This was recently posted to a mailing list I am on in response to someone inquiring about how to proceed with security in an environment that is not really open to security. I thought this was an amazingly well-written summary of what too many other IT and security people go through. I’m sure I’ll see plenty more of this in my career also, and it helps to recognize it early before spending futile years taking it personally when things don’t work out (I take my work personally). Reprinted with permission:
I was hired for Network Security by individuals it now seems really did not understand the concept. When I initially arrived, the attitude was that I would “secure” whatever project or action was taken. It took a while to get them to understand that I needed to be a proactive, included member of things from inception.
Not only do I report to a Network Ops manager, this person – who on one hand admits they have no security background – sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or obstructing progress. I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that the perception is that I alone should somehow be able to do everything, and I should be able to do everything by myself.

The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan EVERY CPU by myself. However, I was turned down when I asked for help (our helpdesk was allowed to low-priority my CPU scan tickets). And in the end, management was thoroughly displeased with how the whole incident was handled (took too long, users were upset, etc.). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. … An unwinnable situation.

The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to accommodate, even if the wishes are counter-productive, redundant or will adversely affect the network. IT does not seem to “talk” to the user community. It is almost like the goal is to allow the users to do whatever they want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.
I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a reasonable timeframe to keep up with the ever-growing needs of the environment. Things fall through the cracks, mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security conscious in the way they approach networking, security overall still takes a back seat. No one wants to tell the big bosses “no”, that some of what they want is not feasible at the moment, or that some things will be delayed because we are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology without shoring up the holes that currently exist. — Definitely, no one wants to say that mistakes were made in the past, and now we have to correct them in order to get better and move on.
Francois [ed: the original poster], I feel for you. I, too, know that not all environments have to be like what you and I have gone (are going) through. The choice for me is to leave. I hope that you will be able to make your management understand that security is not one person’s job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network security is not a destination – it is a journey.
I hope the poster finds a much better position to apply their obvious talents.