Although I know the term is generally applied to politicians, I am increasingly convinced that one of the biggest challenges faced by many enterprises today is the number of “lame duck” managers filling key functions within organisations.
And before anyone gets offended, I am not saying that everyone is a “lame duck”, only that there are a number out there.
One of the definitions I found for “lame ducks” is that “lame ducks are also in the peculiar position of not facing the consequences of their actions.” And I think that there are too many IT Security officers who, quite frankly, seem to fall into this category.
Two recent examples that I have come across bear testimony to this. In one case a security officer revealed that his organisation had concluded it had written off a seven-figure sum in lost business during the previous twelve months because of system downtime caused by firewall configuration errors.
In this case the security officer has chosen to disregard these statistics because he simply does not accept them, although he has no way to prove that the organisation did not lose the business. In other words, he is not prepared to take any action because he feels the conclusion is incorrect.
In the second case a security officer is aware that his service provider is in breach of their contract regarding the reporting of changes to his company’s firewalls, and he has no idea whether or not the service provider is opening services in breach of his company’s security policy.
The latter case was particularly disturbing, since the person in question was unwilling to insist that the service provider report changes, because he knew they didn’t have the tools to do so, even though they were contractually obliged to, and he was afraid of upsetting them! Additionally, his justification for not knowing whether services were available that shouldn’t have been was that he was not totally responsible for the firewalls: it was the service provider’s job!