Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

C’est magnifique, mais ce n’est pas la guerre ... (“It is magnificent, but it is not war ...”)

I was in a meeting the other day with a new employee who was a supervisor of another group.  We were all talking about how difficult it was to find time to do the “soft management activities” with our team, and he opined that managers shouldn’t be busy with “work” (quotes his, not mine), and that managers should be getting the work done through their teams, not doing any of it themselves.

To which I bit back a hearty HAHAHAHAHAHAHAHAHAHAHA.

Boy, is he going to be in for a surprise in a year or two.  The fact of the matter is, when you’re a manager, you end up doing more work, not less.  Not only are you supposed to keep tabs on what your people are doing (at least the direct reports, which in my case is ten)—which means that you’re mentally keeping track of several jobs alongside your own—but you’re supposed to be managing up, down and sideways, while addressing issues that your people simply can’t.

For example:  in the past couple of weeks I’ve covered various meetings for members of my team who couldn’t be there themselves; reviewed and rewritten various statements of work before they went to the contracts people; created a presentation for my boss to present to his bosses; interrogated vendors on their security setups; scored job applications, made interview decisions, picked interview panels, and scheduled interviews; performed tech support for high-level executives who had, shall we say, confidential issues; written two policy papers; reviewed and signed numerous business case documents; consulted the deputy general counsel on a politically charged phone call I received; sat in on external audit meetings; revised some budget plans; presented at the regular new employee orientation; and thrown together an equivalent orientation preso for contractors that has to be given three times this coming week.

Notice that very little of this has anything to do with the “real work” that my team does, which includes running network security devices, managing our encryption products, reviewing code, performing scans and pentests, troubleshooting production issues (to prove it’s not “the firewall”), and staffing a hotline while performing user account administration for about 40,000 users.  It also doesn’t include the personnel management things I do, like coaching them in this work, tracking work and leave schedules, and organizing training.

Nobody would trust me with a root shell these days; it’s been too damn long.  But I’m called upon to make decisions on every level, from recommendations on policy at a statewide level to whether to set a particular firewall rule.  I may not be able to run Nessus myself, but I have to know how it works in order to decide when and where it will be used, explain the reports to an auditor or a manager, and defend the group against allegations that we broke something on a server by scanning it.  If something does happen in my area of responsibility, I’ll be the first one on call from anyone above my pay grade, not my team.  And even though my management level is officially eligible for comp time, we very rarely accrue any; my boss expects us just to suck it up and get the work done without looking at the clock.

So it’s work, Jim, but not as we know it.  I haven’t got a lot to contribute to the talk of most categories of security folk who do deep work:  the researchers, the vendors, the analysts, the people who do the monitoring and the forensics.  I can only converse in breadth with a very special subset of the security industry:  the (C)ISOs—and you can recognize us by the arrows in our chests and our backs.


Charge of the Light Brigade. Painting by Richard Caton Woodville (1825-1855)

Posted by shrdlu on Monday, September 01, 2008
