Shoveling Sand Against the Tide

The frustrations of slashed budgets and inadequate manpower come to a head. Is it time for a change?

I was recently shocked to discover that one of our primary Web sites was not properly secured.

The site includes a form that recipients of our services fill out with personally identifiable information, including Social Security number, name and address. This was a security breach waiting to happen.

I literally ran down the hall to talk to the webmaster.

On my way, my mind was racing as fast as my feet were carrying me. I knew that the Web site had been secure a few years ago. What had changed?

As it turned out, when we implemented SSL a couple of years ago, we changed domain names for the Web site. But we had to keep the old domain name active for a while, forcing a referral to the correct page each time someone tried to access the old domain pages. A few important pages had been missed when the changeover occurred.

It took only half an hour to correct the problem, but the idea that people had been submitting confidential information without the proper security in place made me shaky. Still, I wasn't about to chastise the webmaster. It was just a human error. And human error is inevitable, given our lack of resources.

Stretched Too Thin

The root cause of any problem we encounter in my state government agency is that we are sorely understaffed. Our webmaster, for example, is more than just a webmaster. He's also a Unix and Windows administrator, as well as an IT tech who takes a turn on the help desk. There's only so much the guy can do in the course of a week. And it's the same for everyone here.

Being understaffed means we have no time to check one another's work, or even our own.

Consider our intrusion monitoring. We have installed the technology to log events, but we can't afford to have someone monitor those logs full time or separate the false positives so that the system is a truly worthwhile tool for identifying events that need our attention.

We needed that technology, and when I made the request for it, I also requested funding for a new position so that we'd have a full-time staffer to monitor the system. We got the technology, but not the position. How do you convince the myriad layers of bureaucracy that one without the other is just a waste of money?

Losing Hope

The entire situation is a recipe for disaster with no end in sight.

And when one disaster hits after another, you can't help but feel that there's no hope in sight. Our slashed budgets are being cut again, and even future budgets are being trimmed as the economy slows to a crawl.

When I have a moment to take a look at the situation that I'm in at work, I see how crazy it is. I have an impossible job that keeps me switching between my manager hat and my techie hat multiple times each day. Things are so bad that it's becoming harder and harder to drag myself to work every day when I know all we can do is shovel sand against the tide.

At times like these, I wonder whether the grass is greener on the other side -- in the private sector, that is.

I have a friend who used to be my partner in consulting. She has a very successful business and for years has been asking me to join her. It would be a big change for me.

My role, oversimplified, would be to accompany her on sales calls as the subject-matter expert who could explain in plain English to C-level executives why they need security technology.

I'm seriously thinking about it.

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.

Join in

To join in the discussions about security, go to computerworld.com/blogs/security
