With only a skeleton crew, and no budget for consultants, I've been borrowing IT staff from other departments to get things done. That's been helpful, but none of them has the specific skills to analyze complex firewall and NAT rules.
I recently discovered some serious holes in my company's firewalls, and my lack of staff has meant that I've had to perform the needed firewall audit myself. Nothing wrong with that, right? My thinking is that by doing some engineering, some administration and some architecture work as well as managing the team, I'm adding value. It's almost like having access to extra staff when I change hats from manager to techie. But that's not my CIO's thinking. He's been on my case to stop doing technical work and focus only on management. Honestly, I don't see how that could work, given that we haven't been able to hire technical staff, and attrition has cost us some of our most experienced people. What good is an IT staff composed mainly of managers, when there's hardly anyone left to manage?
In fact, the budget situation is really bad. After we completed budget planning for 2012, the executive staff decreed that we need to cut it almost in half. That means no new projects, technologies or head count for next year. It could be even worse than that, but I'm not yet willing to face the possibility of layoffs. However, the fact is that my company, like a lot of others, is really struggling to survive. I don't know what to expect next, but it can't be good.
Meanwhile, I continue to get hands-on with the technology, despite m CIO's misgivings. Mathias Thurman recently wrote about his CIO's scrutiny of his investment in SIEM. I'm fortunate to be in the same boat, meaning that I bought my security incident and event management tool before the current funding crisis. So at least I have a peephole into what's going on in my network. Unfortunately, I don't have anybody to monitor the SIEM tool, nor the budget to outsource the monitoring. So in my spare time, I've been writing rules that will generate alerts that go directly to the help desk -- which is contrary to my CIO's directive to stay away from the technology in favor of management. But again, who else is going to do it?
One more thing on my plate right now: It's SOX season again. My company is crawling with auditors demanding reports on all kinds of things -- access rights, incident logs, security reviews -- and it's all mandatory. Activities related to compliance with the Sarbanes-Oxley Act take precedence over everything else, and so much of my focus for the rest of this year will be distracted by them. One good thing about this costly, time-consuming regulation (and I hate to think about how much we're paying those auditors -- I'm sure it's more than my department's budget for head count): Things get done when the government requires it. I'm constantly amazed at how companies try to get by just doing the minimum required for compliance, instead of doing things (like security) just because they are right and have value.
You know, it occurs to me that I always seem to talk about how bad things are economically in my world -- budget cuts, lack of staff and resources, layoffs. I'm looking forward to a day when we're not in a really bad recession and I can write about how nice it is to have all the resources I need to really do a good job.
That day will come, right?
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.