Information security and the flaming sword of justice

There have been times in my career where I found it almost necessary for me to breathe into a paper bag after hearing some asinine positions on what security should be. I have encountered what I like to refer as the “flaming sword of justice” far too often over the years. There are security practitioners who have a rather fractured view of our place in the corporate food chain.

There was a huge push by security folks years ago, less so now, that wanted to have the ability to fire people for the most trivial infractions. This attempt to grasp for what they perceived as power was a disturbing trend that I saw play out several times in particular.

The infamous Twitter DDoS was one that I can’t help but to roll my eyes about even now. I have never been an advocate of draconian security practices and I have actively argued against them repeatedly. I ran afoul of an internal information security member at a company where I was working in the network security team. This person did not care for me and was tenting their fingers with glee as they confronted my management with a print out of web traffic.

This information security person was of an opinion that they had me dead to rights. They were looking for my head on a stick. My management was far more bemused than I was at the situation. What they had was multiple requests to Twitter from my laptop. I had left my Twitter client open and it was *gasp* refreshing the page. Can you imagine? How could have I been so thoughtless to permit such an attack on my watch? All sarcasm aside, this was a text book example as to why the old school flaming sword of justice infosec people should have never had the ability to fire people. There needed to be some level of institutional sobriety.

In another organization that I worked for I was dealing with a CISO that was of a similar mind to the previous example. The common refrain was “fire them” for the slightest error. This extended to staff that the CISO didn’t like. On one occasion I was instructed to fire a staffer that the CISO didn’t like. This was a person who had done a bang up job and was a high performer. I already had one foot out the door and I thought that I would make good on the threat in my own way.

I made sure that this person was no longer in their job when I left the organization before I exited. I promoted them with a fat raise. Knowing full well that the CISO did not read documents that were signed I pushed it through. Everything was said and done before I left and to see the hate bleeding from the CISO’s eyes once the realization sunk in was a triumph that I savor every day.

When I remember an information security staffer that lobbied hard for the ability to fire people, I’m warmed at the memory of the CIO saying flat out no. This attempt to gain this sort of leverage seems to stem from the minds of small minded people. There are controls in place to deal with people who violate policy. Having people with a power over people’s careers that aren’t necessarily well adjusted is an avoidable problem.

While an information security team should not have the ability to fire people, they should be an input into the process. Knowing that they are there to help facilitate the organization while keeping in secure is the real mission. To act as the secret police is a broken logic of small minded people. Thankfully, these types of despots appear to be becoming relegated to the mists of time.