Chronicle contributed by Candy Alexander
When I look back on my professional growth, the mentors I’ve had, and the advice I’ve received over the years, there are two pieces of advice that have come back to me time and time again.
One of those came to me when I was leaving my first job as a CISO for another great opportunity. It was a bittersweet moment, for it was one of those situations where I loved where I worked and the people I worked for, but geographically it was a challenge.
The new opportunity was closer to home and was similar to my first CISO role, in that I would be establishing the security role and function within the organization. I was really excited to be able to design and develop another security program from scratch, using all the right methodologies and principles.
Like most departures, I had great farewell conversations with each of the people I worked closely with, one of those being the CIO. I had expressed to him how excited I was to be able to start the program and he kindly reminded me:
“Just because they don’t have a formal security program in place, doesn’t mean that someone there doesn’t think it is their job. Just be careful how you approach things.”
Hmm. That was interesting. I guess I never thought of that. It was one of those statements that when I heard it, I paused and filed it into my memory. And true to his words, that is exactly what happened.
Perhaps because so much of information security is based on pure logic and common sense, so many people in business believe that they can perform the function. Which they probably can, but not quite like a trained (or certified) professional can.
It is amazing to me how many people believe that the role/function of security can be performed by those in IT or program management. Sure, they probably can, but at what cost? You see, those of us who have been trained in Information Security understand that there are mechanics of the role that incorporate IT and program management tasks – but with a twist.
As any trained Cyber/Information Security professional will tell you, it is so important to apply the fundamental concepts when working the mechanics, including a risk approach using a governance model, or properly applying the CIA (Confidentiality, Integrity, and Availability) model.
Cybersecurity professionals understand who owns the data versus who is supporting it. They understand the necessity of having the right conversations with either business or IT in order to come to an agreement as to what is critical to the organization and the appropriate level of protection to be applied.
In mulling over the many instances of running into this situation, I see that it ties back into a second life lesson that I have learned:
You can’t do everything, nor should you, especially when it is something really important.
If there is someone who is a trained professional at your disposal, let them handle it. After all, have you ever seen someone receive a haircut from an untrained professional? Can just anyone cut hair? Sure. Should they? Probably not.
As we grow as professionals, whether in IT, Program Management or Info/Cyber Security, it is important to recognize what we were trained for, and stick to that. Leave the rest to the other professionals.
About Candy Alexander
Candy Alexander, CISSP CISM, is an Independent Cybersecurity Consultant with nearly 30 years in the security industry working for companies such as Digital Equipment, Compaq Computer Corporation, and Symantec. She has held several positions as CISO (Chief Information Security Officer) for which she developed and managed Corporate Security Programs. She is now working as a Virtual CISO and Cyber Security consultant.