Although I know the term is generally applied to politicians, I am increasingly convinced that one of the biggest challenges faced by many enterprises today are the number of “lame duck” managers filling key functions within organisations.
And before anyone gets offended, I am not saying that everyone is a “lame duck” only that there are a number out there.
One of the definitions I found for “lame ducks” is that “lame ducks are also in the peculiar position of not facing the consequences of their actions.” And I think that there are too many IT Security officers who quite frankly seem to fall into this category.
Two recent examples that I have come across bear testimony to this. In one case a security officer revealed that his organisation had concluded that they had written off a seven figure sum in lost business during the previous twelve months due to system downtime related to firewall configuration errors.
In this case the security officer has chosen to disregard these statistics because he simply does not accept them although he has no ability to prove that the organisation did not lose the business. In other words he is not prepared to take any action because he feels the conclusion is not correct.
In the second case a security officer is aware that his service provider is in breach of their contract related to reporting changes to his company’s firewalls, and he has no idea whether or not the service provider is opening services in breach of his company’s security policy.
The latter case was particularly disturbing since the person in question was unwilling to insist that the service provider report changes since he knew they didn’t have the tools to do this, even although they were contractually obliged to do so, as he was afraid of upsetting them! Additionally his justification for not knowing if services were available that shouldn’t have been was that he was not totally responsible for the firewalls – It was the service provider’s job!
The challenge we all face in these difficult times is having the courage and conviction to carry on doing our work to the best of our ability.
A Security Officer has a duty and a responsibility to his organisation to ensure that all reasonable effort is made to ensure that the IT infrastructure and the precious and sensitive information are protected according to the Information Security Policy. Additionally they have the responsibility to ensure that risk is mitigated so that it will not impact the business.
An important task for a Security officer is to manage risk and deal with it before it becomes a problem. Risk is not a problem, but failure to deal with risk is a problem and when it becomes a problem it is too late.
So the loss of revenue due to a risk that was identified but not dealt with is a problem, or the network breach that results in data loss due to the risk not being dealt with is a problem. The fear of many Security officers however is that if they go asking for funding in today’s climate they risk not having a job. In other words keep your mouth shut and hope it doesn’t happen!
Off course crying wolf every five minutes is also not the solution and simply jumping on every technology bandwagon that comes along is not the sign of an effective security officer. Managing risk must have clear objectives.
NASA have developed what they refer to as a Continuous Risk Management Process for IT where they define Risk Management as a process that involves “identifying, analysing, planning, tracking, controlling, documenting, and communicating risks effectively.”
This is an approach that each security officer should consider adopting. It is much more effective than “identify and hope it doesn’t happen” because as NASA also put it they are trying to avoid “the combination of the probability that a project or other enterprise will experience an undesired event with unacceptable consequences, impact, or severity.
Or as Murphy puts it “Anything that can go wrong will go wrong.” And by the way the literal meaning of the “lame duck” is “a duck which is unable to keep up with its flock, making it a target for predators.” And a “lame duck” security officer can make your organisation a sitting duck!
Calum Macleod, is regional manager, Tufin Technologies