« Evolving OWASP: Reflections on the 2011 Summit | Main | Forget SmartGrid, Micro-Generation Is the Future »

Why I Failed As Highwinds SecDir

I started writing this post a few weeks ago, but am only now getting back to it. After getting a good outline going, I simply couldn't bring myself to write it. Part of my resistance, I think, comes in the pain of self-realization. At the same time, I'm sometimes loathe to share these personal revelations as I'm never sure how people will take them. My hope is that you'll read this and think "lessons learned" and not "what a dope." Anyway...

For a little background, I took a job as Security Director in January 2009 with a small tech firm in Phoenix called Highwinds. They did a couple different things, split along the lines of USENET services and a CDN. The company had grown through acquisition, and as such had all the legacy software+system issues you might imagine. There were a variety of other issues, such as internal politics and power struggles, and certainly no shortage of security concerns, especially given a need to make forward progress on PCI DSS compliance.

About 8 months after starting the job, including a move from NoVA to Phoenix a couple months into things (a move that, to this day, I'm kicking myself over - always listen to your gut!!), my position was terminated and I was cut adrift in one of the worst markets in the country. The termination came right on the heels of my speaking at a small conference in Montana (for which I had been approved to travel!), and really served to knock the wind out of me hard. I had just started to feel like I was settling in the role and starting to understand how I needed to proceed and was more than a little angry over the sudden change of status.

The bottom line, though, is that I failed at the job. No, I didn't fail because I didn't know what to do, but because I failed to effectively communicate. It's ironic, I suppose, that someone as verbal as I am could fail at fundamental communication, but that is in fact what happened. In a nutshell:
   -- The prioritized approach I had developed was right.
   -- The staffing issues I had identified were right.
   -- However, I did not effectively communicate this plan to the C-level team (too abstract).
   -- Ergo, failure.

It's amazing how important clear communication is, especially when trying to share a serious message that requires explicit action and fundamental changes. And yet, when given a chance to brief the C-level team, I completely dropped the ball, using a very short slide deck that simply created more questions and confusion without actually setting forth and sort of plan of action. No wonder the CEO walked out of the meeting, turned to the GC and asked "is it me or has he done nothing in 6 months?" Nothing could have been further from the truth, and yet this was the message I somehow relayed through my presentation! Ack!

The important lesson to learn here is that it's imperative to clearly communicate a plan of action. It is not adequate to simply share a vision and leave it up to people outside the industry to fill in the blanks. Maybe some execs are ok with a more abstract approach, but this team certainly was not ok with such an approach, and I completely failed in my duty to reassure them of the choice that they'd made in hiring me.

Not Completely My Fault

Now, all of this said, I can't take full credit for my failures. Well, I guess I could, but to do so would be uncharitable to myself and ignore the hard work, blood, sweat, and tears that went into this fatal scenario that was, I think, doomed from the outset. How so? Well...
   * Inadequate Support: Plain and simple, I was never fundamentally supported in the position. I knew this before the move to Phoenix at a very fundamental level, but had hoped that being on-site would help resolve some of these concerns. As it turned out, I got put in a nice office 6 floors away from the entire ops team and was subsequently shut-out. It was very clear that I wasn't wanted there, and had really only been hired to say "yes, we have a security person," but without any intention to change things. Case-in-point, I tried to help accelerate a SSO project, which was assigned to one of the sysadmins, who subsequently ignored it until he finally snapped and yelled at me, announcing that he had no intention of doing the work assigned. He quit a couple weeks later, and the project never made any progress.

   * Politics: I came onboard in the midst of a protracted and increasingly volatile political battle. By all rights, I should never have been moved to AZ, but rather should have been moved to corp. HQ in Winter Park, FL. The Phoenix office was home to ops, but it was pretty much all acquired talent who had been running their own businesses, and who were being allowed to still operate with a high degree of independence. Unfortunately, this led to lots of decisions being made at a point too close to ops that didn't necessarily reflect a useful overall strategy for the company. Phoenix functioned like a subsidiary within the company, which created all sorts of challenges. IT, which was based at corp HQ, wasn't even providing support for the Phoenix office even though a significant number of people were based there. Dysfunctional hardly begins to describe what that environment was like.

   * An Overwhelming Amount of Work: I was amazed at how little security had been implemented. My tasking was primarily PCI compliance, and I had a tough time getting my brain around it. It took me a couple months simply to map out all the gaps that required remediation. In the end, I was able to initiate a project to address the majority of concerns in the cardholder environment (no idea if that project was ever completed). However, it was very daunting task, and one that took my a long time to get my brain wrapped around. It was one of the situations where there were literally several top priorities issues that needed to be addressed. And, given the lack of support, there was simply no place for me to start or any way to get anything meaningful done.

   * Wrong Person For the Job (sort of): In many ways, I was the wrong person for the job. Or, more correctly, I needed one other person - a solid, hands-on technical security resource, to help make headway. It quickly became clear that I couldn't lead the security charge AND implement all the necessary changes. Moreover, as I needed to be the "bad guy" in many cases, delivering bad news, it would have been very useful to have someone technical who could endear themselves with the ops team and actually made some progress. Alas, it wasn't going to happen.

Suffice to say, I now find the experience instructive, even though it represents a spectacular failure in my career. I'm confident that I could tackle a comparable position in the future and a) avoid a bad environment, while b) getting stuff done.

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/1094

Comments (6)

Reflecting on our failures is hard. Kudos for not only going there, but also sharing.
If we don't ever fail, we're not pushing ourselves hard enough!

Great post. Thank you for sharing. If appropriate, I'd appreciate seeing an outline of the failed c-level presentation vs. the one you'd write if you had to do it over (sanitized of course).
I'm just being greedy to learn. Thanks!

dan:

meh...

Maybe not "what a dope", but it seems a bit self-indulgent and "bridge burny".

I get, "Management at Highwinds doesn't care about security", "Highwinds is plagued by political BS", "Security at Highwinds sucks"...

Not really things I would say about a current or previous employer - this is a small, very mobile, world...

It seems self-indulgent in that, if this post is for you - buy a diary. But this seems more like you want to publicly "get back" at Highwinds somehow for their part in your failure.

Trying to filter through the whole story - it sounds like you should look for a mentor with lots of management experience before you venture into the "security director" space again. The problems you faced are exceedingly common (almost cliche) and there are methods and practices to work through them.

Good Luck!

Thanks for the lesson-learned Ben. I've been a victim of my own lack of communication more than once.

Jason

Damn Ben...that was incredibly heartfelt and honest. No wonder we hit it off, man. We're brothers with different mothers.

We've traveled similar roads, disregarded our guts, moved closer to equilibrium and now find ourselves both better for it.

Sometimes getting your ass kicked is the best medicine, right? Although, I, probably like you, am fairly tired of wiping blood off my face ;-)

One thing I can say for me and suspect it's true for you as well...we're scrappers m'boy. Bad economy or not, companies need scrappers and doers who are honest -- with themselves and with the powers that be.

Doesn't always make us popular...but it makes us vital for companies and people that aspire for something beyond "Just OK."
Proud of you man...keep kicking ass. BTW, landed on my feet @attensa thanks for being in my corner after my "gut punch" moment.
Cheers<
@MarkAEvertz

philA:

If you want a mentor, drop me a line.

What you posted is fairly common to protect the Fortune 500.

Post a comment

About

This page contains a single entry from the blog posted on February 11, 2011 9:47 AM.

The previous post in this blog was Evolving OWASP: Reflections on the 2011 Summit .

The next post in this blog is Forget SmartGrid, Micro-Generation Is the Future .

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.