What Do You Say You Do Here?

Sept. 12, 2024

Most of us can probably say we’ve seen the meme of the guy from Office Space looking into a cubicle and quizzing an employee about their role and functions. It’s a funny scene we can all relate to in a corporate office environment. The sad reality, however, is that many employees may struggle with a credible response.

I recall working with a client on their cybersecurity program a few years ago. As part of my responsibilities, I had to gather data by interviewing corporate personnel about their roles and responsibilities regarding cybersecurity. Meetings were set up with an appropriate agenda so participants could prepare.

Over the next week, as I met with the managers, most showed up carrying a blank notepad and a pen. My first meeting was with Chad (not his real name). As the person who oversaw the company’s security operations, he was animated as he explained how their Security Operations Center gathered data, managed the network, and responded to incidents. He cited several anecdotes where his team had successfully stopped targeted cyber-attacks. He also explained how his mentoring helped to grow the teams’ skill sets and bring along future leaders. By now, we had spent nearly two hours in deep discussion.

I found myself furiously taking notes and making notations. I returned to the discarded furniture closet assigned to me that functioned as my on-site office. I started to type up my findings. As I scrolled through my pages of notes, I struggled to capture everything we had discussed. Over the next two days, I had to email Chad a list of questions about facts we had failed to cover in our session. This exercise was proving far too time-consuming for both of us.

I reviewed the agenda I had originally sent him and realized I hadn’t provided the ideal structure for our meeting. I set about revising it to be more comprehensive and explicit. I spent a few hours rewriting and expanding the agenda, then looked at the clock. I realized I had my next interview in just a few minutes and couldn’t send out the updated agenda for the next manager. I had to go with the original I had provided to Chad. Would my unforced error make for another difficult session?

I entered the conference room for my meeting with Sally (also not her real name), the Identity and Access Management systems manager. I was running an internal dialogue that reminded me to keep the discussion focused on obtaining the data I needed to construct my report. When she walked in, I was surprised to see her lashing up her laptop to the projection system in the room.

“I read your agenda,” she said, “and felt it best I provide you an overview of my areas of responsibility and how I track my team's performance.” I was gobsmacked. There was no blank notebook. There was no time wasted on introductions and flummery. She was ready to present, and I was ready to listen.

Sally then took me on a tour de force of her corporation’s entire IAM program from top to bottom. She began with an organizational chart and an overview of her top-level responsibilities and each division. After a half hour of detailed and insightful explanations, she continued her presentation with charts and spreadsheets with all the objective criteria and performance metrics she used to oversee this critical aspect of the cybersecurity program effectively.

She ended by asking if I had any questions. I didn’t. I asked if I could get a copy of her slides. “Of course,” she said, “feel free to follow up with me if you need anything else or more clarification.” Although I did find a small data point that required her explanation, her presentation was everything I needed to cover her areas of responsibility.

Of course, there is a lesson here: it’s always a great idea to have a comprehensive answer to the movie line “What do you say you do here?” You never know when the two Bobs will show up at your cubicle, lean over, and ask you this vital question. You may not have an entire slide deck of detail, but you should have a ready answer.

About the Author

John McCumber | Cybersecurity Consultant

John McCumber is a cybersecurity executive providing targeted guidance for industry and government initiatives. He also develops and delivers consultative support for CIOs/CISOs in cybersecurity, data management, privacy and analytics. He is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as an Information Warfare Officer during the Persian Gulf War. John is a former Professorial Lecturer in Information Security at The George Washington University in Washington, DC and is currently a technical editor and columnist for Security Technology Executive magazine and the author of the textbook Assessing and Managing Security Risk in IT Systems: a Structured Methodology. He is now semi-retired and living the good life with his wife near Ocala, Florida.