My buddy Fred is a great security professional. Back in the early 1980s, he started out his career in law enforcement. He then started attending night school for his BS in information technology. After graduation, he was able to quickly transition into the IT security field by combining the training and insights he received in law enforcement with the IT skills he had acquired in college. Here was the happy confluence of two divergent skill sets forming the nexus of a new career at the dawn of the Internet Age. There was no specialized IT security program at the time, and Fred found his niche leveraging all his experience.
Fred is now a seasoned and well-respected colleague. I often seek him out for his sage advice and insights from years of experience. Often, we run into each other at conferences or events of mutual interest. Last month was one of those happy coincidences. As we talked over coffee, I asked about a public sector security chief we both knew who was having some serious problems. These problems didn't stem from attacks on his networks, purloined laptops or insiders trying to steal data. "Chuck's" issues arose from coworkers and others in his agency. He was being taken to the agency woodshed for his perceived overzealous enforcement of organizational security policies.
Fred chuckled recalling our mutual acquaintance. "He was always a law-and-order type of guy," Fred said laconically.
"Sure, but Chuck has a very similar background to yours," I said. "He's a former LEO. Does that influence how vigorously someone pursues their duties? Does that make you and Chuck different than a security person with solely an IT background?"
"It's not about vigor, or how much stock you put in the organization's security policies," Fred said. "Chuck's problem is that he doesn't make good use of surrogates and intermediaries."
"Surrogates?" I asked surprised by his response. "Which surrogates? And what intermediaries?"
Fred laughed, "Have you ever tried debating with the police while they are writing you a ticket? Has a state trooper ever mentioned that you should simply tell it to the judge? He's invoking his surrogate in his enforcement duties."
That's how I learned about the important function of surrogates and intermediaries for not only cops, but all security practitioners as well. I found I had been employing surrogates, but hadn't thought of using that specific terminology.
Surrogates play a vital role when you are responsible for security. Surrogates and intermediaries take many forms in our profession. Specifically, surrogates are those entities that substitute for your enforcement responsibilities. Intermediaries are those authority functions that actually manage policy violators, and separate you from the actual dirty business of dealing with miscreants, scofflaws, or the lazy and inept. It certainly makes your life much easier.
In most organizations, you can employ the Human Resources department or management team to function as your enforcement surrogate. When you pinpoint a violation to a specific individual, you can report your findings through the appropriate management chain. Perhaps it is a simple matter of informing the individual of his or her errors, or it may require a security team to escort someone out of the building. In either case, the security practitioner's role is limited to fact finding and reporting. Your surrogate takes care of everything from there.
You play the role of a policeman who records the facts of a crime. In the case of civilian law enforcement, the district attorney and legal system take over after the facts are gathered. The police may need to provide more evidence or even testify in court, but the job ends there. The police then return to their "to protect and to serve" gig.
"Chuck's problem," continued Fred, "is that he likes to play more of a role than that of a cyber-policeman. He gets involved in personnel matters, and makes demands such as how management should handle violations. I even saw him go to bat to get several people fired. By refusing to invoke his surrogates, Fred fights too many unnecessary battles, and makes too many enemies within his organization. It's also not good for his stress levels."
Using surrogates makes for good security practice. It provides a neutral no-man's-land between you and thorny personnel issues. In fact, you can even use surrogates in your personal life to make many issues more tolerable. Instead of fighting directly with a neighbor over a fence, for instance, use your homeowner's association to act as an intermediary to adjudicate the problem. If you don't have one, consider using the city manager's office, or even the local legal system.
Surrogates and intermediaries can go a long way to make you a more effective security practitioner, and can provide you peace of mind at home as well. Help eliminate stress from your job, and don't fight unnecessary battles. Let someone else take on that role.
I heard from Fred last week. He told me Chuck called him asking about potential job openings in other organizations.
John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.