Half a year ago, one of the world's leading magazines on the subject of integral security (CSO) commissioned several articles from me. Unfortunately, since unprofessionalism is evidently not an ailment of the Croatian scene alone but also of some regions west of us, the actual collaboration and publication never materialized, although the collaboration was initially presented as a done deal. So I am taking the opportunity to publish the first of the two articles I wrote, which takes a relaxed look at the position of the corporate security manager, the CSO (Chief Security Officer).
The article was written in English, which should not be a problem for most interested readers.
CSO’s first day
“Finally, you did it. After months of talking to headhunters and their associates, after being interviewed over the phone and in person, after credential and background checks and grueling negotiations, they decided to hire you. You are still not sure what the tipping point was that made them pick you out of all the candidates who applied for the position: all of them are well educated, have technical and legal backgrounds and information security certifications, and some of them covered the physical security function for oil and energy companies for years in not exactly hospitable parts of the planet. Some of them worked for the military, were security contractors and spent some serious action time working with special forces… or at least that is what your internal sources tell you.
So, the day has come and you are ready to start your first working day. Driven by anxiety, you find your barely negotiated parking space in a crowded section dedicated to the company's top hierarchy, and you manage to convince the receptionist that you are the New Guy who will be reporting directly to the Board of Directors. She tells you that your new office is on the ninth floor, one floor below the CEO's panoramic office, and relays the message that your notebook, palmtop and RSA token for e-mail access will be delivered before lunchtime (with a note of regret for the delay, signed personally by the assets manager). You enter your new office, slightly smaller than anticipated and with a shared secretary: a small disappointment.
What now, you think. What is the first thing I should do?
With your head full of abbreviations, certifications and knowledge gathered over the past ten years working in the IT, General Services and HR departments, plus numerous afternoons and nights spent on MBA case studies and mentoring sessions, you are ready to charge head-on right into… disaster!
Stop for a second. Do nothing.
Exactly, as simple as that. DO NOTHING!
Do not try to change the company on the first day. Do not try to find out why the disaster recovery plan was last updated in 1993 and still covers recovery of Novell networks. Do not try to confront the people currently in charge of a business continuity plan that was last tested nine years ago. Do not ask around who is responsible for the secretary who just left a botched copy of the Procurement manager's expense report next to the copier, oblivious to the existence of the shredder.
This company has been here for years and, extrapolating from experience, it will most likely still be here after you too. If you try to plunge straight into the problems of an organization that was set up… well… not exactly in an optimal way, you risk being excluded from the processes and pushed to their margins, and very soon the rumors will start that somebody greased a few palms to get you hired “for the job that would be done anyway by those in charge of it”.
Of course you are a highly professional person and you might be right, but you cannot change old ways overnight. Let's face it, most organizations are not that good when it comes to integral security. Security concepts are often applied haphazardly and randomly, in whatever order the Board approved them or depending on its inclination to approve funds. If you think that you are the person who can change this just by being hired, you might be on the way… out!
Instead of charging into action and releasing an explosion of all that accumulated knowledge and previous experience, try to be a good secret agent. Find out as much as possible about the organization. Identify internal sponsors: who are the people of high rank and authority who might properly recognize your efforts down the road? Try to understand more about people and what makes them tick. Gather as much data as you can for a snapshot of the current security situation, building internal checklists without sharing them with other people. Especially avoid canteen lunchtime talk and sharing your sincere opinion with the first friendly person who comes along. Newcomers are newcomers, and it will take some time before people accept you and stop considering you to be someone who will expose the holes in their daily areas of responsibility.
Be especially aware of the (wrong)doings of the Procurement and Legal departments. They should cooperate to ensure contract security, but in reality they are often lacking in this area.
Your best friend while evaluating the current integral security framework might be the CEO's personal assistant. Usually, this is where you can find more useful information than you could ever extract from your data warehouse reporting system. Somehow, information manages to find its way to those people, regardless of importance, distance and time. They almost defy the laws of physics. And they can be your best friends, if you approach them wisely.
We are all being pushed daily to produce results, and not just any results, but detailed, quick and tangible ones, so much so that we sometimes forget the importance of thorough analysis and a clear overview of the situation. Your line of work, regardless of whether you have a dedicated department that takes care of integral security under your supervision or you are a lone gun who has to coordinate other heads of departments to achieve the goals, depends heavily on your relations with the Board of Directors, but also on all employees across the organizational matrix. Do not waste precious time at the beginning of your employment by making enemies. This is the time when you can strategically strengthen your position by creating important business connections and acquaintances that can later serve as a social network for really understanding the underlying processes and how to channel them in order to improve the organization's security situation. If from the very beginning you start pointing out deficiencies and naming names and faults, the existing system could have enough internal strength to squeeze you out and marginalize you. In that case, no integral security goals will be achieved, and there will be no more dedicated parking space.
And this is the last thing that you would like, isn’t it?”