Last night as my evening was winding down I was thinking of new blog topics and it occurred to me that I haven’t evangelized about my work lately. It’s been so long since I’ve been excited about the actual work of my career that my topics of late have been about travel and the wacky water saving measures here in San Jose.
I also wonder if you know exactly what I do. Sometimes I feel like Chandler Bing from Friends, in that no one has any idea what I do. I’m an Information Security Risk Manager. A Secur-a-What?
I’m going to break it down. All companies have data. They have information about sales figures, inventory, their customers, their employees, accounting information, bills they owe, who owes them; they have databases that contain the history of transactions; they have performance data for their super special systems (in a utility it is the flow of energy, in a bank it is the volume of transactions, at an internet company it is the number of times someone buys from them or clicks on a link). For the most part everything a company does is somehow recorded or reported on computer systems.
All this data lives on servers and is moved around the company via email, computer systems and, yes, sometimes even in paper form (although not so much anymore). Heck, no one even has files at their desk anymore. We have little drawers that hold our half bags of M&M’s and the pens we’ve collected from conferences, but folders of paper… not so much.
Information Security programs are in place at most if not all companies to ensure that this data is protected properly. (Data management is a different profession, and I think it is all about where to store the data, how it will be named and other important things that I can’t be bothered to understand.) Information Security focuses on limiting access to only the right people and the right systems, and on making sure that when data needs to move from the database to the front-end application it stays protected along the way.
There are multiple ‘domains’ in the field of information security. There are people who focus on Access – the right people getting access to the right stuff – and people who focus on Architecture – making sure the networks and the physical computer equipment are designed and connected securely. Other domains include Investigations, Encryption, Disaster Recovery, System Security and Management.
My exact work focuses on a hybrid of system security and management. I work on developing the policies (rules) around how a server will be configured to best keep unwanted people out. In the real world, I would be the one telling car companies that they have to put locks on the doors. Locks may make it harder to get into the car, but people are always happy to find that no one else has been in their car while they were out.
So, I help make the rules. Most technology people think the policy makers are rule happy, and there are plenty of people who do what I do who don’t understand that, while locks are a great idea, locks don’t make sense on a go-cart. Sometimes a rule shouldn’t apply, or it is too restrictive to let the business get its work done.
The other half of my job is helping people who find themselves in a situation where they are faced with a rule they can’t follow. I have the task of investigating what it is they really can’t do, figuring out whether it is really true that they can’t (maybe they just don’t want to), and then either working out a way for them to do what they need to by layering on other rules (e.g. no lock on the go-cart, but it is stored in a locked garage when not in use) or helping them defend not applying the rule at all. For example, if the lock for the car costs a million dollars but the car is only worth five dollars, it doesn’t make any sense to lock it up. Conversely, I also help them understand why they may not be able to skip following a rule. Maybe the lock costs a million and the car is only worth $5, but the car carries all the information about the entire customer base, and the cost of losing that information equals the entire value of the company. What matters is not the sticker price of the asset but what it would cost the business if it were lost or exposed. Yes, it may take time and money to lock the car, but you can’t accept the risk of bringing down the company.
Gosh, that’s a lot of car metaphor for one morning.
I do a lot of talking and investigating. I am not a technologist; I understand the technology landscape, but I freely admit that most people in IT know more about how these systems work than I ever will. Each rule exception that I get involved in is a learning opportunity. I don’t pretend to be the expert in any area; I bring the right people to the table, and after a while I can speak on a topic with an authoritative tone.
I have to dabble in all the security domains in order to support the policy and exceptions world that I work in. This is great because I can sit and have a beer with all the folks and know what the heck they are talking about, but I can’t claim to be an expert in any area. (I’d be a great manager; I can talk about it, but I can’t actually DO it.)
So… does that help? Or did I lose you at Secur-a-what?