


When Security Doesn’t Matter

Sep 06, 2007
Data and Information Security | Identity Management Solutions

More than a decade ago, when I was a wet-behind-the-ears security newbie, I had grand notions that I could save the world. The hacker was romanticized on the movie screen and I was going to be the guy who could catch them all. If you have ever built an information security program, you can imagine that reality soon set in. Here I sit years later, with a well-established career, and I have come to realize that I have been hit with a big dose of reality once again.

Security doesn’t matter… at least not to everyone. Don’t get me wrong, I’ve fought this battle before. You know which one I mean. It’s the “we have a firewall,” “just buy a security device,” “nothing will ever happen here” battle. We’ve all been there and have the battle scars to prove it.

But what happens when the non-believer is the CIO? Believe it or not, it happens! I mean, come on, how can a Chief Information Officer not grasp the significance of information security? It’s like a monkey not grasping a banana. It’s, well, unnatural. So what do you do when you find yourself in this position? The way I see it, you can get going or get out. You can get going “selling” security to the CIO (use lots of pictures… wink, wink), or you can get out on the job hunt.

If you decide to fasten your seat belt for the bumpy ride down the CIO trail, you really need to pinpoint why security isn’t prioritized. Does the CIO have an IT background? Does she understand the role of the information security function? Has her attention been grabbed by a co-worker who is of the same mind?

Convincing a CIO to give you a seat at the big table can be tricky, but if you have built your security foundation well and have the support of your peers and some level of management, you have a shot at igniting the masses and forcing the CIO to take notice. Take it from me, this takes a lot of time, patience, and single-malt scotch!

Some folks might not find it worth the work to fight the battle again and again, particularly with their own boss. For me, the choice is simple. Working in higher education at a relatively small campus, I am fortunate to be able to interact with the students, faculty, and staff whose identities and dollars I work to protect.

****This is the portion of the blog where you should hear dramatic, yet heartfelt music playing in the background****

I have a genuine concern for these folks and am simply dumbfounded when others don’t see how they put these kids’ futures at risk. When I rant to people about this, I say that it’s like putting your child in the car without a car seat. Sure, you can do it. It’s easy. You don’t have to spend your hard-earned money on a car seat. Your child may not even notice the difference. But what happens WHEN your car is in an accident? It really is not that different with information security. A student’s identity gets stolen, their credit gets ruined, and they fight for years to restore their good name. I’ve seen it happen, and there are no quick fixes.

So those of us who are brave (visualize a flag flapping gently in the background) come to work every day, toss on our armor, grab our swords, and battle it out with the security infidels.

CISOs really need an epic poem or song praising us. Maybe I’ll work on that… after the aforementioned single-malt scotch.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, and Georgia Department of Audits and Accounts, and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation’s information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.