Retirement means I have been able to resume the pursuit of the most annoying personal sport ever: golf. What makes golf so annoying? Your opponent. If you play tennis or pickleball, the person on the other side of the net may be inexperienced or just having a bad day. In that case, you may come out the big winner irrespective of your personal skills. But in golf, your opponent is the golf course, and it’s always perfect and unyielding. Your biggest obstacle to success is you.
My wife and I had taken up the sport a couple of decades ago, but our respective careers and my back surgeries put golf on pause for many years. We have now moved to a community where nearly everyone golfs. A lot. We have dozens of executive courses we can play for free. We even own our own golf cart. So, I dusted off the set of Titleist forged blades I had bought over 20 years ago and started swinging. The results were disastrous.
I decided I needed to take a lesson or two. My instructor advised me to first shed the rusty clubs in my bag and get properly fitted. Now, armed with a new set of clubs more attuned to my age and skill level, I set out to improve my game. The instructor asked what my goal for golf would be. I quickly responded, “I want the guys I play with to be comfortable enough to trash-talk me. I can tell they like to tease and needle their golf partners, but I play so poorly, they bite their tongues instead, knowing to do so makes them guilty of verbal abuse.” He laughed and responded, “I know exactly what you are asking, and we can reach that enviable goal.”
So, now I am getting better and feel more comfortable playing with various foursomes. I have also learned that golf is very much like security consulting. As an outsider, you can look at someone else’s game and can often quickly see what they are doing wrong - even if you aren’t the world-renowned thought leader and expert you claim on your LinkedIn profile.
When I am golfing, even with far superior golfers, I can still see how a rushed swing or poor stance results in an errant ball flight. I am certainly not good enough to give anyone advice, yet I watch closely as they approach the ball and go through their personal ritual of preparing to strike it. Some take a couple of practice swings. Others put the club face near the ball and bob the club head up and down until they feel they can make solid contact. When they fail to do so, the reasons are often obvious, even to a casual observer like me.
So, it is with our profession. I have always advocated for security leaders to be cast in an advisory role: either as a paid consultant or in another position outside the personnel machinations of the organization in question. The primary reason is that vantage points make it easier to see what needs fixing.
Even if you are appointed a Chief Information Security Officer, you are likely not considered a C-suite executive in spite of the lofty title. You’re the Chief Security Person. You are also the Chief Security Scapegoat. You are still subject to the pressures of the front office and likely under the thumb of a powerful IT leader. You all report to the HR department. You are often tied to the budget of another department like IT. You are just another cog in the corporate wheel subject to the spinning and bumps thereof.
It’s far easier to make critical insights and espouse uncomfortable truths as an outsider. A good security program requires an unblinking eye on the people, policies, procedures, and technology of an organization. Standing back in the tee box and watching your golf partner as a disinterested third party clears your vision and makes your observations that much more effective. Trying to correct your own swing is far more difficult.
John McCumber is a seasoned cybersecurity executive with over 25 years of progressive experience in information assurance and cybersecurity operations, acquisition, management, and product development. Expertise in corporate security policy development and implementation of security in information technology design. Recent experience working with Congress on cybersecurity legislation and professional advocacy. He is a long-time columnist with Security Technology Executive magazine and a contributing writer at Ordinary Times. John is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff as an Information Warfare Officer during the Persian Gulf War.
