paulmudgett.com

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad – Confidentiality, Integrity, and Availability when I hit a road block.  The Director at the time said “Availability isn’t a security issue at all… you don’t know what you’re talking about.”   Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing resources needed to do their job.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line but, I didn’t have the skills at the time to counter her argument.   Security remained an “other duties as assigned function” for the rest of my tenure there.

Revisiting with the organization after 18 years I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is after 18 years, I will still come across similar failures in understanding.  For instance, at one organization their primary servers filled with customer data, including personally identifying information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure”.   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway”.

Examples like this continue to plague the information security field.  Is this an executive problem or a problem with CISO’s not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms that are used in other business disciplines, in 18 years, we’ll be hearing the same stories repeated by the next generation of security professionals.

CSOOnline ran a recent article entitled “7 Ways to Stay Happy in a Miserable Profession” which listed items from a Mike Rothman presentation “The Pursuit of Security Happyness.”    No doubt the information security profession requires a certain level of mental toughness but I just can’t buy into some of the suggestions made in the article.

Accepting that we can’t win

I’m not sure a defeatist attitude is all that apprpriate for information security professionals.  You’ll always run into difficult budgets, management and staff that are trying to buck the system, and a threat from bad guys who communicate better than the good guys.  Part of being happy and successful in the information security profession is having passion for what you do.  It is up to the information security leader to share that passion, to be the evangelist of information protection, and to “sell” information security by demonstrating how it enables business.   The article certainly is right in stating that “YOU define personal success”, however, your attitude goes a long way.  Nobody will buy into your security agenda if you start off with a sulk in the corner attitude.

Focus only on what you CAN control

Absolutely.  However, you can’t ignore senior management, budget, user stupidity, DBA “dimwits”, office politics and the host of other issues listed in the article that are part of the environment we work in.  The security leader needs to shape and influence these areas, not just shrug the shoulders and say “I can’t do anything about it anyway”.  We need to excel at the things we control while working to influence behavior and decisions outside the coverage of our umbrella.

Look for NOT normal

Information is essential to successful security programs.  The concept of looking for unusual activity isn’t anything new but it is something that isn’t done very well in many organizations.  The better you get at looking for the unusual events, the better you get at stopping unauthorized disclosure and data theft.

Communicate the good and the bad

It’s all about setting expectations and Rothman hits the nail on the head with this one.  Openness and clarity are fundamental components of a good information security program.  It builds credibility with senior management and helps influence decisions when done properly.

Roll with the punches

Good days and bad days are part of the deal in any field, not just this one.  Information security is a tough field to play in and if you can’t maintain a professional attitude during the tough times, you’re probably in the wrong field anyway.  It’s not about being addicted to controlling what you can’t control as Rothman suggests.  It’s about doing the right thing.   At the end of the day, that’s what matters if you are intrinsically motivated.

Cover thy behind

Documenting everything is usually a good practice anyway.  If you build relationships rather than throwing your arms up in defeat then this simply becomes part of doing business.  It’s never personal.  It’s providing professional service to the business and keeping track of decisions so that everyone is on the same page.   If you can’t operate professionally and find yourself having to CYA on everything you do, it’s time to find a new job anyway.

Know thyself

I’ve never seen a headstone with these word:  “If I’d only spent more time at work”.   I’m not a believer in the separate work life, home life, play life, school life.   It’s all life and it’s yours.  Decide what is important to you and maintain a healthy balance.

————————-

The bottom line is information security is a difficult profession that constantly changes but that is what makes it challenging and fun.   It’s never going to be filled with glory and the only headlines tend to be negative.   The quickest way to make this profession miserable is to become a defeatist and apologist, hunkering down in a corner with an attitude of “I can’t do anything anyway”.  You don’t fight cynics and grouches by being cynical and grouchy.

An information security leader and a good information security program becomes fun when it is based around passion, humility, openness, clarity and agility.   We don’t need more negative security professionals.   Have fun.  Share your knowledge and keep trying to influence others to build a positive security culture.