Security Technology Executive

NOV-DEC 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/618378


COOL AS MCCUMBER

Making the Grade

By John McCumber

As a graduate school faculty member, I always had one hard and fast rule: no one was allowed to change their grade after the final was administered. I even had that specific rule cited on each and every syllabus I ever created. Now that may sound wholly logical, but you would be surprised how often it was challenged, and even the number of times it got me, as the instructor, into trouble.

I have been dragged before department chairs, deans, and even a college president for not allowing students to shift their grades after the final. Most complainants were not those who simply failed the class; they were primarily adult students who received a B or C grade when they assumed an A was merited.

I always used formal criteria for grading final examinations. In that way, I could calmly point out errors, mistakes and omissions to justify the grade given. That rarely mattered. Students would angrily rant about injustice while others would whine about family, work, and various life problems that affected their performance.

I would do everything within my power to help students understand the material during the semester, but after final grades were posted, I wasn't going to teach the course again (without compensation) or assign and grade extra credit projects. The course was over. Sadly, this old-school philosophy of mine caused me much grief for many years.

I learned that people take grades seriously, even when they don't really matter. Take the grades the government hands out to agencies and departments for their cybersecurity programs. A voluminous federal mandate requires agencies to submit reports on their program that are evaluated by a central agency. Then, an A through F school-type grade is assigned. These grades then form the basis for inter- and intra-agency wrangling, arguing, and finger-pointing.

There have also been several government and industry guidelines for a security program's maturity ratings. Most of these initiatives outline between five and twelve elements of a security program, and then provide a numerical rating based on the maturity and efficacy of each aspect of the program. I have been involved with several such maturity reviews, and have been bemused with how incensed and defensive managers and decision-makers become when confronted with a simple one to five rating.

It's amazing how many people treat a security program maturity rating like a bad grade school report card. I have sat through countless meetings where these ratings have been hotly debated among the raters and 'ratees'. Even when the rating is presented with the objective rating criteria, many security leaders want to argue how the numbers were assigned rather than understand how to use these maturity ratings to validate and improve their security posture.

My guess is that it's how we've been conditioned to approach grading from earliest childhood. We need to find a better method to evaluate security, because we are currently not making the grade.

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.

EDITORIAL
Group Publisher: Nancy Levenson-Brokamp, 800.547.7377 ext. 2702, nbrokamp@southcomm.com
Editorial Director/Editor-in-Chief: Steve Lasky, 800.547.7377 ext. 2221, slasky@southcomm.com

CONTRIBUTING EDITORS
David G. Aggleton, CPP
Kevin Beaver, CISSP
Ray Bernard, PSP, CHS-III
Ray Coulombe
Robert Lang, CPP
John R. McCumber
Robert Pearson, CPP
George Campbell

EDITORIAL ADVISORY BOARD
Christopher B. Berry, CPP, VP Global Security & Safety, Henry Schein Inc.
George Campbell, Emeritus Faculty Advisor, Security Executive Council
Eric W. Cowperthwaite, CSO, Providence Health & Services
Elizabeth Lancaster Carver, Member Services and Projects Manager, Security Executive Council
Richard L. Duncan, CPP, Dir. Security, Hartsfield-Jackson Atlanta Int'l Airport
John B. Leavey, Director of Corporate Security, AIG
Karl Perman, Director of Security, North American Transmission Forum

Art Director: Bruce Zedler
Production Manager: Jane Pothlanski, 800-547-7377 ext. 6296, jpothlanski@southcomm.com
Audience Development Manager: Sue Hanson

SUBSCRIPTIONS CUSTOMER SERVICE
Toll-Free (877) 382-9187; Local (847) 559-7598; Fax (800) 543-5055
Email: Circ.SecTechExec@omeda.com

SALES CONTACTS
Midwest Sales: Brian Lowy, 800.547.7377 ext. 2724, brlowy@southcomm.com
West Coast Sales: Bobbie Ferraro, 310.545.1811, bferraro@southcomm.com
East Coast Sales: Janice Welch, 800.547.7377 ext. 6288, jwelch@southcomm.com
Display Sales: Kristy Dziukala, 800.547.7377 ext. 1324, kdzlukala@southcomm.com

LIST RENTAL
Elizabeth Jackson, 847-492-1350 x18, ejackson@meritdirect.com

SOUTHCOMM REPRINT SERVICES
To purchase article reprints please contact Brett Petillo at Wright's Media, 1-877-652-5295 x118, or e-mail bpetillo@wrightsmedia.com

SECURITYINFOWATCH.COM
Group Publisher: Nancy Levenson-Brokamp, 800.547.7377 ext. 2702, nbrokamp@southcomm.com
Managing Editor: Joel Griffin, 800.547.7377 ext. 2228, jgriffin@southcomm.com

SOUTHCOMM BUSINESS MEDIA
CEO, Chris Ferrell
CFO, Ed Tearman
COO, Blair Johnson
EVP Public Safety & Security, Scott Bieda
VP Events - Public Safety & Security, Ed Nichols
VP Production Operations, Curt Pordes
VP Technology, Eric Kammerzelt

Published by Southcomm Business Media, Inc.
www.SecurityInfoWatch.com
PO Box 803, 1233 Janesville Ave., Fort Atkinson WI 53538
920-563-6388; 800-547-7377
