How to avoid headaches when joining a new company as Chief Information Security Officer.
After spending the past twelve years working with compliance and security in the gaming industry, there were plenty of things to reflect on before I recently joined a startup. Most people try to use the experience from previous positions and copy/paste what worked before with some changes/improvements when joining a new venture. I am no different. The difference this time around was that I had the time beforehand to evaluate and also influence the company’s attitude towards compliance and security. So apart from all the “usual things” to consider when joining a new company, I was able to eliminate some of my biggest headaches from previous positions beforehand.
Headache #1: What’s the company’s attitude towards compliance and security in general? Are the founders of the opinion that compliance and security are a business requirement and a way of protecting its assets, or are they just an expensive and evil add-on? If the business doesn’t see the value and necessity of having compliance and security integrated into every process, decision, choice of technology etc., it will be a very hard, frustrating and no-fun experience. You could argue that this is a challenge, something to learn from, a chance to sharpen your arguments, but I say it’s a waste of time. Every week there is news of yet another company being hacked, another leak of customer data, another breach of compliance etc. If you are a business leader and you aren’t aware of this, I really can’t convince you that compliance and security matter.
Headache #2: What’s the company’s attitude towards BYOD (Bring Your Own Device), remote working, flexible hours etc.? Sure, locking everything down to an office, strict office hours and standard equipment (laptop, phone etc.) is one way of approaching all the compliance and security requirements. But it’s also an all-stick, no-carrot way of doing it. Some people don’t mind being locked down, having a strict framework like this to work within, but most creative people today simply don’t accept it.
In my case, #1 and #2 are important factors towards life-work harmony.
To eliminate #1, you have to ask your future employer where they stand on security and compliance. This is of course tricky, since they will all say that it’s important. But you can figure out whether they walk the talk by asking carefully crafted questions.
To eliminate #2, you can influence changes to policies and technical solutions. Don’t surrender just because something is written in a policy. Policies can be changed, and technology changes all the time.
So how do we meet today’s complex compliance and security requirements at John Doe? If you were to ask vendors, they would claim to have a solution for all your needs with product/service xyz. But they really don’t. It’s not about which product or service you pick; it’s about which approach the company takes. As an example, at John Doe it’s a business requirement to only choose products and services which support SSO (Single Sign-On). You might say that this is a no-brainer, but if you look inside most companies you will find plenty of services in use which either don’t support SSO or where SSO was never implemented due to time or cost constraints. The time many companies spend managing organisational changes (onboarding/offboarding/changes) without the simple principle of requiring SSO for everything is madness. Not to mention the frustration it imposes on admins and end users.
Another example from John Doe is how we deal with BYOD and security requirements. We check the compliance of any device before granting access to any information resource (the VPN client takes care of this). The incentive (carrot) for getting to your code, server or resource xyz is big, much bigger than the punishment (stick) you will get if your device does not fulfil the requirements. It’s not a silver bullet, but it allows for BYOD and it eliminates most of the hassle of making sure that all clients have the latest patches applied, encrypted drives, firewall activated etc. Yes, it does require your co-workers to be able to keep the device updated at all times, to know how to activate a password-protected screen saver etc. But it’s 2019, I’m pretty sure my dog knows how to do this. This approach also makes an auditor happy, which is a rare thing. Find another attempt to make an auditor happy here.
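As an added illustration (not code from the post or from John Doe’s actual VPN setup): the kind of device posture check the gateway would run before granting access, encoding the requirements listed above and returning what the user must fix rather than a bare denial. The 14-day patch threshold, the field names and the sample devices are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy threshold; the post gives no number.
MAX_PATCH_AGE_DAYS = 14


@dataclass
class DevicePosture:
    """Self-reported posture, as a VPN client agent would collect it."""
    hostname: str
    last_patched: date
    disk_encrypted: bool
    firewall_enabled: bool
    screen_lock_enabled: bool


@dataclass
class AccessDecision:
    allowed: bool
    missing: list = field(default_factory=list)  # remediation steps


def evaluate_posture(device: DevicePosture, today: date) -> AccessDecision:
    """Decide whether the gateway should grant access and list what to fix."""
    missing = []
    if today - device.last_patched > timedelta(days=MAX_PATCH_AGE_DAYS):
        missing.append(f"apply OS patches (last patched {device.last_patched.isoformat()})")
    if not device.disk_encrypted:
        missing.append("enable full-disk encryption")
    if not device.firewall_enabled:
        missing.append("enable the host firewall")
    if not device.screen_lock_enabled:
        missing.append("enable a password-protected screen lock")
    return AccessDecision(allowed=not missing, missing=missing)


# Constructed sample input: one compliant laptop, one that drifted.
CHECK_DATE = date(2019, 6, 1)
SAMPLE_DEVICES = [
    DevicePosture("dev-laptop-01", date(2019, 5, 25), True, True, True),
    DevicePosture("dev-laptop-02", date(2019, 4, 1), False, True, True),
]


def gate(devices, today=CHECK_DATE):
    """Map each hostname to its access decision, as the gateway would log it."""
    return {d.hostname: evaluate_posture(d, today) for d in devices}


if __name__ == "__main__":
    for host, decision in gate(SAMPLE_DEVICES).items():
        print(host, "ALLOW" if decision.allowed else "DENY", decision.missing)
```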
These are the kind of odds and ends I’m reflecting on now, when I find myself in a good place, able to decide things that matter at work.