One of the reasons I am getting out of security management…
on September 5th, 2006 at 11:16 pm…is crap like this. I am honestly tired of having to worry about keeping up with the latest security flaw and making sure my IPS has the latest filters and trying to make sure my network admin is keeping the patches up to date and yada yada yada. It just gets old.
A while back, I published a list of all the things I do on a daily / weekly / monthly basis as a security manager. When I look back at that list, I am seeing about nine tenths of it as reactionary chores. And I am tired of being in such a state of constant reaction, even when I do everything I can to be proactive. It just gets old.Â
I realize this may sound discouraging. Believe me when I say I don’t want to give up the fight.  I just want to help some other people fight the fight instead of being on the front lines every day.Â
When I first thought about it, it kinda felt like the front line troops were going to lose a man to battle fatigue. But to clarify by carrying the military analogy a little further, think of me as a REMF (ask your military buddies – they know what that stands for). Basically, REMF’s are the people who sit in the back away from the front lines. They drive fuel trucks, they fix broken vehicles, they cook food, deliver MRE’s, deliver ammunition, etc. They are support. They don’t always get a lot of respect. But without the support the REMF provides, the grunt, the M1A1 tank crewman, the Apache pilot, and the howitzer gunner can’t fight the fight. So you gotta love the REMF, even if he is not looking at bullets every day.
It may sound like I am trying to convince myself that I am making a good move, and to some degree I probably am. I know this is the move I am supposed to make. I feel that deeply. I just want people to know that I am not giving up. I am just moving to the back lines. Is there some fatigue? You betcha. But I am not going to be the guy who Patton slaps. I’m gonna be the guy driving the ammunition to the front line so you can shoot at the bad guys.
Of course, if the guy who brings the ammunition had to convince the tank commander every time that his ammunition was better than that other guys ammunition, and that his ammunition fit better in the gun tube and would make pretty lights when he shot it down range, then our military would be in a bad way. OK, so maybe the analogy doesn’t play all the way through, but work with me here, OK?
Vet
Karn,
Thanks for reading. I have researched outsourcing as a possibility, and I proposed several solutions in my tenure here. The issue with my current employer is that it is hard for a SMB to justify a full-time security manager along with outsourcing costs. Basically, they question why they have a security manager in the first place. They just don’t understand the full amount of work that is involved in keeping a network secure. And even if they did, it does not guarantee that they would do anything to alleviate the burden. Hey, I’m salary. They pay me the same no matter if I work 40 hours a week or 60.
By the way, now that I am leaving, outsourcing is on its way in here big time. That just proves my above point.
Michael
Michael,
I just found your blog today, and have added it to my reading list (and my list of links on my blog). I went back and read your list of daily functions. No wonder you are frustrated! In reading the list, it occured to me that most of the items you listed have now become fully outsourced products, or managed services offerings.
It seems that someone of your technical talent, experience, and industry knowledge should be doing something other than updating IPS signatures and delivering blocked emails! The truth is that us network geeks are getting pushed out of the building. If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters I’m looking for, why would I bother with a full-time person (or more) to do these things.
There is a company here in Los Angeles advertising on the big radio stations that offers SMBs that very option. They drop thin client machines on every desktop, and just turn on services, Word, Excel, Quickbooks, whatever is needed. There are no servers, no gateways, no VPNs, no IPS, to anti-virus mess, no patching to worry about. Just show up and use your tools. Maybe one day we will just buy our computers in a blister pack at WalMart, and get all of our services from (gasp!) AT&T.
Nice blog, keep up the fight!
Karn
http://security-gurus.blogspot.com
OF COURSE, you are making the right move SINCE you are moving from being a Security Manager
(aka “All the responsibility and none of the power”) to a noble vendor role!!!
Welcome to the darkside, baby!
Been there, done that, bought the T-Shirt!
Hoff
Michael – don’t be discouraged. You fought a better battle than most I have seen. Take your new job for a while and grow with it. There may still come a time when you are back on the “front lines”, but maybe this time leading the troops and plotting the strategy. Good Luck with the new gig and keep your chin up, you are still fighting the good fight