I started writing this post a few weeks ago, but am only now getting back to it. After getting a good outline going, I simply couldn't bring myself to write it. Part of my resistance, I think, comes in the pain of self-realization. At the same time, I'm sometimes loath to share these personal revelations as I'm never sure how people will take them. My hope is that you'll read this and think "lessons learned" and not "what a dope." Anyway...
For a little background, I took a job as Security Director in January 2009 with a small tech firm in Phoenix called Highwinds. They did a couple different things, split along the lines of USENET services and a CDN. The company had grown through acquisition, and as such had all the legacy software+system issues you might imagine. There were a variety of other issues, such as internal politics and power struggles, and certainly no shortage of security concerns, especially given a need to make forward progress on PCI DSS compliance.
About 8 months after starting the job, including a move from NoVA to Phoenix a couple months into things (a move that, to this day, I'm kicking myself over - always listen to your gut!!), my position was terminated and I was cut adrift in one of the worst markets in the country. The termination came right on the heels of my speaking at a small conference in Montana (for which I had been approved to travel!), and really served to knock the wind out of me hard. I had just started to feel like I was settling in the role and starting to understand how I needed to proceed and was more than a little angry over the sudden change of status.
The bottom line, though, is that I failed at the job. No, I didn't fail because I didn't know what to do, but because I failed to effectively communicate. It's ironic, I suppose, that someone as verbal as I am could fail at fundamental communication, but that is in fact what happened. In a nutshell:
-- The prioritized approach I had developed was right.
-- The staffing issues I had identified were right.
-- However, I did not effectively communicate this plan to the C-level team (too abstract).
-- Ergo, failure.
It's amazing how important clear communication is, especially when trying to share a serious message that requires explicit action and fundamental changes. And yet, when given a chance to brief the C-level team, I completely dropped the ball, using a very short slide deck that simply created more questions and confusion without actually setting forth any sort of plan of action. No wonder the CEO walked out of the meeting, turned to the GC and asked "is it me or has he done nothing in 6 months?" Nothing could have been further from the truth, and yet this was the message I somehow relayed through my presentation! Ack!
The important lesson to learn here is that it's imperative to clearly communicate a plan of action. It is not adequate to simply share a vision and leave it up to people outside the industry to fill in the blanks. Maybe some execs are ok with a more abstract approach, but this team certainly was not ok with such an approach, and I completely failed in my duty to reassure them of the choice that they'd made in hiring me.
Not Completely My Fault
Now, all of this said, I can't take full credit for my failures. Well, I guess I could, but to do so would be uncharitable to myself and ignore the hard work, blood, sweat, and tears that went into this fatal scenario that was, I think, doomed from the outset. How so? Well...
* Inadequate Support: Plain and simple, I was never fundamentally supported in the position. I knew this before the move to Phoenix at a very fundamental level, but had hoped that being on-site would help resolve some of these concerns. As it turned out, I got put in a nice office 6 floors away from the entire ops team and was subsequently shut out. It was very clear that I wasn't wanted there, and had really only been hired to say "yes, we have a security person," but without any intention to change things. Case in point, I tried to help accelerate an SSO project, which was assigned to one of the sysadmins, who subsequently ignored it until he finally snapped and yelled at me, announcing that he had no intention of doing the work assigned. He quit a couple weeks later, and the project never made any progress.
* Politics: I came onboard in the midst of a protracted and increasingly volatile political battle. By all rights, I should never have been moved to AZ, but rather should have been moved to corp. HQ in Winter Park, FL. The Phoenix office was home to ops, but it was pretty much all acquired talent who had been running their own businesses, and who were being allowed to still operate with a high degree of independence. Unfortunately, this led to lots of decisions being made at a point too close to ops that didn't necessarily reflect a useful overall strategy for the company. Phoenix functioned like a subsidiary within the company, which created all sorts of challenges. IT, which was based at corp HQ, wasn't even providing support for the Phoenix office even though a significant number of people were based there. Dysfunctional hardly begins to describe what that environment was like.
* An Overwhelming Amount of Work: I was amazed at how little security had been implemented. My tasking was primarily PCI compliance, and I had a tough time getting my brain around it. It took me a couple months simply to map out all the gaps that required remediation. In the end, I was able to initiate a project to address the majority of concerns in the cardholder environment (no idea if that project was ever completed). However, it was a very daunting task, and one that took me a long time to get my brain wrapped around. It was one of those situations where there were literally several top-priority issues that needed to be addressed. And, given the lack of support, there was simply no place for me to start or any way to get anything meaningful done.
* Wrong Person For the Job (sort of): In many ways, I was the wrong person for the job. Or, more correctly, I needed one other person, a solid, hands-on technical security resource, to help make headway. It quickly became clear that I couldn't lead the security charge AND implement all the necessary changes. Moreover, as I needed to be the "bad guy" in many cases, delivering bad news, it would have been very useful to have someone technical who could endear themselves to the ops team and actually make some progress. Alas, it wasn't going to happen.
Suffice it to say, I now find the experience instructive, even though it represents a spectacular failure in my career. I'm confident that I could tackle a comparable position in the future and a) avoid a bad environment, while b) getting stuff done.