Lamont29
Community Champion

Working in a Vacuum

Sometimes I post scenarios in the hope that some individuals who may be experiencing what I have might chime in and share their own conundrum of a headache. Information security in my mind has always been about communication. Such questions sprinkled about security exams to test one's understanding of that concept were not at all surprising to me. So, I am often miffed when I see individuals in large enterprise organizations who not only feel that working in a vacuum is a good thing, but go out on a limb to protect their perceived ‘right’ to do so.

Yet that kind of attitude puts the entire organization at risk. I have certainly found my niche in information security / information assurance, in that I have apparently dedicated my life to stamping out such brash behavior wherever and whenever I see it.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
7 Replies
dcontesti
Community Champion

Lamont,

I share your annoyance here. I know of one instance where the ISO thought it appropriate that they have conversations with their peers and folks senior to them, but ignored those folks whom they thought were at a lower level. They felt totally within their rights, as they were, after all, the ISO.

The problem was that the folks they perceived as lower knew what was really happening in the environment and knew when things were not kosher; however, this person continued to report to senior management that all was well in the land of security... Guess what, it wasn't. You can imagine the egg on their face when they suddenly realized they had been living in that vacuum and management learned the real story.

The moral is that they are no longer at that company, and the new Virtual ISO talks to everyone 🙂

Just a little war story.

Diana

 

Lamont29
Community Champion

Thank you for that input, Diana. And again, the scenario that you just shared there is worth its weight in gold. I have trumpeted from the very beginning, at whatever security job I have entered: “Pet projects and working in silos are NEVER kosher as it pertains to information security!” If that one person falls ill or worse, we have all of this ground to cover, and until we do, we are left vulnerable.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
rslade
Influencer II

routinier, n. A person who has only an elementary knowledge of his or her profession, and is therefore unlikely to produce anything innovative or out of the ordinary.

OED

OED Word-of-the-Day on Twitter


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Lamont29
Community Champion

I guess that's a great definition of such a person, except that when I think of a person who follows a daily battle rhythm, that would normally be a good thing. In this case the routinier is practicing bad habits daily.
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Shannon
Community Champion

From my experience as an ISO, I can say that people at a senior level may not be able to offer much more than a holistic view, while those at an intermediate level can often see just parts of an incomplete image.

Nonetheless, since this position requires a 'complete image with a good resolution,' it's important to interact with everyone --- & I've often found that people at a lower level can provide very significant inputs.

Also, communicating via formal channels won't suffice --- interacting with colleagues casually often leads to them 'revealing' things that they definitely wouldn't want to say in an email or be quoted on.

When you're expected to facilitate security info to top management, regulatory authorities and auditors, you can't afford to be in the dark, so working in a vacuum definitely isn't an option...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
mgorman
Contributor II

What I tend to see of people working in vacuums is that they really don't produce anything.  They can write reports, run analyses, even architect or design solutions that look good, but if they aren't communicating with the rest of the business regularly, then the amount of actual positive work is minimal, or even negative, requiring more effort to fit their work into the business than it took for them to create the work in the first place. 

Lamont29
Community Champion

I get sick in my stomach when I see people operating that way – I really do. However, those individuals who I have experienced operating in that style are those who are uneducated in the field. What happens is that they “grandfather” into their jobs, and management assumes that they are doing a good job, because, as you suggest, they can share out whatever information they choose to share out. These individuals tend to have a ‘stand-off’ attitude, anti-social or other oddity about them that normal workers don’t want to be bothered with from day to day. Left to their own devices, they will continue to get away with it, unless the company decides to hire a middle manager (like me) to whom they must report and give the ‘details’. This is when the wheels fall off. I often find these people doing ‘hobbyist’ type work. Maybe it’s something emerging, has been in the news or is becoming a hot topic. These individuals throw around enough buzz words for management to believe that they are doing something important, while in reality there’s no structure to what they are doing.

If whatever they are doing is not measurable (KPIs / ROIs), or it meets no strategic business goals, nor is it directed by the organization’s policies, then I’d say that employee should be replaced with a resource that will actually work in concert and move the needle for the organization. Yes, management might see a ‘body’ there with a ‘title,’ but the net effect is that all that individual’s good for is collecting a check every pay period.

--
Lamont
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE