Computerworld - This installment of "Security Manager's Journal" appeared in Computerworld's print edition.
Leaving state government has been bittersweet. There were frustrations aplenty, but I was always impressed by the dedication of many of the rank-and-file employees. I feel privileged to have met and made friends with so many of them.
I certainly learned a lot about state government: the classification of employees, the rules and regulations related to employment, the budgeting process, and the endless politics. Politics was always my nemesis in my time in government, but in the end, it was the feeling that I was powerless to effect necessary change that drove me out.
I never would have lasted as long as I did if not for my boss, who empowered me to do my job as I saw fit. Micromanagers exist in the private sector, but they seem more numerous in government.
After nearly four years in government, I feel somewhat qualified to make recommendations for improvement. Topping my wish list is that all government workers should have a boss like mine. Unfortunately, the highly structured personnel system leaves little room for things like empowerment and autonomy.
But in a rigid bureaucracy, real change has to come from the top. The CIO or CISO must have a vision and the stamina to fight for money. We're talking about protecting taxpayers' personal data. Even the most tightfisted legislators can be made to see that these investments are worthwhile, but you have to wear them down. That takes a leader who's a politician with a backbone.
My state hasn't been lucky in this area. It has gone through three CISOs in four years. In a perfect world (the one that I'd design), a state's top security officer would report to the governor and have a separate budget. The legislature would listen to him and not stand in the way of making security a top priority for every state agency. Statutes that are now followed to the letter would undergo common- sensical revision. For example, there's a requirement that an infosec officer be appointed for each state agency. Currently, just about anybody can be named to the post -- even if the person has never used a computer. In my world, money would be available for training, and initiative would be rewarded.
In many ways, I would like government to work more like the private sector. But from experience, I know it can't be a duplicate. Politicians and taxpayers aren't the same as executives and shareholders.
And the truth is that the private sector would be even better if it could inspire the sort of dedication and commitment I have seen in government workers. We all want to hire people who will be creative problem-solvers. The government has them in spades. I have seen them do the impossible time and again with limited funds and resources. And they keep at it despite being paid considerably less than they would receive elsewhere. Something other than money and prestige is motivating these troupers.
At one point, I threw my hat in the ring for the top infosec job, and I almost snagged it. But my boss warned me, "You really don't want to get involved in politics at that level." Silly me. He was absolutely right. I was only thinking about security, not the likelihood that I would be consigning myself to even more frustration than I was already feeling. I probably would have ended up the fourth CISO to get kicked to the curb for all the wrong reasons.
But there is something compelling about having the opportunity to draft the information security vision for our state and then negotiating all the politics to bring the legislature and governor on board.
Now I have made my choice and moved back to the private sector. But I harbor hope that I can still effect change, from the outside. Wish me luck.
This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.
To join in the discussions about security, go to computerworld.com/blogs/security.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
