I ain’t in Kansas anymore…

June 14, 2013


Man! How the tables have turned. I’ve spent the majority of my information security career as a security assessor and consultant. That lavish lifestyle of living out of a suitcase, spending a week or two with a client, agonizing over the executive summary of a report, and then the delivery the final report. With clients, I’d perfected the art of love ‘em and leave ‘em, never staying long enough to see if anything had come from the fruits of my labor. That not knowing is what always left me unsatisfied with being a consultant which is why during my recent job hunt I chose a position that placed me on the other side of the table. It was time I gained the experience of not just telling organizations what they “should/need” to do, but having to actually get an organization to implement my security recommendations. I’ve traded my security consultant hat for a security architect loin cloth & seashell bra.


How was I to know that encrypting sensitive data at rest, prohibiting the use of shared IDs, and the separation of production from non-production environments could erupt into arguments and upper management escalations? I’m beginning to understand the difficulties InfoSec professionals in the trenches face when trying to secure the organization they are responsible for, while at the same time, needing to understand that concessions and compromises need to be made.  I’ve had to deal with trying to explain to a business unit why a solution that uses proprietary encryption to “secure” packet captures is not a good idea but then being told upper management is getting it anyway because of the tool’s capabilities. I’ve had to accept why telnet is still needed to log into network devices and that there is no budget this year to replace the offending devices. I’ve had to get used to no longer being the consultant on site that people bent over backwards for. Now I spend my time bent over while trying to dictate why “security is good”.

I’ve been at this new position for several months now and the experience has been eye opening.  I never really understood the challenges the security teams faced and often wondered, when doing an assessment, how the hell they didn’t have basic security controls in place.  I get it now! One doesn’t just receive a report from a security consultant and the findings/remediation suggestions get magically implemented.  That all the security team was missing was some direction and now that they have the report, the fog is lifted; onward and upward Tally-Ho! As a consultant, I’ve had clients say to me, “But we can’t enforce complexity for our passwords” and I’ve replied in the past, “I hear what you are saying, but you are going to have to figure it out.” Right, because getting rid of those legacy applications that are core to the business just so the password can have a “$” in it is going to happen.

What’s my point? (Wait. For.  It….) Actually I don’t have a point. I’m just acknowledging the disconnect between my experience as a consultant and now as an on staff security architect.  I by no means discount the experience I gained from being a consultant. I’ve gained experience in talking to groups and upper management. I’ve been exposed to various technologies, implementations, solutions and their use cases. But boy, I was not prepared for the myriad of obstacles that impede security teams.   With this new job, I’m going to miss the travel and new environments but this is an experience I need to gain if I ever plan on one day becoming an interim CSO.  Next…I’ll need to learn how to play corporate politics. :-/

3 Responses to “I ain’t in Kansas anymore…”

  1. ds said

    Poor guy. Sounds like you don’t have you CISO supporting you. You are fighting “buy in” battles that s/he should have fought on your behalf.

    • diami03 said

      Never said CISO didn’t fight on my behalf. Sometimes the “business” decides to accept the risk and that’s that, even against CISO’s advice. Learning to understand why, that it happens, and how to potentially work around this risk is on the learning agenda.

    • Jay said

      I’m in a similar position to the author and this is the sort of thing I might have said before I ended up in the real world 🙂

      Even with all the support in the world you can’t expect to get your way with everything in a large organization straight away, you are one priority amongst many and to think otherwise shows a lack of understanding as to how things work.

      Dealing with consultants these days I even sometimes get to see a self important me from 10 years back across the desk thinking everything and everyone should orbit around my little specialism and dance to my tune.

      I firmly believe a security consultant/auditor/tenpester needs to be blooded in this sort of role to become a well rounded sort, and maybe eat doughnuts at the desk to be really rounded too since you don’t move about as much…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: