Computerworld - Every so often I meet with a group of my peers to trade war stories about life in the security trenches. Mostly we swap technical hints and tips about what works when trying to sell security to management. Recently, the topic was manager and staff issues.
The discussion revolved around what makes a good security staffer or manager. We all agreed that bright, inquisitive people seem to do well and that a mix of technical and people skills is vital. But these qualities are general and hard to identify in the people around us. It is difficult to provide guidance on what anyone who wishes to succeed should do, but in speaking to my colleagues, I've come up with some simple things to avoid.
The Arrogance Trap
The most common trap that security managers fall into is being arrogant. I'm sure I have suffered from this weakness myself at times but hopefully not as badly as some of the folks my colleagues have described.
A good security manager must have confidence in his abilities and make snap judgments under pressure. The problem is that these traits, when exaggerated, become a weakness.
I used to have a boss who would always show off the work he did to everyone he met. He also abused a secure investigations room our staff had set up for storing all of our tools and evidence from investigations. We had set a policy that everyone who entered that room had to be signed in and out. But this manager would hold meetings with external suppliers in the room because, I suppose, he felt it made him look like a security professional when he was surrounded by all the equipment - and white boards with the progress of investigations written all over them.
We kept a log of everyone involved in each investigation, such as those from the legal department and human resources, so we would know who had the details if the information leaked. This same chap used to boast over drinks at conferences about his work in such detail and with such a lack of discretion that I had to add workers at an external company to one list as knowing the full details of an investigation.
Such arrogance clearly can imperil the confidentiality that a security manager is supposed to protect, but an overzealous manager can also err by going too far the other way, hiding too much of the details of what he does. This "I'd tell you but then I'd have to
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
