Sometimes I post scenarios in the hopes that some individuals who may be experiencing what I have might chime in and share their own conundrum of a headache. Information security in my mind has always been about communication. Such questions sprinkled about security exams to test one's understanding of that concept were not at all surprising to me. So, I am often miffed when I see individuals in large enterprise organizations who not only feel that working in a vacuum is a good thing, but go out on a limb to protect their perceived 'right' to do so.
Yet, that kind of attitude puts the entire organization at risk. I have certainly found my niche in information security / information assurance, in that I have apparently dedicated my life to stamping out such brash behavior wherever and whenever I see it.
I share your annoyance here. I know of one instance where the ISO thought it appropriate that he have conversations with their peers and folks senior to them but ignored those folk whom they thought at a lower level. They felt totally within their right as they after all were the ISO.
Problem was that the folks that they perceived as lower knew what was really happening in the environment and knew when things were not kosher; however, this person continued to report to senior management that all was well in the land of security... Guess what, it wasn't. You can imagine the egg on their face when they suddenly realized they had been living in that vacuum and management learned the real story.
The moral is that they are no longer at that company and the new Virtual ISO talks to everyone.
Just a little war story.
Thank you for that input, Diana. And again, the scenario that you just shared there is worth its weight in gold. I have trumpeted from the very beginning at whatever security job I have entered: "Pet projects and working in silos are NEVER kosher as it pertains to information security!" If that one person falls ill or worse, we have all of this ground to cover, and until we do, we are left vulnerable.
routinier, n. A person who has only an elementary knowledge of his or her profession, and is therefore unlikely to produce anything innovative or out of the ordinary.
From my experience as an ISO, I can say that people at a senior level may not be able to offer much more than a holistic view, while those at an intermediate level can often see just parts of an incomplete image.
Nonetheless, since this position requires a 'complete image with a good resolution,' it's important to interact with everyone, and I've often found that people at a lower level can provide very significant input.
Also, communicating via formal channels won't suffice; interacting with colleagues casually often leads to them 'revealing' things that they definitely wouldn't want to say in an email or be quoted on.
When you're expected to facilitate security info to top management, regulatory authorities and auditors, you can't afford to be in the dark, so working in a vacuum definitely isn't an option...
What I tend to see of people working in vacuums is that they really don't produce anything. They can write reports, run analyses, even architect or design solutions that look good, but if they aren't communicating with the rest of the business regularly, then the amount of actual positive work is minimal, or even negative, requiring more effort to fit their work into the business than it took for them to create the work in the first place.