Even though I had promised myself I was going to settle down and be happy in my current job, I interviewed for a security manager position at a large medical center. It was closer to home and offered better pay, and the gung-ho recruiter made it sound like there might be interesting projects to work on.
I met with the CIO, the directors of IT and software development, and the director of internal audit, in that order. They all asked what my ideal job would look like. This perennial job-interview question always makes me laugh to myself, since my ideal is no job at all. I am honest to a fault, but there are some things you can't say in an interview, so I have learned how to phrase the truth so that I don't look like a complete idiot. I said that having enjoyed a few years of independent technical security assessment consulting, I would go back into that line of work full time if the business climate was right. Meanwhile, I am looking for a career opportunity that will allow me to contribute in a meaningful way. Blah, blah, blah.
No Hollywood Ending
The unvarnished truth is that I want to write a book that would become the basis for a hit movie series, and then travel the world and write stories about exotic places. The only technology I would hang on to would be a wireless laptop and cell phone. I don't want to ever look at another firewall configuration as long as I live.
But if I wasn't exactly transparent about what I want to be when I grow up, they weren't too sure about the position they were trying to fill. They all had different answers when I asked what they envisioned the new person in this position doing. That's not too unusual, but it was only the beginning of the confusion. The job description on the medical center's Web site suggested that this security manager would report to the CIO, but I found out it was being moved under internal audit. In fact, the position had changed dramatically in the past week or so, and the CIO was becoming acting chief security officer (CSO).
Now, I have strong experience in technical security, but it's a very different world from internal audit. Internal auditors talk about risk management, while security techies talk about specific device configurations. They are talking about the same things, but in different languages and from different perspectives. I know how to bridge the gap between the two, and I understand how open ports on the firewall, for example, can become a huge risk for a company and have material impact. But that doesn't mean I speak the language of auditors.
It was the end of the day when I finally met with the director of internal audit. By then, I had more questions than answers. But if one of those questions was whether this job would work out for me, it was pretty much answered when he said, "I have met with several people who have as many acronyms after their name as you do, but they are just going to do what I tell them to do." I just had to laugh and say, "That has never been me. I'm kind of opinionated."
He must have realized that I was concerned about reporting to internal audit, and our discussion led me to draw an organizational chart on a sheet of paper. On my chart, IT was separate from internal audit and from what I called "business controls." Under that heading were information security, disaster recovery and business continuity. Each of these three disciplines reported to a separate C-level executive, with IT reporting to the CIO, internal audit to the chief financial officer or CEO, and business controls to either the chief operating officer or CSO. This avoids the problem of the fox guarding the henhouse.
But my ideal organization is likely to be adopted about the time that I begin collecting royalties from my Harry Potter-style movie franchise. The bottom line is that most organizations, and certainly this one, don't understand the magnitude of the tasks they want these disciplines to undertake, and they aren't yet willing to properly staff for it all.
As we ran out of time, the internal audit director asked whether I would meet with him again so that he could convince me that the position could flourish under his department, given a chance and the right leader.
I had the Presidents' Day weekend to think. As I reviewed things, the organizational dynamics were a red flag. The fact that the CIO had rushed to have himself named acting CSO even though that meant surrendering a security direct report to the auditor led me to believe that he wasn't too keen about security being moved out from under him. The software development director was looking for application security guidance, which I am a little weak on. And then there was the audit director, who was new to the organization, full of ideas and wanted to shake things up and own information security. At least the IT director knew that his "WAN guys" had security nailed down, which would make his team an important ally. But what a mixed bag.
And in that bag, they wanted technical security architecture review, security assessment, security awareness training, internal audit, documentation, leadership and a whole lot more. What they need is at least one technical security expert in IT, security training for the IT guys, a person devoted to security awareness and training, internal audit as a separate function, employees devoted to disaster recovery, and business continuity planning under a separate banner. It came to me that maybe I should just hold on and write that book.
What Do You Think?
This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at firstname.lastname@example.org