Why is it such a struggle to work in security? Show me a security professional who hasn’t felt misunderstood and undervalued. Who hasn’t complained that they are treated like a pariah? What are we missing? Is it our fault or is the world not ready for us yet? Does a major security breach have to happen before the penny drops?
Finding an answer to these questions,H.L. Mencken springs to mind:
"For every complex problem there is an answer that is clear, simple, and wrong"
I don’t believe there is a single answer or a simple one.
An unorthodox path brought me to the CSO role; suffice to say that my background is in operations and then consulting, where I learned about security policy. When I commenced as CSO, there was one technical team member left, no real handover and security was embedded in an inexplicably irrelevant IT stream — apparently the group had been moved and restructured five times in five years as each successive manager tried to offload this problem onto the next one.
IT management, let alone the rest of the company, had little or no idea what mysterious benefit the security group offered. Instead, the group was considered a bottle neck, an obstacle to be avoided where possible.
Nothing like a challenge! Over the following months, I set about recruiting, protecting the remaining resource and responding to the squeakiest wheels. What was clear early on was the diversity of skills necessary to carry out security. We recruited accordingly.
It was also obvious that the group’s scope was too broad. It was necessary to stake out some ground that could reasonably be managed and then delegate/raise risks for the gaps.
Another important observation was that the group was largely ineffective and tied up with fire fighting because we didn’t know what was going on untillate in the development lifecycle. With that understanding, I further directed the group’s scope to a business engagement model — to go to where it all begins. Remember I said I didn’t have a security background — well this actually came in handy. The business accepted me, which provided an opportunity when the time was right to bring the appropriate resources in to deal with the nuts and bolts and then gradually formalise the process.
Our IT stakeholders were also onboard and excited about what we were doing and wanted to be part of it. Things were going well, the security team was making a positive impact driving organisational change.
Then it all went pear shaped.
What happened was that new IT management from an ‘old school’ came on board. They didn’t get that becoming a business partner was the way forward forsecurity nor were they willing to listen or negotiate. Immediately, I raised the risks, lobbying management across IT and business stakeholders. Interestingly, the business considered this to be an issue of internal IT politics so was unwilling to get involved and IT management never understood the role of security in the first place.
So where is this organisation today? Sort of back where it was when I started,new team members gone, no leadership and lots of squeaky wheels. The difference is that there are a bunch of people in the business and IT scratching their heads wondering what they are going to do about security now — they had only just come to understand why it was important to them and it’s gone.
Looking back at what transpired, I wason track, made the right decisions and moved in the right directions but reporting into IT was perilous. IT management with an IT shop mentality became insecure (pardon the pun) and uncomfortable with the important relationships that I established directly with business stakeholders. There really was only one place to go.
Security needs to be protected from politics and compromise, it belongs with the governance, risk and compliance streams and its risk outputs require executive visibility. However what if the organisation is just not ready for this? I wish I had the magic formula here but I don’t. The security profession is still developing, still finding a voice, still considered an IT shop and in part it is. Until the security profession matures, I think we will continue to find ourselves in many organisations as collateral damage to politics, misunderstanding and management ambition but this is not reason to despair.
Perhaps we need those major security breaches to hit home, however I believe we are changing the perception of security through our collaborative efforts, by applying the abundant cleverness and passion that exists within our ranks to break down the stereotypes and misconceptions and to come up with new and creative approaches. We are still on the journey so hang in there and be prepared for some challenges along the way.
To offer some inspiration, did any of you catch the news that Bill Clinton recently attended a US security conference and referred to security professionals as “modern cops” — in a sense he’s right. This is our future!