Security Manager's Journal: Ideal job

06.03.2006
Even though I had promised myself I was going to settle down and be happy in my current job, I interviewed for a security manager position at a large medical center. It was closer to home and offered better pay, and the gung-ho recruiter made it sound like there might be interesting projects to work on.

I met with the CIO, the directors of IT and software development, and the director of internal audit, in that order. They all asked what my ideal job would look like. This perennial job-interview question always makes me laugh to myself, since my ideal is no job at all. I am honest to a fault, but there are some things you can't say in an interview, so I have learned how to phrase the truth so that I don't look like a complete idiot. I said that having enjoyed a few years of independent technical security assessment consulting, I would go back into that line of work full time if the business climate were right. Meanwhile, I am looking for a career opportunity that will allow me to contribute in a meaningful way. Blah, blah, blah.

No Hollywood Ending

The unvarnished truth is that I want to write a book that would become the basis for a hit movie series, and then travel the world and write stories about exotic places. The only technology I would hang on to would be a wireless laptop and cell phone. I don't want to ever look at another firewall configuration as long as I live.

But if I wasn't exactly transparent about what I want to be when I grow up, they weren't too sure about the position they were trying to fill. They all had different answers when I asked what they envisioned the new person in this position doing. That's not too unusual, but it was only the beginning of the confusion. The job description on the medical center's Web site suggested that this security manager would report to the CIO, but I found out it was being moved under internal audit. In fact, the position had changed dramatically in the past week or so, and the CIO was becoming acting chief security officer (CSO).

Now, I have strong experience in technical security, but it's a very different world from internal audit. Internal auditors talk about risk management, while security techies talk about specific device configurations. They are talking about the same things, but in different languages and from different perspectives. I know how to bridge the gap between the two, and I understand how open ports on the firewall, for example, can become a huge risk for a company and have material impact. But that doesn't mean I speak the language of auditors.