


Network Jockeys and Security Visionaries. Life in the InfoSec Sideshow.

Aug 09, 2007, 3 mins
Data and Information Security, Identity Management Solutions

Anyone looking at the job market can attest that openings for security engineers are a dime a dozen.  These are the guys that configure the firewalls, intrusion prevention systems, and all sorts of techno gadgets that protect us from the bad guys.  What you don’t see are masses of openings for security analysts or security officers. 

Is there really such a need for the techie engineer types?  My experience tells me that these guys are being used to handle security for the whole organization.  That is to say, Bob the security engineer is also being tasked with policy development, risk analysis, and selling security across the business.  Is this really a good idea?  Think about it a moment.  You know this guy.  He sits down the hall from you.  He’s the one with the Dungeons and Dragons figures on his desk, coffee stains on his shirt and crumbs in his beard.  Sure, he’s a nice guy, quirky, but nice. 

Now imagine putting Bob in front of your boss to propose organizational changes that will improve security across the company.  Bob starts spouting off about ARP poisoning, static routes, LDAP, and a cacophony of other acronyms.  If your boss ever recovers from the mind-numbing “presentation”, rest assured that you will take a black eye for the fiasco.

Why then does business forgo the security visionary, those of us that can build a security program from the ground up?  Let’s face it, we don’t make ourselves known.  In the mainstream at least, ours is a very new profession, whose growth is hastened largely by legislation.  Every time I tell someone that I am the Chief Information Security Officer, I know what the next question will be.  “So you’re a police officer.”  I get this so often, I have considered getting shirts printed that say, “No, I am not a police officer.”  I may even get it printed on my business cards.

I believe that because our profession is so new, most businesses haven’t realized its value.  They solve security problems the way they solve network or technology problems, by tossing money or hardware at the problem.  Money and technology are great, don’t get me wrong.  In fact, if anyone wants to send me either I’ll be happy to take it off of your hands.  Money and technology can solve a number of security problems, but if you don’t look at the whole security picture through the eyes of the security visionary, how can you know that you have solved the problem, or that there was even a problem to solve in the first place?  The security visionary looks at the whole business, not just the packets on the network.  The visionary determines what level of risk the business can bear, where those risks lie, how best to mitigate those risks to an acceptable level, and most of all builds security into the culture of the business.  I doubt that you’ll find that in any off-the-shelf network jockey turned firewall administrator.

Until business matures and sees the need for our services, I am afraid that my security brothers and sisters are destined to remain in the shadows.  But don’t be afraid, people think that we’re police officers, so no one will bother us.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.