Friday 1 June 2007

The Lonely Life of Security Management

Interested in a career in Information Security? As well as a good foundation of Information Security knowledge, the courage of your convictions, basic common sense and a ton of enthusiasm, there is one other aspect to consider before taking the career plunge.

The role of an Information Security Manager / Officer, especially in a small to medium sized company where you are a one-man security department, can be a lonely one. Sure, one aspect of the job is that you have involvement with every department and person within the organisation, but let me explain why it can still be lonely:

1. It's great to think you'll always get management backing, and if you end up working for a decently security-focused (or security-concerned) organisation you generally will. That backing is essential if you are to be successful in security management. However, there will always be some managers who disagree with your security stance, risk evaluations and recommendations; sometimes they don't like being told what to do, or your recommendation is going to cost them part of their budget. So you will probably have to lock horns and bring management round to your way of thinking, or at the very least get them to formally accept ownership of the risk if they won't. On occasion it can get very political, but without decent senior management backing you just aren't going to get very far in the role. Expect your popularity with management not to be too clever; even when they are on board, you are causing them pain and budget costs. Remember that business managers are, in general, risk takers by nature, and most don't really value information security until there's an actual incident, by which point it's too late. Most of the security management role is fairly invisible to management, because it consists of ensuring incidents don't occur in the first place.

2. Nobody likes change, especially when it adds to people's workload. So as you go about tweaking and introducing those all-important security policies and practices, even if you fully explain them to the users and they accept the need, you won't be overly popular; it's a human nature thing.

3. As a security professional concerned for an organisation, there will be times, as you walk through the offices or conduct audits, when you pick up on user-related security issues, such as PC desktops left unlocked and printouts of confidential documents left on unattended desks, and you will have to "slap wrists" to ensure users continue to conform to the company's policies. You can't afford to be overly nice, otherwise the security policies won't be worth the paper they are written on. Remember that you are reliant on users to enforce most of your security; they are the weakest area. When dealing with end users I always try to be as positive as possible, adding humour and explaining the risks, but there will be times when you have to deal with serious security breaches, which can lead to HR disciplinary action. So you just have to accept that most users will look upon you much as you look upon a parking warden.

I suppose all managers need to be "thick-skinned", and most Security Managers understand this, but if you are coming from a techie "fun-loving team" background into Information Security management, as most are, it's something to think about.
