FRAMINGHAM (10/10/2003) - At 10 a.m., the boss called the entire IT security team into a meeting room, but without the line manager. He said that the line manager had been sacked.
There had been no warning, just an empty desk when the team came in that morning. The situation got worse when the boss informed everyone that a new line manager had been selected and would be starting tomorrow. A manager they hadn't even met and hadn't been involved in hiring? This didn't look good.
That scenario wasn't presented to me, however. I am the new line manager. I've changed jobs and been dropped into a shocked and surprised security group. I'm now at a much larger global finance organization. It's a step up for me, so I am very happy, but I worried a little at first about how the team would react.
It was a shame to say goodbye to my old place, but I'd been there for many years and was starting to get stuck in a rut. So I've jumped for a new challenge.
Far From Perfect
I spent my first week getting to know everyone in the department, which has had six managers in the past few years. I don't know why there has been such high turnover, but poor morale and a lack of strategy might explain it.
I'd heard that things were far from perfect before I arrived, but I'm confident that I can make a difference.
I wonder if my predecessors said the same thing?
My getting-acquainted period ended abruptly on Day 2, when we had a virus outbreak. A virus that spread between computers on our network had affected some development systems. It was shocking to see the limited tools that my new staff had at their disposal. Nonetheless, they knew what they were doing and dealt with the incident effectively using what they had.
To find infected machines, they had to scan computers for the changes that the virus made and then disconnect those systems from the network. They had no way of detecting the virus' attempts to spread, so by the time they found each infected machine -- a 30-minute process -- the virus had often infected others.
Their efforts kept the virus from exploding onto hundreds of systems, but they could have cleaned it up faster if tools were available to detect and report infection attempts. I'll be working hard to get the staff those tools.
My most important task will be to lift the staff's sights from the next urgent interruption to a longer-term view so they can build an approach that defends against future threats.
That means I must free up their time by clearing away tasks the staff now does every day that add no value. For example, every time a staff member requests access to a blocked Web site, we must approve it. The requests are always urgent and interrupt whatever we're doing, but most are for the same kind of things. I'm trying to set up a process where those requests are routed to the IT support group and we just review the decisions once a month.
The biggest change for me is that I now manage a global security team. I have people in Europe, the U.S. and the Asia-Pacific region. I'll be racking up frequent flier miles and learning about cultural differences. And we'll fly everyone in for an annual meeting, where we hope to resolve the security team's most enticing debate: where in the world one can find the best curry.
It is shocking how global security teams can operate unstructured in huge companies. In our first videoconference team meetings (held very early to accommodate every time zone), I asked some very simple questions. What do we do? Why do we do it? What should we do next? What is the difference between us and the auditing department? I'd expected the staff to point me at a strategy document or at least to tell me their strategy, but none exists.
They also have no technical architecture target and no documentation of what they do now. If you don't know where you are now and you don't know where you want to be, the only way you end up making the right decisions is if you're very lucky. It also is very hard to convince regulators, auditors or senior management that you are doing the right things, or to explain why the next tool or service is required if it doesn't fit into an overall plan.
I suppose I should be grateful that I can deliver a few quick wins by putting these plans in place, but it's a little disturbing that we appear to be running without them. I'm carefully not asking too much about my predecessor's work, since I don't want to linger on the past. But I do wonder why a plan hadn't been thought out and documented.
I was also thrown off by the company culture. Everyone works hard, but they also know how to let their hair down. The boss took us out to a welcome lunch and had to rush back to the office before the bill arrived. He happily just gave me his credit card and told me to sign on his behalf when the bill came. I was a little nervous that I might be committing credit card fraud, but I certainly didn't want to question my boss. Fortunately, the restaurant gladly accepted my signature.
So far, I seem to be winning the respect of the team. I've been here three weeks and other groups have already remarked on the improvement in the group's morale. I must be doing some things right -- or at least doing them wrong in a different way from the last fellow. What do you think?
This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal.