To Phish or Cut Bait – The CISO’s Dilemma

    If you are at all familiar with my blog, then you have fallen victim to my occasional rants demeaning inept CIO’s. And you have probably correctly surmised that I speak from my own personal experience with an inept CIO (or two). Young as I pretend to be, I have learned one very valuable life lesson. If you’re not happy at work, then you’re not happy at home.

    Needless to say given my obvious “dissatisfaction” (The Guinness Book of World Records has officially certified this as the understatement of the century.) with my JOB, my life at home was pretty much in the toilet as well. As my benevolent grandfather once told me, “boy, you gotta sh#@ or get off the pot”, or in security lingo, “phish or cut bait”. After 8 long years, 6 of which were fantastic, I finally decided to cut bait. Apparently 8 years as the CISO for one organization is relatively rare, but I managed to tough it out far longer than I should have.

    It wasn’t one thing that finally drove me over the edge. Oddly, it was several things all perpetrated by the same person. I know that several of you are in this same predicament and I’m here to say that the grass is actually greener in another security pasture. Our industry is growing even in this national economic downturn. Even today, I receive dozens of calls from headhunters looking for experienced security professionals. I suppose that makes it a seller’s market of sorts.

    For me, this was an easy decision. After “voiding” all of the security policies I had worked to have adopted, tossing me under the proverbial bus at every opportunity, removing what little authority I had managed to scrape together, I finally woke up when my computers were taken away. Don’t ask why, because it makes about as much sense as a screen door on a submarine. I’m not sure why I didn’t leave sooner, I suppose it was some measure of dedication that I felt to the program that I had painstakingly built. In any case, when I finally came to my senses, I couldn’t get out of my position soon enough. I interviewed at Dartmouth, the University of Texas, and a few other schools, but finally decided that I wanted to try something new, outside of the chaos that is known as our higher education system.

    I’m glad to say that I landed a position with a very talented group of people who impress daily me with their professionalism and wicked smarts. Oddly I have found scant traces of either within the majority of college and university security shops, which is probably a direct result of the pittance that higher ed. pays its non-faculty. Don’t get me wrong, I don’t hate higher ed., its just that after almost a decade of working in this industry, I see serious problems with how MOST schools address information security.

    This entry is more personal than those I typically post, but in speaking with a number of my peers, job dissatisfaction is quite prevalent. Hopefully, sharing this story with you will help you decide if you should phish or cut bait…

    One added note, my five year old daughter put my new job into perspective a couple of weeks ago when she sat in my lap and said, “Daddy, you sure are a lot nicer since you got your new job.”