Mr Andy IT Guy has posted a great article about his recent unsatisfying experiences as a security guy and subsequent positive move onward!
I can’t say I fully agree when he says that security needs to be separate from IT and so on about the political structure of an organization. However, I don’t know exactly what the right answer should be, and suspect that it differs depending on the corporate/mgmt culture. I believe in an audit (test, QA, etc.) function that does checks. I believe in a group that has the same access to the business and infrastructure as the IT teams (monitoring, investigative, SOC/NOC, etc.), but only doing security tasks (and not waiting for IT to get a span port right for the security tools to work). I believe in baking security knowledge and practice into the IT roles themselves. Sadly, all of that often lives in an ideal world. Ideally, I believe there are many security professionals of such a high degree of integrity that if you made them roughly gods in the company, they would properly secure the shit out of it without all the political BS.
And, too often, I think some organizations just have no desire whatsoever to do security. They just don’t want to do the shit and they don’t want to do the shit right. Sadly, that also will be a reality and hopefully we don’t have too many truly gifted, hard-working, positive security geeks tied up in such organizations for too long. (Maybe this is why ‘security consultants’ are such a rising deal. Organizations don’t want security, but they want some quick answers…)
I really love the mention at the end that often we security geeks get worn down. This is true. We get worn down. We get negative. We need to vent. We sometimes think the tasks are impossible. We even get frustrated and angry and share our impassioned war stories over beers and strippers (I’m listening to too much ExoticLiability!). That’s why this industry and culture we have is so cool! Because we’re not all negative at the same time, and we understand that sometimes we have to vent and sometimes we have to support the venting from our peers. But hey, hopefully with hard work and an alignment of the corporate stars, we can effect some positive security change when we have the opportunities to do so. The long-term goal is education, and whether we see it reflected or not, we do slowly improve the education of those around us (even if it causes *them* to take up beer bingeing, too).
Loner, good comments. I do want to clarify on the place of security within the organization. I fully agree that it needs to be baked in so that it happens in IT (infrastructure, apps, etc.). In my case I was the security program. There was not a team, and my reporting under just one of the three areas of IT limited me at times. By moving under Compliance, Change Mgmt, and QA it gave me the position I needed. Since all of those areas have some oversight over the other areas, it was a good fit. Ideally there would be security people in all three areas that would report up to a CSO, who then would report up to the CIO.