Undercover
The CSO's First Security Assessment
The first security assessment at my new employer wasn't supposed to be personal. It just ended up that way.
By Anonymous
His Case (and Mine)
When I returned from the conference, armed with new information and zest for the job, I found a meeting request from the CIO for early Monday morning. The first thing the CIO asked was, "Are you committed to this company?"
As I sat there feeling stunned, he presented me with a case he was building for my termination. At least at the surface, it had nothing to do with the risk assessment. It centered on three things: He said that I had neglected to respond to a critical e-mail, missed an offsite vendor meeting and failed to return from the conference a day early for a last-minute meeting. He said I had until Friday to prove I was committed to the company, or we would be having a different type of conversation about my leaving the company.
I spent hours that week gathering evidence to prove him wrong. Meanwhile, my manager had gone missing—I didn't even hear from him until Thursday. As near as I can figure, once the CIO turned on me, my manager took his side, ever the yes-man.
To make my case, I printed out an e-mail I had sent in response to the e-mail the CIO mentioned. I found weather reports and airline information that showed that my earlier flight back had been canceled. I showed that I had arranged for a staff member to attend the vendor meeting in my absence.
I made two copies of everything—one for the CIO and one for me—and ventured into his office on Friday. We reviewed the data without fanfare, and the CIO did not apologize for the accusations. Clearly more was going on than he was saying, so I asked him what this was really about.
He was surprisingly up front. "Are you trying to get me fired?" he asked. Then he told me, in a roundabout way, that in the past there had been people who came into the company and tried to have him and other members of the senior management fired. He had taken my description of vulnerabilities in the company's IT systems as a personal attack. If ever there were evidence that it's a conflict of interest for the CSO to report to the CIO, I was facing it.
What was particularly odd about our conversation was the matter-of-fact fashion in which he addressed me. I tried to explain that I wasn't going after anyone in particular—I was just trying to do my job. I told him that while the CIO and CSO are supposed to have some professional tension, in no way was I trying to get him fired. I was only trying to let him, as an officer of the company, know where our weaknesses are. Furthermore, I wasn't suggesting that all the code had to be rewritten. There were other things we could do, such as purchase an application vulnerability scanner, train the coders on writing secure code and deploy application-layer deep-packet scanning tools.