A Day in the Life of a Security Dreamer
Today was my morning to drive the kids to school. A quick
check of email in the home office is followed by a whirling and frenzied
forty-five minutes of flying orange juice, scrambling to finish the last bits
of homework, and a tantrum or two. The older kids make it to school on time and
I have a few minutes to skim the FT looking for anything that catches my eye before
the youngest gets dropped off.
What catches my eye this time is the number of times the
word “security” appears and its breadth of uses. I read how one is worried about the security
of the embassies, another concerned about security of investments, a third
discussing a recent virus outbreak and the software used to mitigate it.
It bothered me much the rest of the morning that I can’t
describe what I do simply and sufficiently in light of this plethora of
contexts. I mean, I’m a security professional.
The professional part is clear enough. But Security means different things to just about everyone – so I wonder
if it has any meaning at all.
One client sells a security technology product. The
expertise he most needs from me is my knowledge of how to differentiate the
product from many competitors. Another client wants to know which security
project will return the most value to her organization.
In these two cases, security wasn’t the point of them
engaging me. One wants to make her boss
happy, and the other wants to sell more product. My job was to help them both to get their
performance bonus at the end of the quarter. I thought I was supposed to be making the
Enough navel examination. Time for a conference call with a
client. Actually this is the eleventh
call to discuss the “scope” of a security integration project with a
pharmaceutical company. Their problem is
they are sure they want an improved security infrastructure that will save time,
money and effort in all sorts of business processes around the company. The trouble is, no one seems to own
security. The security director says it’s
a business process optimization project so it belongs to the head of operations. The COO says it is technology
infrastructure. The CTO counters with
legal risk mitigation. Legal says its an
HR and privacy project. As a result,
everyone wants it – no one wants to sign off.
Today’s call with several of those c-level folks is to
determine whether everyone can carry some of the cost burden, or if it has to
be escalated to the CEO. On one hand,
I’d be delighted to present the project to the CEO. I’m sure he would see the obvious value of
the project and mandate it immediately. On the other hand, he might ask me what I do for a living.
“Security professional,” I’ll say. Then I’ll be in trouble for sure. He’ll think
of guards and gates. I’ll dance and try to describe the world of operational
risk management and how security enables business. I’ll explain theories of
security value and give examples of how companies save money or launch new
initiatives with healthy security infrastructures. I’ll talk and talk. His eyes will glaze over, and they’ll end up
buying a few cameras instead.
During the conference call I was relieved that the CEO
wasn’t mentioned after all. The
participants started to work out budget options between their respective
The last time I witnessed a security director trying to
justify himself in front of the CEO, the poor chap nearly wet his pants. The security director, that is. The security professional, with years of
experience protecting people and property took the high road and described his
role as “risk management.”
risk management, he had said. It ended
as soon as it started. The CEO began
pressing with questions of actuarial data about computer security risks (for
which there is none anywhere in the world), and about market risk, and brand
risk, and even investment risk on security projects. The security director lost his footing in the
first minute and never recovered. He and
I spent the rest of the afternoon at a pub commiserating over the ambiguousness
of our profession.
We are not in the risk management business. The CEO taught us that. We are not in the security business, the
marketing director told us that. We are
not in the public safety business either, the internal auditors told us that.
But I digress. The
phone is ringing. It’s my wife. She says the left side mirror on the minivan
has suddenly gone “missing” and the auto repair shop needs a check. That’s when I realize that to my customer –
namely my wife and kids – security means my job security or financial
Now I get it. We
security professionals are in the business of creating opportunities by
securing the business, or the family, or the state, to function without