For Now, We See in a Mirror, But Dimly

Sept. 9, 2022
John McCumber's monthly view on security

One great aspect of retirement is having ample time for both family and friends. Recently, I set up a video call with an old, dear colleague to share a coffee and war stories as we had done in the past. My move to Florida made a face-to-face meeting impractical, so we took advantage of technology to chat online. We had each brewed a fresh cup and appeared on the screen to resume a long friendship.

Frank (not his real name) is still a hard-working cybersecurity consultant – and a very good one at that. He set up his own consultancy about a decade ago to remove himself from the ugly politics and daily corporate in-fighting at the large, well-known Big Four accounting firms where he honed his impressive skillset. By overseeing a small cadre of seasoned professionals, he can focus on quality services without the attendant organizational shenanigans. The small team he hires, trains, and manages go on-site while he focuses on client management and quality deliverables.

Today, he grabbed his coffee cup at his desk and leaned back within the camera’s field of coverage and asked how I was doing.

“You know me,” I replied, “every day is a holiday and every meal a banquet.”

He laughed. “I wish I felt ready to retire,” he said, “but Susan and I bought that condo near Hilton Head a couple of years ago and I need to keep ahead of the bills. Besides, I haven’t been able to fully groom my replacement. You remember Jeanine. She’s going to do great things, but she needs a bit more time before I hand over the business.”

“Yeah – she’s a rockstar, alright. How are your engagements going?”

“You know this business,” he said, “everyone has a subset of the 30-or-so major cybersecurity issues and most of the work is sussing out which ones apply to them and to what degree. In fact, Jeanine called me last night after a long, frustrating day she was having at the client site trying to do just that. You remember what happens when one of the client’s security staff gets especially defensive and upset, don’t you?”

“Indeed, I do,” I chuckled. “Was it what you and I would have expected in such a case?”

“Oh, I’m sure it is,” he replied, “but we need to do our legwork and fight through the emotional issues to get to the technical and policy problems.”

“And you definitely know this is an especially problematic area, right?”

“I don’t even have to hear any more to know where this will lead; however, we have to do all the digging and homework while this division chief hovers over us, continually threatening to have us tossed off the engagement.”

“Does he have the power to do that?” I asked.

“No. We were hired by the Board, but that doesn’t take the sting out of his threatening vitriol. We all know where this goes when we finally get a look under his pet rock, don’t we?”

I laughed. “Yup – you found their security program’s Achilles’ Heel, and this guy basically told you just where to dig. It’s like putting a large, red X on a pirate map.”

“You know it, and I know it,” he said, “but poor Jeanine has to document everything while listening to the angry manager.”

“I’ll wager he’ll also show up at the corporate out-brief to challenge your findings,” I said.

“Oh, he definitely will, and he will likely take personal pot-shots at my long-suffering team, but we’ve been there before. After the CISO and the Board get a look at the findings in his area of responsibility, he may be far less vocal – if he still has a job.”

About the author: John McCumber is a security and risk professional, and the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].