Why would anyone be a security manager/admin/analyst in any company?

March 9th, 2007 Drazen Drazic Posted in WTF, governance |

Let me, from the start, take the consulting dudes (external) out of the picture because, obviously, we/they know everything, and in most cases the recommendations and reports presented by them/us weigh a tonne compared to what the internal dudes say.

Now, to the point of the question: why would any normal person want to be an internal security manager/admin/analyst when:
1. You’re everyone’s mate when you join. You’ve been brought in as the golden child to solve the company’s problems. Every IT dept manager is keen to meet and “brief” you on how life in the organisation is and should be, and within a month or so, as you start to display your talent, you’re no longer a “team player”.
2. Everything you were told before signing the contract about your sway in the business, your ability to effect change and improve things, in reality means: the organisation that pays you, will fight you every step of the way before allowing you to perform what you believe your role to be. In most cases, you won’t be able to.
3. Your fellow IT guys will have no sympathy or empathy for what you do. (You think: how are some of these people working in IT? You see that you are the minority.)
4. You feel like you’re the sole voice in telling the dudes you work for that they have major problems. Even when you get an audience with “management”, you get lip service only.
5. You battle every step of the way to achieve even small gains.
6. You spend most of your time wondering why TF you are there and life must be better elsewhere.
7. The company engages consultants (see the “Management Consultants” chapter in Scott Adams’ “Dilbert Principle”) who come in, cost heaps, and tell the company what you already told them; their recommendations are taken on board and you are asked why this isn’t happening already.

It’s a rare breed that does this role. My first post on this blog talked about “Irish” - this post covers that again.

Keen on your thoughts.

10 Responses to “Why would anyone be a security manager/admin/analyst in any company?”

  1. You’ve got it right in every respect.

  2. Hello !

    I’ve been in the IT business for almost a quarter of a century now. Of those 25 years, I’ve spent the last 10 specializing in Information Security.

    Why would anyone want to be a security specialist in any company? Hopefully the answer to that is that like any hobby you do it with a passion. If NOT, I feel sorry for you. Here is why:

    You will never learn the “secret” to succeed in this business. Reality Bytes, as clearly put in this BLOG.

    However, those that do this with a passion, hopefully have learned the secret?

    The secret my friends is to put the responsibility for these decisions back where it belongs, on the BUSINESS. It is a business decision at the end-of-day to accept or avoid risks. If you don’t do this, you will be caught in the dilemma described in this BLOG.

    What do you gain by clearly making your job simply a TRANSLATOR of security to the business?

    (1) You start enjoying your job fully. When you make recommendations and others don’t agree, leave it up to the business to decide.

    (2) Those that fight you along the way start to realize that you are not the ultimate decision maker. Like a courtroom, they have an opportunity to present their case to business. All because business decides.

    (3) The empathy turns into sympathy and respect.

    (4) Management can no longer play the game that they’ve shifted the burden on YOU, the security professional.

    (5) Your battles are GONE !

    (6) When third party consultants are brought in, sometimes because the companies have lots of money to burn in the budget, the business is responsible for deciding the fate of that recommendation.

    So the secret to succeed in this business is to make sure you create a governance model where business is clearly the JUDGE and JURY. NOT YOU….

    Remember, you are not getting paid what it would take for you to become JUDGE & JURY for the firm who has hired you. Instead, spend your time developing relationships and your skills.

    Most important, keep a positive attitude about LIFE and your chosen career. When you’ve accomplished these things, you are truly blessed with many other things in return…

    Thank You for this opportunity to share my thoughts….

    Anonymously,

    FANTOMAS !

  3. Anonymous #2:

    I totally agree with your basic thrust - it is the business who leads.

    But… You make it sound like the ‘translation’ process is simple and effective. My experience is that this is not the case. The business often doesn’t understand risk in the same manner IT Security folks do and many of our risk metrics/measurements do not readily translate into business terms.

    The simple example I use is credit risk - ask a retail banker to assess the risk and potential loss for a non-performing home loan and they’ll have a solid figure for you damn quick and a decision about whether the loan would be viable.

    Now try to do the same thing with an IT security risk? Not so easy. What’s the risk of exposure? How do you measure that in dollars? What’s the likelihood of exposure? What’s the resulting potential loss? And then finally how do you make an often intangible risk REAL to a business owner?

    Sure there are models for this (ALE etc etc) but none of the ones I have seen are truly effective and result in the same risk measures the business use to make decisions.

    Until we can articulate risk with the same ease as the business does we are going to have issues communicating risk.

    Just my 0.10 cents…

  4. True that the business doesn’t understand at times (or often) the risks; it is our job to educate the business when they don’t understand. I was asked the other day what is the most important in this career, my answer was “communication” and relationship. Without these two, your chances of “teaching” the business those risks are much more difficult.

    The example you use (re: credit risk) is a business risk and not an information risk? I am not trained as an information security professional to determine credit risks????? Not sure if this is a good example to use in INFOSEC?

    In IT Security, risk can be managed, provided that you first classify the information you are trying to protect. Without the data classified, you have no idea how to protect it. After you classify the information, then you can apply the security controls (pre-defined by policy) that must be implemented (e.g. encryption, authentication etc.)

    Now the difficulty lies between developing a risk analysis process that is subjective vs. scientific. I subscribe to the more subjective, simplistic approach, since the person who is driving the process is usually a security professional (you trust his/her analysis skills). The more complex and scientific this process becomes, the more difficult it becomes to implement.

    So what have we said so far:

    (1) Create a governance model that clearly identifies the business owners as the ultimate decision maker (Judge & Jury). When you perform a risk analysis for each application, each business owner must accept or reject the risks identified as part of the risk analysis process.

    (2) Create a risk analysis process that first classifies the information and then provides recommendation for mitigating each risk identified. The classification is based on confidentiality, integrity and availability (the impact on the business).

    Now, there will never be a perfect process; all you can do is try to come as close as possible. Most important, be a good communicator and translator of those risks. When you hit upon someone on the business side that just doesn’t understand, make an effort to spend more time. It’s not a perfect world out there; this is not a scientific process.

    FANTOMAS

  5. There are thought provoking posts here. Just to add, I think that one of the positives of working in a security role is that (if you are lucky) you get to see lots of different aspects and technologies across a big organisation, rather than just focusing on one technology or business area.

    I very much agree with Fantomas about being a translator and communicator of risks. If you have the balance of technical and inter-personal skills to do this you will have a good chance of succeeding, wherever you go.

  6. Comments as promised…

    http://bsdosx.blogspot.com/2007/03/elves-and-shoemaker-part-1.html

    Still taking some time out…. redefining the undefinable..

    D.

  7. Anonymous #2 - Sorry my point wasn’t clearer regarding credit versus information risk.

    I was trying to articulate the different degrees of difficulty in expressing business risk versus information security risk. A credit risk is easy to articulate - it has clear and tangible costs and consequences. In comparison an information security risk is a lot harder to articulate - especially in dollar terms. Thus it is often hard to explain to the business - whose business risks are generally easy to understand and quantify - exactly why they should pay/decide/act on an information security risk.

  8. I think Fantomas sums it up pretty well when he says:

    “Why would anyone want to be a security specialist in any company? Hopefully the answer to that is that like any hobby you do it with a passion. If NOT, I feel sorry for you.”

    The really good guys you meet doing our line of work are those guys with the passion for it….and there’s plenty of us out there. The journeymen, and there’s plenty of them also - the guys who stumbled into the roles or are there because it sounds like a good place to be because IDC or Gartner said it was, do the industry a disservice much of the time. Hell, there’s even plenty of CSOs out there who I would classify in this category. It’s not hard to distinguish between the passion and the journeymen.

    The alignment of the message to business is key…..yes - always has been, and this is a driver of success in our field, but what happens when you don’t get that chance to talk to the business?

    I remember when I left the global investment bank I was working for in 2001. Much of the world outside of Australia (in particular, my area of management - Asia) operated far differently in terms of risk management practices and how security people were seen within the organisation. Even at that time, very little went into production without my team’s signoff. If it did, it was at that business unit’s own risk.

    The regulatory environment in the likes of Japan, HK and Singapore laid down pretty strong requirements on the financial sector players and if you did not toe the line, the risks to the business were severe. By severe, I mean, operations in that country could/would be shut down.

    Coming back to an Australian financial player was a culture shock to say the least. All of a sudden, I was in an environment where pretty much most things that went into production had not been reviewed by the IT Security Team. Regulation? Yeah right…..lip service again.

    Have things changed in Australia for IT Security guys? Not that much to be honest.

    Yes, talking to the business is key but what happens when your voice to the business is through the CIO, who decides that he knows what the business wants to hear?

  9. “What happens when your voice to the business is through the CIO, who decides that he knows what the business wants to hear”

    If that happens, I believe the company loses the ability to provide independent, unbiased, clear information to the business. The CIO is front-ending and assuming risk for the business. Hey, if that CIO wants to sign the dotted line? GOD Bless HIM/HER :-) !

    Reality is that if you report to him/her, you have no choice. I say that CIO then is one blind fool for taking on that role.

    Perhaps a naive response….? What happens when independent auditors walk in and start raising audit points ?
