Three Ways to Keep the Dream Alive

Career getting too predictable? We profile three security execs who found ways to keep their jobs exciting and their careers moving forward.

The inimitable Boz Scaggs sang "Once a story's told/it can't help but grow old," and though the '70s pop icon was crooning about love, the same could be said for your career. Even the greatest jobs, over time, can turn into a grind.

A sizable part of this issue of CSO has been devoted to dream jobs—where and how to find them, and ways to keep them. This story is a logical endgame: how to reinvent yourself once time has dulled the luster of a dream job. In essence, what do you do to maintain a dream career?

Mind you, we're not talking about people whose dream jobs, through some catastrophic security event, become nightmares, but rather people whose jobs just become, well, unrewarding. Boring, or different from what they started as, or worse, mind-numbingly the same as when they started.

Building a security department from the ground up, for example, may be a dream job. But once that's done, it can leave a person with the feeling you get after finishing a great book, a feeling of "Now what?" Or perhaps the opportunity to work in a specific industry or with a specific team is what made a job enticing to start. Then, the company was acquired, or management changed. The dream is over. Likewise, this growing pile of regulations that security officers face can turn a dream job into a monotonous management millstone—CSO as audit jockey.

"You could find a long-term home, I suppose," says Ken Stephens, a self-described "mover" who recently left GE Healthcare to become CISO of Fair Isaac. "But there's also a certain amount of swimming forward you have to do. You have to keep going, otherwise you get stuck and stagnant and then you're not nearly as productive."

Dreams aren't always forever, so you have to make new ones. Here we address those of you who find yourselves in roles that have outlived their excitement, who sometimes stare out the window in a Walter Mitty state, imagining other security-related jobs that would make getting up for work joyful again.

We found three security professionals who have used three distinct strategies to keep their careers dreamy. These are their stories.

The Revenue Generator

Scott Hamrick, CISO, GE Healthcare

Career path: CISO, then a client leader for GE Consumer and Industrial

Dream aspects of his job: developing products, boosting revenue

In 2001, Scott Hamrick was CISO of GE Industrial Systems, one of the six subsidiary states that make up GE Nation, and he was frustrated. "It started out fun, but it got so tiresome," he says. The role was "ops focused," he says, and "the only time we talked about the bottom line was when we were figuring out how not to take stuff out of it."

Hamrick was disillusioned enough that in 2003 he took the job of client leader at the GE consumer and industrial systems division, a move that allowed him to interact with users. But soon after, Hamrick received a most intriguing call from another of GE's states, GE Healthcare.

Healthcare wanted Hamrick, 37, to be their new CISO. Having abandoned a similar job out of frustration, Hamrick was reluctant. But then Healthcare put something on the table that intrigued him. "They told me they wanted me to spend time with product engineers," he says.

GE, it turns out, had decided it was time to turn technology away from cost-center activities and refocus it on revenue-generating opportunities. The medical technology GE Healthcare makes—heart monitors, ultrasound, DNA and genomic diagnostic equipment—needs security just like e-mail servers do, and sometimes it needs more security due to FDA rules. Hamrick saw the chance to have a big impact on the business, "but I told them it was important they let me define how the role would interact with product engineers and sales." They agreed. He said he'd spend about 50 percent of his time on the revenue-generating part of the job. They said, in so many words, Go nuts.

"Now I get to spend half my time increasing the bottom line," Hamrick says, still with a bit of wonder. "I mean, think of the reach I can have now. I can help us build better products. Better products are easier to sell. Easier to use. It definitely energized me."

Hamrick's job was a dream again.

His first task upon taking the job was to reorganize information security and the CISO position to focus on product development as much as operations, and he started with a broad stroke. "The first thing we did was divest our operational security resources and move them into the network [IT] teams," he says. The operational security team of more than 2 dozen reports into the IT department and has a dotted-line relationship to Hamrick. The strategic team is much smaller—four people—and reports directly to Hamrick.

This is how the team works: The strategic team comes up with a plan to ameliorate a security issue—last year, for example, the group devised a method to distribute vulnerability patches. With the operations group handling the internal security tasks, Hamrick's free to work with sales staff and product managers on product security and development. He develops risk-based strategies for adding security to products, and he even gets to work with customers who have specific security issues or concerns. This is the part of the job Hamrick loves.

He's also energized by other challenges this position creates. For example, he says, "My challenge is influence. I have to encourage the operational team to work with me and for me, even though they don't directly report to me." He does this by cultivating relationships—something new for him—with the top managers for security operations. Those relationships so far have panned out, he says. "A few slipped through cracks, but I'll give myself a pass. We did a lot of transitioning last year."

As for the half of the job that's focused internally, on operations, Hamrick says, "anything you do on the ops side you have the ability to apply to the product side." So, for example, he took the processes he designed for internal antivirus, patch and software distribution and applied them to GE Healthcare's products, which run on 25 variations of the Windows and Linux operating systems. "You have to tweak the process to adhere to FDA regulations," he says—regulations that force you to validate software changes before distributing them. "And you have to think logically," he adds. "A heart monitor can't have a 20MB agent running on it with lots of overhead, but the process is much the same."

The result: "We went from a six-month patch distribution cycle to seven days," Hamrick says. Happy engineers. Happy salespeople. Happy customers. GE Corporate has asked Hamrick for a presentation about his customer-focused successes.

He believes he has a dream job and hopes other companies start to treat the CISO position as a bottom-line contributor.

"I've come to realize that I possess information that no one else in the business has," Hamrick says. "It's more than being a subject matter expert; I have a monopoly on these ideas, and if I don't provide them, no one else can. It's up to me how much I will or can provide."

The Omnivore

Thomas B. Baines, MA, MPA, JD

Titles: attorney, licensed private investigator, certified forensic consultant, ASIS security professional

Career path: special ops/intelligence officer, program manager in National Lab, attorney, investigator, consultant

Dream aspects of his jobs: applying varied disciplines to security

Each Friday during the 1990s, as senior program manager at Argonne National Lab in Chicago, Thomas B. Baines would sit at a cafeteria lunch table with the old-timers. "Chemists, physicists, guys who'd been there since God invented atoms," Baines says. They'd talk shop, and Baines would listen. If he got lost, Baines would ask them to explain what they meant, and they would. It was like a minor-league ballplayer getting to hang out with Ted Williams, Joe DiMaggio, Sandy Koufax and Satchel Paige every Friday. Over the years, Baines says, he got a graduate-level education in theoretical and applied physics that you couldn't buy.

But what could this have to do with security? Nothing, specifically, Baines says. What does it have to do with his security career, one in which he's never been unhappy? Everything.

Baines's security career is peripatetic. He's never been a CSO, exactly, but he's always worked at the highest levels of security, first as a special operations and intelligence officer in the military. He earned degrees in law, economics and political science. After that, he was senior program manager for Initiatives in Security and Infrastructure Protection at the National Lab. Then he started a security law practice that focused on many corporate security issues, notably human resources issues around hiring in classified settings (such as a National Lab).

Along the way Baines also got his PI license and was certified in forensic consulting. And while practicing law, he's also consulted for a company that trains personnel across the gamut of security functions, from corporate security to armed escort, hostage containment, crowd control, even electronic crimes. He does investigations and analysis for cargo/transportation clients as well as several federal agencies.

For Baines, 68, every job has been something of a dream. And he attributes his happiness, in part, to efforts he made to educate himself beyond security. Efforts like his Friday lunches with physicists. "Each time I took on a new security challenge," he says, "it was somehow dependent upon what I learned and picked up someplace else."

Increasingly, Baines believes, security professionals set off on a career that is narrow and disengaged from other disciplines. Even within general MBA programs, he sees a kind of market efficiency at work whereby all problems have templated solutions, and it's a matter of memorizing those templates that puts one on a career track. But, he says, that works against the prospects for long-term job satisfaction in security.

"If you lock yourself into saying I am a security officer, and that's what I need to know about, you're going to cut yourself off from a lot of opportunities," says Baines.

Worse, you probably won't excel without some broader education. For example, right now, Baines says, "what's got me turned on is comparative religion. All of the stuff going on, the conflicts between the West and the Middle East, between Israel and Palestinians, it's about the cultural context of religion." What's that got to do with security? "Say your company operates in that world. You better be able to react not just from assumption about what it's like there, but from real knowledge. You better know what's going on. I first learned this in special ops and intel."

Baines says he does value a technical security education, but he believes more professionals would have fulfilling careers if they put that technical training in a broader context. Happiness in a job, he says, comes from being numerate, literate and articulate. Not about security, specifically, but about the world in which security exists.

Put plainly, Baines says, "My great-grandmother used to say, 'Get as many strings on your bow as you can.'"

Project Maven

Jennie Clinton, senior manager, business continuity management, T-Mobile

Career path: security posts in five industries, business continuity recovery leader at AT&T Wireless

Dream aspects of her job: Freedom to build a department from the ground up

Jennie Clinton's career strategy follows a simple philosophy: "I'd rather be a clock maker than a clock-watcher."

That is, Clinton likes the process of building more than the process of managing. For her, keeping the trains running on time isn't nearly as interesting as having a major project to tackle. So imagine how happy she was when, about a year ago, T-Mobile offered her the opportunity to build a business continuity group from scratch. "This is the kind of thing that gets me excited to come to work," says Clinton, who is T-Mobile's senior manager of business continuity management. "For me, building something gives you that immediate sense of making a difference. It's much more rewarding."

At T-Mobile, Clinton is part of a broader security reorganization (see "Reinvention in Progress"), but she has been given broad sway over business continuity. While she doesn't regret the choice to come to T-Mobile, she says the "dreaminess" of the job was tested early and often. Her first year was one of the worst hurricane seasons in history. "I had only been here a few months, and I was coming from an organization with 30 people. Here we were two. So we're trying to implement a smooth system while also having to deal with hurricane after hurricane. By Hurricane Wilma, the passion wasn't always there."

Hurricane season ended and, eventually, a renewed vigor on Clinton's part followed. Her organization has grown to four full-timers and three contractors and she's again relishing her project focus.

Before T-Mobile, Clinton won industry recognition for building AT&T Wireless's business continuity and disaster recovery functions. To keep that job fresh for the eight years she worked there, Clinton kept conjuring up new projects to take on.
