Many CSOs might prefer that the issues raised by Facebook, Twitter and blogs just go away. Not United Collections Bureau CSO Erin Jacobs. She has embraced social networking to create her own forum for pushing the boundaries on the matters she holds dear: security, Mac OS X and gender issues in information security. Not your average CSO, Jacobs has cultivated an online presence using the handle SecBarbie (www.secsocial.com/blog).
CSO: Why did you start the SecBarbie blog?
Erin Jacobs: When it started in '05, it was about security sociability. I'd blog for humor, lightheartedness, post about things that amused me. I never anticipated any sort of following or readership. It is a space where I discuss security industry-related challenges I experience in my workplace, or discuss vendors. It was just my blog, very self-serving. I really don't think of it as being on some high horse or a huge pedestal.
Often, I am using SecBarbie to just poke fun at myself.
Is it your mission to raise the profile of the security profession?
Actually, I am attempting to elevate and cultivate gender awareness in this industry. There are fewer women entering the computer profession today than in 1980. In 1980, there were not nearly as many career choices available to women as there are today. So to see that number go down is concerning.
Do you think there should be more women working as security professionals?
I'm not sure if that matters. But all people should have the same opportunity. Due to the way we are weighted, there won't be as many C-level women. For example, Apple has no women in C-level management. Is Apple not welcoming? Not the case. We simply are not keeping women engaged in regards to what is available. I think part of it is that we are doing a bad job of teaching information security to (female) teenagers.
As a security professional, does your own use of social media create any challenges for you?
Social media is giving us a ton more challenges than we ever expected. People are putting all this info out there. For safety purposes—whether it's for a teenager or an organization—it's all the same. What is out there—all of it—will stick, permanently. Where is the dividing line between what you do at work and on your own personal time, and where is the jurisdiction for that in an organization?
I have to apply those guidelines to my own use of social media. I am very careful about what I will disclose online. There is never any mention of my family. In fact, I actually don't have any family members on my Facebook page. This is a personal safety issue. If I'm putting myself out there, I feel there needs to be a line between public and private life. And I'm a tech geek; I would like to do a lot more with it than what I actually do.
How has your work in collection management shaped your approach to security management?
As part of my training in my first accounts receivable organization, I was told that I needed to understand every working part of the business to understand my role in it. So they made me train in every aspect of the business: The mail room, collections floor, posting, finance, IT staff, reception. I worked in every functioning role. It's humbling. And valuable. It raises awareness of what your role is in the organization—manager or director, IT or IT admin. Too often, we get caught in our silos and forget what the big picture is.
Can you name one of the biggest mistakes you've made during your security career and what you learned from it?
Earlier in my career, I had concentrated too much energy on regulatory compliance and audit control. Yes, it is a driving role for a CSO to ensure regulatory compliance and that the audit is passed and is running smoothly, but that is not the real and whole world of security. I had to learn to prioritize risk and communicate that need to my peers and ensure that those priorities are not dictated by audits. It's a mistake to become a checklist CSO, rather than being focused on the real role, which is to focus on the risk to the organization.
What principles are essential to security leadership?
A degree of humility is very important. You need to remember where you came from and what it is like to be in other positions, and be able to see the world through those eyes. You have to go to facilities, get out with people and stay engaged with them on a day-to-day basis. You have to understand what is going on.
You also have to be open-minded. It is important to remember that what might have been right in one moment may need to be revisited at another time. You have to evolve as a security professional. You can't have your head so high up in the clouds that you don't recognize when new things—like social media, for example—are evolving. We have to ensure that we stay on top of everything.