Lip Service Only

November 27th, 2006 Drazen Drazic Posted in Dumb Security, WTF, governance |

A good guy (who I’ll call ‘Irish’) left the industry last week. There’s not that many good guys in this industry as it is, so he’s going to be missed. At least by me.

It’s not that he had something else, something better to go to – he didn’t. He’s just packed it in, fed up and sick of beating his head against a brick wall as an IT Security Manager in a large corporate.

I don’t have those same frustrations as much as I used to. I moved to the dark side (consulting) a few years ago and it’s not as frustrating on this side. People tend to listen more to consultants and I like to think my teams and I know a bit about what we’re talking about, so we’re actually making a difference for our clients. Does that make consultants special? Crap it does, and I still reckon 90% of consultants are exactly as described by Scott Adams in his first book. You know the one. The chapter on ‘Consultants’ should be mandatory reading for all consultants… I digress and will leave this story for another time (maybe), but hopefully you get my drift.

So back to Irish. I know where he’s coming from and I doubt there’s any guy or girl who works in IT Security for a company that doesn’t. We must have certain shared personality traits. They’ll do a study one day and identify a gene we all share that drives us to working in what is generally the most thankless of all IT jobs.

I spent many years working inside large corporates in various IT roles. All aside from the security role that I eventually determined was my future were rewarding in terms of being able to achieve things and be listened to. Once I moved into the security position, the world flipped on its axis and things changed. A lot of that time I wondered why they had me there at all - you pay me good bucks to do a job and then you don’t want me to do that job. They loved me when I supported what they did and they tried to pretend I didn’t exist when I didn’t.

That was quite a while ago. I moved on as I mentioned, but sadly things haven’t changed much at all. I see it every day. Guys like Irish – committed, working long hours, keen to make a difference, having to fight every step of the way to make just a small change. Why does this happen? Sure, there are times where we probably go a bit overboard but hey, sometimes better safe than sorry. But seriously, in most cases there is method to our madness and at the end of the day, all Irish and co are trying to do is to highlight a mess and fix it! It’s not a hard concept to understand.

I remember not that long ago, a CIO telling me that security was not important, “we’re not a bank or something like that!” He’s still in that role.

A classic CIO story though belongs to the CIO in a very high profile organization that plays with money. Unfortunately this guy is not a one-off freak – there’s a lot of these guys out there and they’re a danger to their company, but somehow life goes on. Now keep in mind, this happened years ago – well before my current business. We’re not in the habit of highlighting our clients’ problems in public, but since this happened before my current role, it doesn’t count. Anyway, we’d just delivered him two pretty bad state-of-security reports, provided remediation advice and demonstrated that with a little bit of process change, nothing major and no money as such to be spent, significant risks would be quickly and easily minimised. Having only recently met this guy and having no reason to think him not overly bright, I actually believed he would take this onboard with a big thanks and “we’ll get onto it straight away – this is bad stuff and we need to fix it!” Silly naive me. Nope – he hadn’t even bothered to read the report before our meeting. His excuse: “I can’t do anything about this anyway” (in reference to recommendations we may have put into the report). The rest of the conversation went along the lines of:

Me: “But you’re the CIO aren’t you?”
Him: “I am”, very confidently he replied.
Me: “So you can’t do anything?”
Him: “No, the business has to tell me to do it!”
Me: “So what is your role?”
Him: “I do what the business tells me to do”.
Me: “You don’t see it your role to tell them that they have significant security exposures?”
Him: “It’s not my role”.
Me: “Okay…thanks for your time!”

It’s no wonder guys like Irish decide that it just isn’t worth it.

DD

PS. CIO’s company had a major security breach six months later. (I had moved on by then but old contacts gleefully passed on the story). The board asked him what he was going to do to make sure this doesn’t happen again. The Risk Management Group nicely passed on the initial report to him again, from which he proceeded to cut and paste all recommendations into his own report which he presented to the board – making him the hero for a day or so.

2 Responses to “Lip Service Only”

  1. Sometimes Dan Geer writes an article that starts to point to the crux of the problem [technically]… but it still doesn’t really address the ‘human condition’… or ‘human nature’, inherently tied up in all of this?

    Dan Geer:
    http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=436

    I kept hearing the term ‘inflection point’ recently, but am at odds to realise how it will come about, be finally realised.. or if it will sneak by and things will magically transform… or slowly evolve… sort of like urban renewal / urban gentrification. Another possibility is that of technical ‘diaspora’, or decentralisation, albeit some services decentralise as others centralise… like the outsourcing/insourcing cycle.

    Gunnar Peterson:
    http://1raindrop.typepad.com/1_raindrop/2006/10/decentralizatio.html

    Lots of clever people have great ideas, but seldom are they constrained by reality, legacy systems/setup and actual costs (be they financial, resourcing, penalties or just unknown / unmeasured overheads).

    One may also view quality (or lack thereof!) of staff as a cost, if they could measure it? Don’t get me started on ‘performance management’ or KPIs in our thankless roles :) and yes you do have a team of great guys and gals! Keep it up… inspirational actually….

    SecurityMetrics.org are on the right track, but too much ‘babble’ and theoretical ‘hoohaa’ as you have pointed out before.

    Hamster Wheel of Pain:
    https://securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_061005_1

    Escaping the Hamster Wheel of Pain:
    https://securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_040505_1

    So for now…. a brief respite…. D.

  2. Analyzing humor is like dissecting a frog. Few people are interested and the frog dies of it. — E. B. White (1899-1985)
