Security Manager's Journal: A fresh start at a company that gets security

This economic recession has cost all of us. In my case, it cost me my job -- twice. I was laid off first in 2007 after six years as the top security manager at a company where I had built the security program from scratch. I was laid off again just recently, after two years during which I first tried to build a new security program, but then had to cut my already very small staff. Finally the security program was shut down entirely.

Needless to say, I think that was a poor decision, and I don't say that because I lost my job. Just before the ax fell, I had been working on cost-cutting initiatives. I had hated cutting my staff, and I was determined to ensure that no more layoffs would be required. I figured that there had to be a better way to save money than ejecting large pieces of our corporate knowledge base.

After digging around, I found two very expensive services that the company was paying for while getting very little value in return. It looked to me as if we could eliminate those expensive and underperforming services, and then use our in-house staff and infrastructure to perform the same work at a lower cost and higher level of quality. But just as I was feeling good about the prospects of this proposal, I was called in to the CIO's office, where I found myself facing our HR director and a bunch of layoff forms. Clearly, the company had chosen to go down the well-worn path of cutting staff rather than reducing costs in other areas.

It was a devastating blow. But now I have a new position that I'm feeling pretty good about. My job-loss trauma was thankfully brief, and I can look back and realize that I'm probably better off not working for a company that made such terrible decisions.

I'm a security manager again, but in a different industry, and in a company with a different culture and work environment. This time, I don't have to start from scratch exactly; this company has many good security practices ingrained into its processes, mainly because the technical staff is young, smart and savvy -- they get security, and its importance. It looks like I won't have a very large staff once again, maybe two or three people, but the rest of the IT staff here is very aware of what constitutes good security practices, and that could make a huge difference. With everybody pulling in the same direction, I might not need a lot of full-time employees dedicated to security.

I'll be facing some new challenges here that I hadn't encountered in the previous eight years, but I've also learned some things from my experiences, so when familiar challenges present themselves, I'll react more effectively. For instance, I had to kick off my last security manager position with a focus on patching, as I tried to turn the steering wheel of a big company toward an effective program of consistently applying security updates to operating systems in a timely fashion. I had mixed results, but I learned in the process that it doesn't pay to push too hard in the wrong places. Instead, a collaborative approach with the IT administrators and a focus on getting management to provide the right resources and priorities can be more effective. That is a lesson that should be applicable in many situations, even though in my new company, patching is recognized as being important. It's being done, though not consistently and not comprehensively. I will need to raise the visibility and priority of the efforts so we can make improvements, but I don't have to try to get everyone to understand why it's needed. What a relief.

It's also good that our IT administrators have a pretty good hardening standard for their Windows and Unix systems, and they seem to be applying it uniformly. Account management is being done fairly diligently, although it could use some improvements, especially in the area of terminations and deprovisioning. Administrative access could use some fine-tuning as well; currently, everyone's an administrator, and there are many shared passwords in use. I'll definitely want to address that.

Overall, I would rate this environment 7 out of 10 in terms of general security practices. My first priority will be to start making small, incremental improvements in the current practices to make things better and introduce more maturity and consistency into the environment. This is a new challenge for me, one that I hope will be fun and exciting as well as successful.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.

Join in

To join in the discussions about security, go to computerworld.com/blogs/security.

Related:

Copyright © 2009 IDG Communications, Inc.

  
Shop Tech Products at Amazon