do the hands-on day-to-day tasks needed to run the network I was the logical one to go.
So now I’m no longer an unsatisfied security pro. I’m currently an unemployed one, but I’m thoroughly enjoying getting back into the swing of reading and writing about security. I’m enjoying a renewed passion for security that had been worn down somewhat. It’s refreshing and encouraging. That’s my tale. It actually has a happy ending even though the ending hasn’t been fully written yet. I’m currently riding off into the sunset and waiting to see where the sunset leads.
To the point that Raf made in saying that the participants in the conference were “lack-luster” and lacked passion, I say “I completely understand”. I think that a big portion of Information Security Professionals are just flat worn out. They are having to do more with less and getting little support from management. That really can drain the energy from you and affect not only how you do your job but also your general attitude.