Security Technology Executive

MAY-JUN 2016

Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996

COOL AS MCCUMBER
By John McCumber

What's the Problem?

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.

Many years ago, my budding career as a consultant was deeply influenced by a lighthearted book by Gerald Weinberg: The Secrets of Consulting. Mr. Weinberg was consulting in the rapidly expanding field of information technology of the 1970s. His humorous advice still instructs me today. In his opening chapter, he outlines three basic rules of consulting:

• No matter what the client tells you, there's a problem; that's why you're there.
• No matter what the client tells you, it's not a technology problem, but a people problem.
• Remember you are being paid by the hour, not the solution.

I don't think a week goes by where I don't reflect on these key fundamentals. They are only the opening salvo in a small book packed with sage advice, but they are always front of mind when I begin a new engagement.

During our recent engagement opening meeting, I chuckled to myself as the CIO for the organization welcomed me and my team by saying there weren't really any problems in security; they just wanted a check-up with some pointers for improving their program. He went on to list the numerous investments they had recently made in security technology and how they were going to provide a dramatic improvement in their security posture.

Soon after, we began our on-site work. After two weeks of digging and debating, we bade farewell and left to write up our findings. We discussed how surprised we were to learn the infrastructure shop couldn't provide any current network diagrams nor plans for proposed upgrades and changes. When we asked for a recent inventory of organizational IT assets, they simply shrugged and said none existed. On it went. Configuration management? Limited. Change control processes? Ad hoc.

When we presented our draft findings, we had a follow-on meeting with the CIO. He explained he had been asking for network diagrams and inventories for over two years. Let that sink in: he has been waiting for TWO YEARS for answers to his requests. Suddenly, the sweep and majesty of Weinberg's wisdom blossomed right in front of me. All the recommendations we could make would not provide any demonstrable benefit for this client if they couldn't resolve the people problems that negatively impacted their basic information technology hygiene.

When we were initially told there wasn't a problem, we would ultimately find not only was there a problem, but a very large one. In addition, it wasn't specifically a technical problem, but a complete disconnect between the CIO and his managers: a serious personnel issue. In the end, we knew we weren't going to be able to patch these foundational problems with security recommendations. Fortunately, we were being paid by the hour.

As security professionals, whether consulting or working within an organization, it's our responsibility to dig deep to uncover the underlying factors that can impact our risk management program. It's so often a people problem, and in the end, we are being paid by the hour, and the solution isn't always our choice. We are the advisors. ■

Published by Southcomm Business Media, Inc., PO Box 803, 1233 Janesville Ave., Fort Atkinson WI 53538. www.SecurityInfoWatch.com
