I work for a growing company that is still figuring out a lot of business processes, so my role as security manager continues to evolve.
When I started here, we didn't have a very big IT department. Everybody did a little bit of everything, and there wasn't a lot of specialization or departmental hierarchy. So when it came to rolling out security technologies and processes, I was the one who did the work. I established a lot of the early elements of my security program personally, such as security policies, security awareness training, the patching process, antivirus, network intrusion detection and firewall lockdown. This was a lot of fun, especially since I had been working for larger companies in the recent past, where everything was highly specialized and opportunities for hands-on work were slim.
About a year ago, our IT organisation started to add levels of management. We had managers, senior managers, directors and up. In this new world, the idea of the security team building and installing technologies wasn't as palatable. Some of our leadership, including our server, network and desktop managers, wanted security to take more of a governance role. Instead of rolling out technologies, I would specify requirements and let them figure out how to comply with them. That's a common model for a security organisation, and I was open to trying it out.
The problem is that the work hasn't been getting done nearly as efficiently in the new model. For the past few quarters, I've been specifying security requirements for really important things like malware control, data protection, file sharing and collaboration, and encryption. But the IT teams who agreed to do the implementations haven't delivered. My projects are stalled, or creeping along with minimal progress. I often get asked, "What did you want me to do again?" I feel like I keep repeating myself, and the answer is simple -- just roll out these security products! I've already done all the analysis, product selection, negotiation and purchasing. I need them to perform the deployment.
So this week, I sat down with the other managers for a discussion about this. I want to take back control of my projects, so I can be sure they get done. This idea isn't going over very well. The server, network and desktop managers all say the same thing -- we've been really busy, but we'll get to your stuff soon. They agree that security is really important. But I'm not convinced anything is going to change. So I'm taking back a couple of my most important projects to ensure they will get done. I'll give the other teams another quarter to show that they can move things forward, but at this point I'm thinking nobody is going to treat my priorities as highly as I do.
After all, if you want something done, you have to do it yourself.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. He can be contacted at firstname.lastname@example.org.