If you are at all familiar with my blog, then you have fallen victim to my occasional rants demeaning inept CIO's. And you have probably correctly surmised that I speak from my own personal experience with an inept CIO (or two). Young as I pretend to be, I have learned one very valuable life lesson. If you're not happy at work, then you're not happy at home.
Needless to say given my obvious “dissatisfaction” (The Guinness Book of World Records has officially certified this as the understatement of the century.) with my JOB, my life at home was pretty much in the toilet as well. As my benevolent grandfather once told me, “boy, you gotta sh#@ or get off the pot”, or in security lingo, “phish or cut bait”. After 8 long years, 6 of which were fantastic, I finally decided to cut bait. Apparently 8 years as the CISO for one organization is relatively rare, but I managed to tough it out far longer than I should have.
It wasn't one thing that finally drove me over the edge. Oddly, it was several things all perpetrated by the same person. I know that several of you are in this same predicament and I'm here to say that the grass is actually greener in another security pasture. Our industry is growing even in this national economic downturn. Even today, I receive dozens of calls from headhunters looking for experienced security professionals. I suppose that makes it a seller's market of sorts.
For me, this was an easy decision. After “voiding” all of the security policies I had worked to have adopted, tossing me under the proverbial bus at every opportunity, removing what little authority I had managed to scrape together, I finally woke up when my computers were taken away. Don't ask why, because it makes about as much sense as a screen door on a submarine. I'm not sure why I didn't leave sooner, I suppose it was some measure of dedication that I felt to the program that I had painstakingly built. In any case, when I finally came to my senses, I couldn't get out of my position soon enough. I interviewed at Dartmouth, the University of Texas, and a few other schools, but finally decided that I wanted to try something new, outside of the chaos that is known as our higher education system.
I'm glad to say that I landed a position with a very talented group of people who impress me daily with their professionalism and wicked smarts. Oddly I have found scant traces of either within the majority of college and university security shops, which is probably a direct result of the pittance that higher ed. pays its non-faculty. Don't get me wrong, I don't hate higher ed., it's just that after almost a decade of working in this industry, I see serious problems with how MOST schools address information security.
This entry is more personal than those I typically post, but in speaking with a number of my peers, job dissatisfaction is quite prevalent. Hopefully, sharing this story with you will help you decide if you should phish or cut bait...
One added note, my five-year-old daughter put my new job into perspective a couple of weeks ago when she sat in my lap and said, “Daddy, you sure are a lot nicer since you got your new job.”






You are definitely entitled to your opinion. I would like to agree with one point that you make in that I am/was an unsatisfied employee, hence the reference to "rants".
In my opinion there ARE a great number of higher ed. CIO's that don't place enough (if any) emphasis on information security. Also in my opinion and the opinion of several of his peers, the CIO that I refer to is undoubtedly inept. The actions that you refer to were not only directed at me, but also at the vast majority of the IT staff and faculty as well.
In my case, as in the case of other CISO's I have spoken to, exodus is sometimes the best option. I respect your comment that I should accept some blame, and I suppose to some degree you are correct. Perhaps I could have sat down with him the 13th time, then a 14th, ... I for one am confident that I exhausted every avenue conceivable before making my move. My larger point is, should I really be working this hard to convince a CIO that security is essential? Shouldn't a CIO know this? Shouldn't he or she be committed to a top notch security program?
You stated that you had six fantastic years then things went downhill the next two years.
I remember a case involving a security officer in which you were required to carry out a computer investigation and present your report to GC and also in a deposition. This brings up the matter of honesty and integrity (not on your part, of course, nor the accused officer). You had to be between a rock and a hard place if the report did not match the findings of the defendant's expert. So, what I am saying, I believe the rumblings - those that you know of and those you did not know of - contributed to your downhill slide.
The officers who were aware of this situation moved on to find "greener grass." So, I am telling you, as you know by now, trouble can provoke one into moving on... it can be a good thing! I would have been looking for another job also.
The other employees now have jobs where they are treated with integrity and respect. Feels good, doesn't it!
Oh...sometimes one may fail in certain areas in their job or make mistakes, but not be guilty of an accused violation or policy.
I couldn't help but think that all this was about was the ravings of a disgruntled employee... not really about the challenges of being a CISO in higher ed, but more about your personal difficulties in getting along with your boss. Then you had to take it to another level and begin throwing rocks at university CISO's, basically trying to make the case that they are somewhat incompetent. Unfortunately, that only displayed your ignorance of the challenges in higher ed information security programs, because the only successful approach is top-down, and you failed to make the point that higher ed executives often fail to become involved with these programs to influence their success or failure. Don't blame the practitioners. I'm not even sure you actually are one after reading this article! You don't seem to have the proper perspective. Anyway, if your old boss took away your computers, voided policies you developed, etc., obviously there was a lack of trust and faith in YOU and the greater question might be... why was that? I'm sure it didn't happen overnight. CISO careers, as your one correct statement indicates, aren't known for longevity. You might have better served your audience if you thought about why and how things changed so radically at your past enterprise and what role you played, what role your leadership played... that might have been a useful discourse. Hopefully, you will have a little more foresight and thought at your current job or we may read another blog like this soon enough...
Hmm... maybe you "couldn't help but think that all this was about was the ravings of a disgruntled employee..." because you are a little too closely involved?