


To Phish or Cut Bait – The CISO’s Dilemma

May 22, 2008 · 3 mins

    If you are at all familiar with my blog, then you have fallen victim to my occasional rants demeaning inept CIOs. And you have probably correctly surmised that I speak from my own personal experience with an inept CIO (or two). Young as I pretend to be, I have learned one very valuable life lesson. If you’re not happy at work, then you’re not happy at home.

    Needless to say given my obvious “dissatisfaction” (The Guinness Book of World Records has officially certified this as the understatement of the century.) with my JOB, my life at home was pretty much in the toilet as well. As my benevolent grandfather once told me, “boy, you gotta sh#@ or get off the pot”, or in security lingo, “phish or cut bait”. After 8 long years, 6 of which were fantastic, I finally decided to cut bait. Apparently 8 years as the CISO for one organization is relatively rare, but I managed to tough it out far longer than I should have.

    It wasn’t one thing that finally drove me over the edge. Oddly, it was several things all perpetrated by the same person. I know that several of you are in this same predicament and I’m here to say that the grass is actually greener in another security pasture. Our industry is growing even in this national economic downturn. Even today, I receive dozens of calls from headhunters looking for experienced security professionals. I suppose that makes it a seller’s market of sorts.

    For me, this was an easy decision. After “voiding” all of the security policies I had worked to have adopted, tossing me under the proverbial bus at every opportunity, removing what little authority I had managed to scrape together, I finally woke up when my computers were taken away. Don’t ask why, because it makes about as much sense as a screen door on a submarine. I’m not sure why I didn’t leave sooner; I suppose it was some measure of dedication that I felt to the program that I had painstakingly built. In any case, when I finally came to my senses, I couldn’t get out of my position soon enough. I interviewed at Dartmouth, the University of Texas, and a few other schools, but finally decided that I wanted to try something new, outside of the chaos that is known as our higher education system.

    I’m glad to say that I landed a position with a very talented group of people who impress me daily with their professionalism and wicked smarts. Oddly, I have found scant traces of either within the majority of college and university security shops, which is probably a direct result of the pittance that higher ed. pays its non-faculty. Don’t get me wrong, I don’t hate higher ed.; it’s just that after almost a decade of working in this industry, I see serious problems with how MOST schools address information security.

    This entry is more personal than those I typically post, but in speaking with a number of my peers, job dissatisfaction is quite prevalent. Hopefully, sharing this story with you will help you decide if you should phish or cut bait…

    One added note: my five-year-old daughter put my new job into perspective a couple of weeks ago when she sat in my lap and said, “Daddy, you sure are a lot nicer since you got your new job.”

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.