I finally decided to leave public service and go back to the private sector. The decision wasn't easy, because I hate to leave the team. My boss is adjusting, but he's not happy. I am very excited, though, to be going back to what I enjoy - security consulting.
In almost four years in public service, I was able to make significant changes to the agency's computing infrastructure. Building an information security program from the ground up is always satisfying. Even under frustrating circumstances, we made monumental headway toward a more secure environment.
One of the first things I did was an information security assessment to get the lay of the land. I found servers that hadn't been patched in months and had hundreds of open ports, network switches that allowed Telnet connections with no password, and PCs that weren't patched and weren't running antivirus software. I also found public Web sites containing Access databases full of confidential health information, unfinished policy documents, an unstable network (is it any wonder?), no firewalls, no intrusion detection, no network monitoring and basically no plan for improvement.
I remember early on witnessing one of the sysadmins reboot the main switch whenever the network seemed to slow down. When a server failed, it was days before the system was rebuilt and back online. Backing up data was hit-or-miss. There was no plan for disaster recovery, and tapes were reused and stored on-site.
With all this staring me in the face, personnel issues were even more pressing. People needed training, mentoring, direction. But, as I was finding out, seniority is an entrenched concept in government staffs. It's all about your grade level, not your skill set. How can time on the job trump experience, skills and execution?
Even though I wanted to get to work on the technical problems, I had to fix the people problems first. That meant changing the way people thought about themselves and their jobs. If you tell a group of state employees that their seniority isn't as important as teamwork, chances are you're going to be met by a lot of blank stares.
But I made it clear that I would judge performance based on teamwork and execution. That was the only power I had over my employees. I didn't threaten. I encouraged cooperation and set clear expectations. There were no secrets, no politics and no games.
Fairly quickly, I lost a couple of employees. But I doubt that I would have been able to get through to them, and I was able to hire replacements who understood where I was coming from.
Fortunately, my boss had hired me knowing that I would want to change the atmosphere as well as the technology. And he had budgeted for the changes and just needed someone who understood what needed to be done and would execute. I was very lucky to have him on my side.
In the end, my job in government was all about vision and communicating that vision. If you can imagine a secured environment and understand what needs to be done, you can do anything. Communicating that vision is an art, and it's where many managers fail. I created numerous presentations and network diagrams. I wrote plan documents and road maps, and communicated the vision to management, never forgetting that the team that was going to achieve that vision was the most important part of the mix.
One of my employees said to me just the other day, "We don't want to lose the vision. How can we make sure the next manager keeps us going in the right direction?" Those words are nearly reward enough for the past four years. But it's going to be up to the team to self-manage and keep its goals in sight.
This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at email@example.com.