Cool as McCumber

Oct. 27, 2008
The Potomac Pas de Deux

I managed to get my slowly deflating tire fixed in time to be only a few minutes late for my meeting outside the DC Beltway in the pastoral countryside of Loudoun County, Va. I guess I had picked up a nail, and I was lucky to find a garage open early. I knew I would need to upset the shop manager’s planned morning schedule, but a heartfelt plea backed up with a handsome cash tip for the mechanic helped move my repair to the top of the priority list. I was able to slide into the conference room just as the door was about to close.

I was attending this august gathering of academics, government executives and consultants as an “industry expert.” I’m flattered someone within the government had assigned me this label, and wanted to look the part. I wore my “interview suit,” complete with white shirt, conservative tie and my highly polished cap-toe English dress shoes. I felt spiffy, and was eager to play my part in helping the government establish direction for this fledgling security program.

As I dropped into my seat and looked around, I began to wonder if I had made the right wardrobe decision that morning. My attire reflected perfectly the government executives hosting the event, but the academics and other “experts” were a different story. A couple guys from out west looked like they were dressed right from a Lands End catalog, one fellow from Texas had on the requisite boots and ten-gallon hat, while several looked like they had fallen down the laundry chute at home and came out wearing whatever had stuck to their bodies. I felt a bit awkward; I guess I wasn’t playing my “expert” part well.

It was to become an intriguing and intensive two days. After we spent the first day analyzing the new program’s goals and recommending strategy and policy options, the group felt it had made some real progress. Just before we adjourned for Happy Hour that day, one expert suggested we agree on the proper lexicon for our terminology to ensure we all understood and used the language of security properly in the documents. It was a sound proposal, and everyone nodded.

At this point I proposed a standard, codified set of definitions I had used for the past several years. I suggested in the interest of expediency we just pick this set and refer to it until we found a need to clarify or modify any of the terms. Simple, right? It was at this point that I was informed we would start Day 2 with a briefing from the office assigned with developing the lexicon for this particular effort. I sat in silent amazement. There was a government office assigned to develop a lexicon in parallel with our efforts of establishing the program direction? I made the mistake of blurting out, “Isn’t that like trying to paint a moving train?” In response, I received sneers from a couple guys dressed like me. Guess what job they had?

I bought a round of drinks at Happy Hour to try to make up for my impertinent remark at the end of Day 1.

Day 2 began with one of the sneerers delivering a 15-slide presentation on the process his group had established for developing a lexicon. He proudly reported it was an aggressive schedule and would produce the appropriately ratified terms to be used within 14 months. He cited more than 20 different member organizations on the lexicon working group and also stated it was to be overseen by the agency’s official lexicographer. Quizzical looks appeared around the room – especially from me and the laundry-chute guys.

Now I fully understood yesterday’s sneers. I would have been better served to just walk up and poke this guy in the eye rather than make a remark about just picking a simple set of standard definitions. The lexicon development was a huge project in itself, and innumerable meeting hours had already been expended. How was I to know that this agency had its own lexicographer? How much does that gig pay?

I found myself musing about how many more PowerPoint slides would be created to manage and report on this 14-month process when one could simply portray all the necessary terms in the lexicon in about half a dozen. I consider myself cynical, jaded and deeply experienced in government machinations; however, even I was stunned to learn that developing a security-related lexicon was going to require more than a year’s effort and entail a documented process, dozens of meetings, status reports and require the services of an official government lexicographer. At least they weren’t going to wait for the results of this group’s activities to start on the major focus of the security initiative.

I don’t know if this group will invite me back as an “expert.” I may have poisoned that well. But at least I’ll know how to dress if they do — I’m jumping down the laundry chute.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].