Tuesday, January 18, 2005

Why I Love Working in Information Security

For those of you that don’t yet know, I work as an information security administrator. In fact, I’m the only one for my entire company, which means anything security-related (computer security or physical security) gets routed my way. The work is just about like the work at any job…it has parts that are very exciting and interesting, and it has parts that are very boring and mundane. Sometimes I’m like Grissom or Caine from the CSI TV series, only in the computer world; I get to hunt around for evidence to use to prosecute the bad guys. Granted, their work is much more critical than mine (within their fictional world), but what I do is very important for my company. Other days, though, I’m doing essentially the digital version of what your local office janitor does. Still, there are some things about working in infosec that really are unique among careers; enough that there are many people in the world, many of whom I’ll be teaching again in a couple of months, who would love nothing more than to be where I am and doing what I’m doing.

Security people live in a very unique and detached world. I’m essentially the cop for my entire corporate environment, and there are good and bad points to that. First, people can like me, and people can even talk to me, but I’m not sure if they ever really trust me. Building a good level of trust with my peers and users is critical. They have to feel comfortable coming to me and telling me something they noticed that is out of the ordinary or that is acting in a way it shouldn’t be. They have to feel comfortable coming to me if they have to blow the whistle on something someone else inside the company is doing. If they don’t feel they can come to me, and have their situations handled quickly and discreetly, I’m not doing my job properly. But at the same time, the level of trust I build can only go so far for both sides. Trust in security situations is much more tenuous, because ultimately, I don’t have the luxury of truly trusting anyone. Likewise, my users know that they can come to me, but they also know that if they do something wrong, and I see it, I have to bust them out for it. I’ve had to talk to people about things I’ve seen them doing that they should have been doing.

Unfortunately, just like the real-world police, I also have to regularly see people at their worst. I have to preside over employee terminations. Most of the time these go OK, but sometimes they don’t, and as Sgt. Joe Friday used to say, “That’s where I come in.” I’ve even had to supervise people who had just been told they had been laid off or fired, watch them to make sure they didn’t do anything stupid (like steal something or erase a computer hard drive), then escort them out. A few of these situations didn’t go as well as I would have liked.

I’ve also had to do things that most people might consider ethically challenging, like monitor all e-mail communications into and out of my company. I don’t do this regularly; there are some things I would prefer not to know. Let me present the scenario properly: a few years ago, I was working as the security admin for a company that was in the midst of merger talks. It was a small startup, and it was failing, as many were at the time. The merger meant that rather than everyone losing their jobs, only a few people would lose their jobs (and actually, I knew I was going to be one of those few people). However, there were people inside the company at high levels who wanted to sink the merger “to rescue the company” so that they could retain possession of their ideas and what they considered “their” intellectual property. Monitoring all communications into and out of the company was the only way to ensure as fully as possible that the merger could go forward without unnecessary interference. At another company, I had to monitor all web traffic so that we could watch for people who surf porn at work. In situations such as those, I’m protected, but some might consider the right to privacy of the users I oversee as trumping my legal responsibilities. There are times when it can get very sticky.

Doing security work, even information security work, means I’m not dealing with systems, but rather with people, working with them and working against them. Technology is not everything I do; it is an asset I protect or a tool I use to accomplish that protection, but it is not the end-all-be-all of what I do. When I’m prosecuting a contact (and ‘prosecuting’ in this case is used in its additional meaning of ‘chasing or pursuing to the very end’, not the legal kind of prosecuting), I have to know a lot of things and know how to apply them, like how computer systems work, what kinds of records a user leaves behind and where to find those records, what tools and technologies exist to help in my work. Most importantly, I have to think like the contact thinks and anticipate what he or she might have done, wanted to do, and why they wanted to do it. In that way, it is truly a hunt; my intellect against theirs, my skills against theirs, my knowledge and experience against theirs. THAT is the greatest thrill of my work, outwitting the other person and nailing them. That’s the CSI part, the closure, the thrill of knowing that you own them, that you have them cold.

As time goes on, I’ll touch more on what I love about security work. Thanks for reading.
