Archive for the 'Ethics' Category...
Filed under Ethics, Security
My friend Martin McKeay posted a few days back about email privacy. Another friend, the great Alan Shimel, responded with some thoughts of his own. In light of these posts, I found interesting the following story from another friend (not a blogging buddy).
Here’s the story: My friend works at a rather large national sales-type company. He has worked there for about the last 10 years. Recently, the company cut quite a few staff in an effort to get rid of some bloat they had accumulated over the years. My friend was passed over by the cuts. He actually got a promotion out of it because he was placed in charge of a territory that was previously run by 5 sales managers and several account managers (so either they did have substantial bloat, or they are trying to kill my friend instead of firing him).
After my friend received his promotion and started to take over the operation of his new territory, his boss informed him that the IT department had been instructed to forward all emails of the previous managers to his inbox. This was done for obvious reasons, and my friend got ready for the deluge of emails. What surprised him was that he started receiving the emails of an additional 5 sales people that were now his employees, and he knew that neither he nor his boss had requested this to be done.
After scratching his head for a few minutes, my friend decided to check with his boss to see what was going on. You can probably see where this is going, but basically, they found that one of the previous managers that got the axe was spying on his sales people. According to my friend (and I believe him), this guy was a micro-manager from hell, and he would not let his sales people make any decisions without his explicit approval. He basically beat his employees into submission and made them little more than robots doing his will. But he was smart enough to keep this from his boss.
He made sure that his boss knew nothing about the emails being forwarded to him by going directly to a single IT person and asking to have this done. I have no clue about the company’s change management process (it is obviously pretty weak), but I guess this IT guy was either bribed or just charmed into doing this without ever letting anyone else know about it. And the IT guy could not really be held accountable after they discovered what had happened because he had taken an early retirement option that had been offered when the company was cutting back (they ended up letting 48 IT people go by either layoffs or early retirement).
So what are some lessons here? First, change management is important. This could not happen (or would be less likely) if the company had a strong change management process that made requests go through the system, and those requests were checked by more than just one individual. Second, system reviews are important. Even if something like this slips by, having a regular review of systems from someone outside this particular responsibility area would have likely turned up something fishy. Third, your privacy is never guaranteed, especially in email and in an employment situation. Though this was done incorrectly, and these employees (according to my friend) did not know they were being monitored, it is still within the rights of the company to check up on the employee’s corporate email.
Posted by Michael Farnum on Friday, December 1st, 2006
Filed under Blogging, Blogging Buddies, Ethics
Mitchell Ashley wrote a piece on conflict of interest yesterday. It was specifically concerning analysts because of the firestorm of posts about some analysts recently jumping ship and going to manufacturers.
Mitchell’s post got me to thinking about some things specific to me (because I am my number one fan, and because the analyst soap opera just doesn’t interest me too much). What I mean is my recent job change and how it affected my blogging.
If anyone is new and doesn’t know to what I am referring, you can read about it here. But in short, I recently moved from the security management world to the consulting / reseller world. This was quite a change, and I learned soon after the change that I would have to steer clear of some subjects on my CW blog because of, you guessed it, possible conflicts of interest. What I mean is, if Accuvant (my employer) partners with a certain vendor, then it would be a conflict of interest if I wrote something negative about a competitor of that vendor. So CW said, basically, no posting about specific vendors at all.
Initially, I bristled at these restrictions and considered dropping away from Computerworld. It bothered me because I felt like I was being told that I could not speak my mind (similar to what Mike Rothman went through recently at Network World - I am not apple-to-apple comparing what Mike went through to what I was looking at, since Mike was speaking his mind on his own blog, and Network World let him go for it, which is bogus). Basically, did I want some organization telling me what I could and could not say?
Then, I got to thinking about the issue a little more closely, and I realized a few things. One, this is their sandbox (I got that analogy from Rothman), so I had to play by their rules. Second, they are a business that has to protect their objectivity (though some people will argue whether any of these technology media outlets are objective). Third, and this mattered the most to me, I could still post my personal views on my personal blog. I know this didn’t protect Mike, but so far I have had no issues with my editors at CW, and I think that will stick.
So the conflict of interest issue was settled in my mind because I still have a free voice at my personal blog. If CW was to ever let me go for something I posted there or on my personal blog, then c’est la vie. I can go on.
Posted by Michael Farnum on Thursday, November 30th, 2006
Filed under Business of Security, Ethics, Sales, Security, Security Reselling
A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager. It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site.
Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.
So, how to be a good SE. First, let’s define the term “SE”. In many to most cases, that term means System Engineer. In my case, it means Security Engineer. Both perform the same function, however. At least they do in what I am referring to here, and that is in their pre-sales role.
A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there. This may be the perception, but it is almost always not the case. The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth. For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.”
If you can’t tell, I have been reading “The Dilbert Principle”.
But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs. That is also the salesperson’s job. And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there. A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind. So the SE has to be that buffer. And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.
In case you didn’t get that, I’ll type it again. The SE is EXPECTED to be the buffer. That means that the SE is expected to be honest in his appraisal of the situation. He is looked at as the guy who works for a living, just like the technical people in the trenches. He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc. Even if the SE has never held a true operations type job, he still will be perceived as such. That perception is what garners trust in the SE, and that trust CANNOT be broken.
What many people may not know is that pre-sales SE’s typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either). And just like salespeople, SE’s with VAR’s (like me) are often approached by manufacturers with incentives to push their product (these are often very good - money, electronics, etc.). This is called a spiff. These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.
But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation. Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it - and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront). But you must be able to look long term. The desire for an immediate reward must be superseded by the customer’s needs.
And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE. It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most. That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems. So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.
So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first. You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward. The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.
Posted by Michael Farnum on Wednesday, November 1st, 2006