When Security Doesn’t Matter

More than a decade ago, when I was a wet-behind-the-ears security newbie, I had grand notions that I could save the world.  The hacker was romanticized on the movie screen and I was going to be that guy that could catch them all.  If you have ever built an information security program, you can imagine that reality soon set in.  Here I sit years later, with a well-established career, and I have come to realize that I have been hit with a big dose of reality once again.

Security doesn’t matter… at least not to everyone.  Don’t get me wrong, I’ve fought this battle before.  You know which one I mean.  It’s the, “we have a firewall”, “just buy a security device”, “nothing will ever happen here” battle.  We’ve all been there and have the battle scars to prove it. 

But what happens when the non-believer is the CIO?  Believe it or not, it happens!  I mean come on, how can a Chief Information Officer not grasp the significance of Information Security.  It’s like a monkey not grasping a banana?  It’s well, unnatural.  So what do you do when you find yourself in this position?  The way I see it, you can get going or get out.  You can get going “selling” security to the CIO (Use lots of pictures… wink – wink.)  or you can get out on the job hunt.

If you decide to fasten your seat belt for the bumpy ride down the CIO trail you really need to try to pinpoint why security isn’t prioritized.  Does the CIO have an IT background?  Does she understand the role of the information security function?  Has her attention been grabbed by a co-worker who is of the same mind? 

Convincing a CIO to give you a seat at the big table can be tricky, but if you have built your security foundation well and have the support of your peers and some level of management, you have a shot at igniting the masses and forcing the CIO to take notice.  Take it from me, this takes a lot of time, patience, and single-malt scotch!

Some folks might not find it worth the work to fight the battle again and again, particularly with your boss.  For me, the choice is simple.  Working in higher education at a relatively small campus I am fortunate to be able to interact with the students, faculty, and staff whose identities and dollars I work to protect. 

****This is the portion of the blog where you should hear dramatic, yet heartfelt music playing in the background****

I have a genuine concern for these folks and am simply dumbfounded when others don’t see how they put these kids’ futures at risk.  When I rant to people about this I say that it’s like putting your child in the car without a car seat.  Sure you can do it.   It’s easy.  You don’t have to spend your hard earned money on a car seat.  Your child may not even realize the difference.  But what happens WHEN your car is in an accident?  It really is not that different with information security.  A student’s identity gets stolen, their credit gets ruined and they fight for years to restore their good name.  I’ve seen it happen and there are no quick fixes.

So those of us that are brave ( visualize a flag flapping gently in the background)  come to work every day, toss on our armor, grab our swords and battle it out with the security infidels. 

CISO’s really need an epic poem or song praising us, maybe I’ll work on that…  after the aforementioned single-malt scotch.