This economic recession has cost all of us. I was laid off first in 2007 after six years as the top security manager at a company where I had built the security program from scratch. In my case, it cost me my job - twice.
I was laid off again just recently, after two years during which I first tried to build a new security program, but then had to cut my already very small staff. Needless to say, I think that was a poor decision, and I don't say that because I lost my job. Finally the security program was shut down entirely. Just before the ax fell, I had been working on cost-cutting initiatives. I figured that there had to be a better way to save money than ejecting large pieces of our corporate knowledge base. I had hated cutting my staff, and I was determined to ensure that no more layoffs would be required.
After digging around, I found two very expensive services that the company was paying for while getting very little value in return. But just as I was feeling good about the prospects of this proposal, I was called in to the CIO's office, where I found myself facing our HR director and a bunch of layoff forms. It looked to me as if we could eliminate those expensive and underperforming services, and then use our in-house staff and infrastructure to perform the same work at a lower cost and higher level of quality. Clearly, the company had chosen to go down the well-worn path of cutting staff rather than reducing costs in other areas. But now I have a new position that I'm feeling pretty good about.
It was a devastating blow. My job-loss trauma was thankfully brief, and I can look back and realize that I'm probably better off not working for a company that made such terrible decisions. This time, I don't have to start from scratch exactly; this company has many good security practices ingrained into its processes, mainly because the technical staff is young, smart and savvy - they get security, and its importance. I'm a security manager again, but in a different industry, and in a company with a different culture and work environment. It looks like I won't have a very large staff once again, maybe two or three people, but the rest of the IT staff here is very aware of what constitutes good security practices, and that could make a huge difference.
I'll be facing some new challenges here that I hadn't encountered in the previous eight years, but I've also learned some things from my experiences, so when familiar challenges present themselves, I'll react more effectively. With everybody pulling in the same direction, I might not need a lot of full-time employees dedicated to security. For instance, I had to kick off my last security manager position with a focus on patching, as I tried to turn the steering wheel of a big company toward an effective program of consistently applying security updates to operating systems in a timely fashion. Instead, a collaborative approach with the IT administrators and a focus on getting management to provide the right resources and priorities can be more effective. I had mixed results, but I learned in the process that it doesn't pay to push too hard in the wrong places. That is a lesson that should be applicable in many situations, even though in my new company, patching is recognized as being important.
I will need to raise the visibility and priority of the efforts so we can make improvements, but I don't have to try to get everyone to understand why it's needed. It's being done, though not consistently and not comprehensively. What a relief. Account management is being done fairly diligently, although it could use some improvements, especially in the area of terminations and deprovisioning. It's also good that our IT administrators have a pretty good hardening standard for their Windows and Unix systems, and they seem to be applying it uniformly. Administrative access could use some fine-tuning as well; currently, everyone's an administrator, and there are many shared passwords in use.
Overall, I would rate this environment 7 out of 10 in terms of general security practices. I'll definitely want to address that. My first priority will be to start making small, incremental improvements in the current practices to make things better and introduce more maturity and consistency into the environment. This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. This is a new challenge for me, one that I hope will be fun and exciting as well as successful. Contact him at jf.rice@engineer.com.
0 comments:
Post a Comment