Good Security
True story.
I was working at Kroll in New York. Likely in my 1st or 2nd year. We were providing security consulting and design services to a huge multi-national.
I get a request for a meeting with one of their senior global security people. We meet and he asks me to write his security plan for next year. Of course, I didn’t ask him, “Shouldn’t you be doing it yourself?”. I didn’t know the guy well enough and was tired of corporate politics from my past experience.
I figured it would be good to at least collaborate a bit with my “client” so he could contribute, critique my work, and learn how to do it himself going forward. Send in the first draft and suggest we meet to discuss so I could explain the methodology. He just thanks me and says that it is exactly what he was looking for. No meeting needed.
A bit later I find out that he presented the plan to his boss — the head of global security. I also find out that my “client” took all the credit for writing the plan. Both he and his boss were happy.
My “client” had a fairly long tenure with the firm. Nobody knew this “senior security leader” wasn’t really competent. The reason nobody at the firm knew was that they didn’t understand what good security looked like and how to assess a security practitioner’s competence.
What’s interesting is that good security is actually easy to understand and identify.
Good security is:
- justifiable in relation to mission-critical assets, loss scenarios (operational, reputational, and financial), and probability of their occurrence;
- dependent on physical and technological solutions which are designed, integrated, and well-maintained for optimal user experience; and
- delivered by those with credibility across the 7 domains of competence: professional polish, psychology, design, operational controls, technological controls, physical controls, and incident management.
For your consideration.
Soar above mediocrity.
