Lessons in Changing Culture, or Not? Part 1 Another Purse is Missing
Sat, 2006-11-25 16:48

It was an early autumn day in 1997. I had just moved to Lansing two months earlier to become the Director of IT for the Michigan Department of Management & Budget (DMB). We were busy revising our overly complex Y2K remediation strategies, but something else was bothering me. It was the computer security, or the lack thereof.

We were seated on the second floor of the Lewis Cass building, and I could see the State Capitol from my office window. The funny thing was that all of a sudden everyone was talking about the latest big "security incident," which basically meant another purse was missing. It was the second of the month.

Now don't get me wrong, a missing purse is a serious problem, but … let me back up and put this in perspective. You see, our building had practically no security. No guards, no screensavers, no one wore their badges, few used passwords, it was a virtual security free-for-all. People could walk into work areas uncontested, and they often did. They'd come off the streets and use the bathrooms. Occasionally, things went missing, such as purses at lunch breaks. Missing purses were discussed like we now discuss a feared flu pandemic.

Although I loved my new role, I initially felt like a fish out of water when it came to anything related to security. You see, I had spent the previous thirteen plus years working as either an NSA employee near DC or as an NSA contractor in Northern England. Despite some lapses you may have read about, security was always tight, very tight. Guards that meant business, mandatory badges, bag searches, German Shepherds guarding barbed-wire fences, serious guns, you get the picture. We even had posters in stairways reminding us that "someone is watching you."

If you've ever worked at NSA, you know that security is a part of everything that's done. No matter that my job was focusing on networks or testing new products for interoperability, everyone did security. They built security into the culture from day one. I was learning about encryption and the history of breaking codes back in 1985, before it was popular. In a nutshell, everything was as you would expect it to be at NSA.

Since you're probably already thinking of the question, yes, I knew I was giving up my clearance when I left the intelligence community. Regardless, I didn't understand that security was more than NSA's middle name - until it was gone. What wasn't as obvious then, and I learned the hard way from 1997 through 2000, was that security needs to be valued as part of the enterprise culture, if you want it to be truly effective in the long run.

Don't misunderstand. The Michigan DMB staff was more than competent. In fact, I quickly learned that my new team excelled in many areas of IT and other business functions. Their Y2K preparations were way ahead of anything I had seen before in the US or UK defense world up to that point in time. In addition, most of them had an excellent work ethic.

Generally speaking, most companies, government agencies, and even non-profits will always do a few things well - if they want to survive. For example, we just returned from Orlando, where I learned that Disney World considers all their employees to be "cast members," whether you're leading in a musical or running a ride or whatever. This brilliant cultural concept reinforces the fact that everyone is being watched at the theme parks and has an important role in customer satisfaction.

During my first year in Michigan, security just never came up as a priority. I met with customers, management counterparts at other agencies, the young, the old, and just about everyone who would talk with me, but I couldn't find anyone who "got it." A few hints and even a little prodding didn't even get them to mention the "s" word.

Reader Feedback
Sun, 2007-04-01 21:27
Thanks

Very interesting information. Thanks to the author.

Thu, 2006-11-30 00:06
Culture
By Anonymous

Too many similar situations to mention, but we still have people complaining about screen savers, acceptable use policies and why they can't download stuff.

Still, it comes with the territory, get used to it!
