Issue link: https://securitytechnologyexecutive.epubxp.com/i/870734
66 SECURIT Y TECHNOLOGY E XECUTIVE • September/October 2017 • www. SecurityInfoWatch.com COOL AS McCUMBER By John Mccumber John McCumber is a securit y and risk professional, and author of "Assessing and Managing Securit y Risk in IT Systems: A Struct ured Methodology," from A uerbach Publications. If you have a comment or question for him, e-mail Cool _ as _ McCumber@ cygnusb2b.com. On Leaving the Profession M y old friend Earl called me a couple months ago and invited me for a coffee at his regular purveyor of caffeine. When I showed up, I could see he had already been there for some time judging by the coffee stains on the table and the crumpled napkins and breakfast sandwich wrapper. "Hope I'm not too late," I quipped. "No, you're on time, "he replied. "I was awake anyway, so I came earlier. Did you see where Dave passed away last week?" "Yeah, I did. It's sad. His wife is devastated. I sent her a note and made a donation to the charity he always supported," I said. We sat in silence for a few minutes, lost in thought. Finally, Earl quietly said, "I think it's time for me to get out." " What do you mean get out? " I asked. " I assumed you love your job," "I do," he said, "but it's looking like it's time to turn this gig over to the new generation." Obviously, Earl was in a pensive mood, and we again slipped into silence. When he began to speak again, his heart poured forth its contents. All of it had obviously been weighing heavily on him. He recited the litany of industry leaders who had recently died or had been hos- pitalized. He said he really liked the information secu- rity business, but he didn't want to be carted off a Delta flight feet first while commuting to another client site. As we continued with this melancholy dialogue, we came to the end of the list of our departed colleagues, and then reminisced about the changes we had wit- nessed. While technology has changed rapidly, there are a remarkable number of constants. First and foremost was that functionality always trumps security. I recalled how I was involved in a certification effort for Windows NT 3.51. Before our group could finish the lengthy and detailed security review, government agencies were lash- ing up networks everywhere to interconnect systems first locally, then globally. Our team was disbanded and sent out into the field to see what we could do to bolt-on security after-the-fact. Earl lamented he was still typing up observations he had been making for two decades. He noted how most organizations still didn't maintain accurate data clas- sification guides or use data discovery tools to locate and identify their sensitive information resources. Although leading edge activities in information secu- rity have moved to 24x7 security operations centers and dynamic threat intelligence, victims of malfeasant cyber actors are getting bit by unpatched systems, legacy components, default passwords, phishing , and social engineering: none of it really high-tech. Basic computing hygiene would prevent a large number of embarrassing incidents and expensive clean-up activities. We followed this line of thought for another half hour. During the course of our meeting, we were able to recall humorous anecdotes from our early careers and share bittersweet recollections of those who are no longer here with us. It was cathartic. "You know," Earl said, "I see all kinds of articles, blogs, and posts about how one can break into the information security business. There is usually a lot of good advice out there. But one subject I have yet to see addressed: how do you know when it's time to walk away, and how do you do it?" Do you just quit and update your Linke- dIn profile to say you're retired?" I shrugged. I was at a loss for a reply. This morning I again thought of Earl, so I checked on his LinkedIn profile. It listed his most recent job as "Retired". His profile picture had changed to a smiling older man with a graying beard and a Hawaiian shirt. Godspeed, Earl. Request information: www.SecurityInfoWatch.com/10300750 WE CONNECT WHY JOIN SECURITY PROFESSIONALS The security industry's largest database for consultants, A&E;'s, manufacturers and integrators. Consultants and Engineers Enhance your visibility, search products, find integrators, and access valuable design resources. Integrators, Owners and End-Users Find projects and consultants in your area, and gain insight into the capabiliঞes of firms and individuals. Manufacturers Promote and feature your soluঞons, search the extensive database, and reach security consultants. www.securityspecifiers.com