Cool as McCumber: Lessons from the Hall Monitor

May 21, 2012
Communicating risk doesn’t require flaunting your authority

A wise person once said our work lives are simply our school-age experiences writ large.
I believe that to be true, so I find myself wondering how I ended up in the security profession. As school children, we are given opportunities to try our hand at a variety of adult pursuits — musical groups, school plays, science and language clubs, and even cleaning the blackboard erasers give kids the chance to challenge themselves and develop skills for the future.

When I was in grade school, there were two key extracurricular activities that let students experiment with a future security career: the crossing guard and the hall monitor. Of course, that was a long time ago. For all I know, grade schools today probably have a student designated as the Information Systems Security Officer for the computer lab. When I was in grade school, it was either a crossing guard position or the hall monitor gig.

I wasn’t tempted by either job. I settled for banging felt erasers for the nuns, as it allowed me a few minutes of fresh, outside air and a respite from the clammy tile-and-brick classroom walls that seemed to suffocate me. Plus, I knew that if I got one of those jobs, I would become an object of ridicule and abuse from my neighborhood peers. I learned it from watching a kid a couple years older than me named Billy.

Billy got both the crossing guard and hall monitor jobs, though not in the same semester. When he pulled on his DayGlo sash the first week of September, he must have felt the authority (and hopefully some responsibility) flow through him. He would bark orders to those of us lined up at the curb. He shouted at drivers in their Fords and Chevrolets. He waved his stop sign maniacally in order to punctuate his commands. If we tried to avoid his overweening presence, he would write us up for crossing down the block, and force us to get a tongue lashing from either Monsignor Blecke or Father Lee — whoever was available. However, a mere block away from the school/church compound, Billy lived in fear.

But Billy was nothing if not power hungry, so he was willing to risk his health for another semester. When we returned to school after our Christmas holiday began, Billy showed up at a student desk placed at the intersection of two hallways. This time, his authority flowed from a cardboard placard placed on the desk identifying him as Hallway Monitor. He had a stack of green slips he could use as “tickets” to cite students such as me for running, shouting, rough-housing, or simply being in the hallway once classes had begun. He kept a carbon copy of the citations, and more meetings with scowling priests ensued.

But Billy paid dearly for his security education. He had to skulk around the alleyways and neighborhood hangouts, always looking over his shoulder. We didn’t forget the school punishments or the far more sobering discipline we received at home when our infractions became known to our parents. The kids would take it out on Billy if he was found away from school.

That was a life lesson for me. When I had the opportunity to try out a security career in grade school, I opted to learn the oboe instead. Believe it or not, I got far less abuse for that extracurricular activity than had I tried my hand at security.

When I found myself working in the security field many years later, I felt I had learned some important lessons from Billy. I learned not to flaunt any perceived authority, as that authority was transient, tied only to a specific set of duties, and subject to the designs of my superiors — in Billy’s case, the nuns. I learned my security goal was to protect organizational assets, and that meant I needed to not make this personal, nor make it about me and my demands. It is the parent organization’s policies I am enforcing. My job is to implement, evaluate, (perhaps enforce), track and report anomalies.

I act as a risk advisor for my employer or client. It is never my job to say no — it is my job to determine the security implications of their plans, and to present in a logical and empirical format the risks they will encounter. It is up to the owner/users/operators to determine if they want to accept, mitigate, or transfer that risk, and to what degree.

If you want a frustrating and unrewarding career in security, try being Mr. or Ms. “No.” The people you are charged with supporting will avoid you, they will try to end-run your policies, and they will label you a job-stopper. Try saying, “Sure you can do it that way. Here are the risks you will be taking on…” It is better than being beat up in the alley after work or getting a wedgie in the office bathroom.

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].