We in computer security are the red-headed stepchildren of IT. The result of our job is a zero-sum game. If we do our job right, nothing happens. Costs don’t go down, sales don’t go up. It’s hard to justify our benefit to the bottom line unless you’ve had a breach and realize the true costs of bad security. Just ask retailer TJ Maxx if they understand the value of Infosec. They had a very public breach last year that caused the release of some 45 million customer credit cards. The costs have soared to over 100 million dollars, and that doesn’t include the likely payout of a huge class action lawsuit. The company will be lucky to survive this debacle. Of course, costs are averaged over a whole industry, just like insurance, so it’s unlikely (but not impossible) that you would have to endure these kinds of costs. Good Infosec is like good insurance or border security. We stand eternal guard against the unlikely but unthinkable.
Of course, as my partner noted in the previous blog, in regulated industries like banking, Infosec is a fact of life. It’s as central to your charter as keeping enough in reserves to cover your deposits. And most larger companies and e-business concerns take e-security seriously.
But mostly, like Rodney Dangerfield, we get no respect.
We are the rule makers, and no one likes the rule makers. Our job is to be the jerk, the SOB who won’t let you do your job the way you want to do it. And in this day and age, you can’t tell anyone not to do anything a certain way, even if it’s for their own good. Everyone wants to do their own thing.
We Infosec types hark back to an age when the workplace had real rules. You dressed a certain way, you did your work a certain way, and individuality was not a trait that got you ahead. Of course we have lots of rules these days, but they are mostly related to stuff that just doesn’t matter. Like don’t make dirty jokes (at least not in mixed company), don’t hoard your vacation (god forbid someone wants to save up for a month-long vacation by not taking any for a year or so), don’t smoke, and so forth. The workplace has become long on useless rules and short on meaningful rules, which breeds disrespect for any rules for any reason. Women and men wear whatever they pull out of their dirty clothes hamper (or underwear drawer), slap on some shower shoes loosely disguised as sandals, come to work, and surf Victoria’s Secret (perhaps for more work attire) or “Guns and Ammo” or whatever pops into their head that day.
We in Infosec have some rules for you. One of the few benefits of being an Infosec guy is that you get to enforce the rules all the way across the spectrum, no matter anyone’s rank or title. We have to go after the boss just as hard as the rank-and-file guy. We have rules, and you had best follow them. Or your application won’t run, your mail won’t go through, or, if you are peeking at the wrong stuff, you could end up in the unemployment line. So if you don’t want to follow the rules, just stay home. You can dress any way you want there.
These days, many security companies try to be the kinder, gentler Infosec guys in order to sell the rank and file, the unwashed masses, on why we should exist. I say let’s unabashedly do our job. I say how about just following the rules. We don’t particularly like users, and let’s just admit it. They mess up our nice neat firewalls with exceptions and rules, and they figure out ways to get around our restrictions. We aren’t here to be your friend or your mother; we are here to protect the company and its info-assets. It’s a non-stop, thankless job, but somebody has to do it or there is the chance that you won’t have a job tomorrow (e.g. TJ Maxx employees). Of course, without users we’d be out of a job. So, on second thought, keep it up, guys! Good work!