The great balancing act.
I was thinking about Lieutenant Worf this morning.
Poor old Worf. He inherited his security job from a colleague who was killed by a slimeball (an actual one, not a metaphorical one). You never really got to see him doing anything security-like except practicing how to kill people. Now, I’m not saying that having a batleth mounted on my wall wouldn’t help in motivating some more compliance in people who visit my office; the handcuffs I’ve already got attached to my desk drawer do cause a few amusing double-takes. But that’s the very smallest portion of my job. And it was probably only a small part of Worf’s, too.
Come to think of it, IT security doesn’t really get good treatment in any kind of media. Especially Hollywood—you’ve either got bad guys and the macho security guys who do battle with them, or in the very rare case you have lovable, quirky, anarchistic hackers. (I do collect the latter, but not for the purposes of taking on The Man.) In any case, nothing I read about describes my actual job all that well. (Mike Rothman’s The Pragmatic CSO comes close, except that I don’t do the hokey AA meeting crap.)
My job is a balancing act, pure and simple. It’s a balancing act of risk, reward, enforcement, and manipulation. My job is to get my organization to follow its own rules. Secondarily, it’s to help my organization make good decisions in how to follow its own rules, when the way isn’t clear. I’ve already said that a lot of security is working out the exceptions to rules, and that’s where the risk assessment part comes in on a daily basis.
But unless you’re in the military or a similar environment, where you have any hope of issuing Commands to Be Followed, the rest of the job is a balancing act between being persuasive to people who don’t necessarily have to do what you say, and at the same time being firm enough to be able to push things through when it’s called for. That requires a heckuva lot of intuition and knowledge of psychology. My lovely and talented webmaster has said that I speak softly and carry an enormous stick; I suppose that’s true. But I’ve almost never had to lay hands on that stick, and if I did, I would consider myself to have failed in my primary mission, which is to convince people in my organization to Do the Right Thing.
Sometimes I cheat and wear them down by persistence; I’ll cop to that. But more often I just go to the right decision-maker and say, “Here’s what I understand our policy to be. If that’s the case, what do you want to do here?” The decision-maker is the one to do the enforcing. When enforcement fails, I sometimes get called to gather the evidence for the disciplinary action, but that’s the extent of my role, no matter how much it might be whispered otherwise among people who generally aren’t in the room when this stuff goes down.
It’s all tightrope work. How to meet the legal requirement of informing people that you can and might be monitoring them at any time, for any reason, without rubbing their noses in it so that they feel like they’re living in a police state. How to reassure them that you don’t monitor without several levels of authorization and a lot of justification, without leading them to think that they have a legal expectation of privacy. How to explain to them that they just did something really stupid without making them defiant enough to want to do it again. How to pass the Responsibility Hand Grenade across the board room table, and get the other side to accept it. How to grant an exception to policy while making sure the door doesn’t get opened even wider next time. How and where to deploy resources and money to get the maximum value. How to pick which fires to put out, every hour of every day.
With the exception of the occasional virus infestation, which I treat more like a cockroach sighting than an Epic Battle ("dammit, who left food out on the counter again??"), I don’t have any Bad Guys to fight. There aren’t any Bad Guys. There are just us, the enemy within, and I spend much more of my time acting like Jiminy Cricket than Jack Bauer.
It’s probably just as well. His underwear would never fit me.
Posted by shrdlu on Sunday, April 08, 2007