Man! How the tables have turned. I’ve spent the majority of my information security career as a security assessor and consultant. That lavish lifestyle of living out of a suitcase, spending a week or two with a client, agonizing over the executive summary of a report, and then delivering the final report. With clients, I’d perfected the art of love ‘em and leave ‘em, never staying long enough to see if anything had come from the fruits of my labor. That not knowing is what always left me unsatisfied with being a consultant, which is why during my recent job hunt I chose a position that placed me on the other side of the table. It was time I gained the experience of not just telling organizations what they “should/need” to do, but having to actually get an organization to implement my security recommendations. I’ve traded my security consultant hat for a security architect loin cloth & seashell bra.


How was I to know that encrypting sensitive data at rest, prohibiting the use of shared IDs, and the separation of production from non-production environments could erupt into arguments and upper management escalations? I’m beginning to understand the difficulties InfoSec professionals in the trenches face when trying to secure the organization they are responsible for, while at the same time needing to understand that concessions and compromises have to be made. I’ve had to explain to a business unit why a solution that uses proprietary encryption to “secure” packet captures is not a good idea, only to be told that upper management is getting it anyway because of the tool’s capabilities. I’ve had to accept why telnet is still needed to log into network devices and that there is no budget this year to replace the offending devices. I’ve had to get used to no longer being the consultant on site that people bent over backwards for. Now I spend my time bent over while trying to dictate why “security is good”.

I’ve been at this new position for several months now and the experience has been eye opening. I never really understood the challenges the security teams faced and often wondered, when doing an assessment, how the hell they didn’t have basic security controls in place. I get it now! One doesn’t just receive a report from a security consultant and the findings/remediation suggestions get magically implemented. As if all the security team was missing was some direction, and now that they have the report, the fog is lifted; onward and upward, tally-ho! As a consultant, I’ve had clients say to me, “But we can’t enforce complexity for our passwords,” and I’ve replied in the past, “I hear what you are saying, but you are going to have to figure it out.” Right, because getting rid of those legacy applications that are core to the business just so the password can have a “$” in it is going to happen.

What’s my point? (Wait. For. It….) Actually, I don’t have a point. I’m just acknowledging the disconnect between my experience as a consultant and now as an on-staff security architect. I by no means discount the experience I gained from being a consultant. I’ve gained experience in talking to groups and upper management. I’ve been exposed to various technologies, implementations, solutions and their use cases. But boy, I was not prepared for the myriad of obstacles that impede security teams. With this new job, I’m going to miss the travel and new environments, but this is an experience I need to gain if I ever plan on one day becoming an interim CSO. Next… I’ll need to learn how to play corporate politics. :-/