This economic recession has cost all of us. In my case, it cost me my jobtwice. I was laid off first in 2007 after six years as the top security manager at a company where I had built the security programme from scratch. I was laid off again just recently, after two years during which I first tried to build a new security programme, but then had to cut my already very small staff (ref. www.computerworld.com/s/article/334775/The_Economy_Takes_a_Toll_on_Security). Finally the security programme was shut down entirely.
Needless to say, I think that was a poor decision, and I don't say that because I lost my job. Just before the axe fell, I had been working on cost-cutting initiatives. I had hated cutting my staff, and I was determined to ensure that no more layoffs would be required. I figured that there had to be a better way to save money than ejecting large pieces of our corporate knowledge base.
After digging around, I found two very expensive services that the company was paying for while getting very little value in return. It looked to me as if we could eliminate those expensive and underperforming services, and then use our in-house staff and infrastructure to perform the same work at a lower cost and higher level of quality. But just as I was feeling good about the prospects of this proposal, I was called in to the CIO's office, where I found myself facing our HR director and a bunch of layoff forms. Clearly, the company had chosen to go down the well-worn path of cutting staff rather than reducing costs in other areas.
It was a devastating blow. But now I have a new position that I'm feeling pretty good about. My job-loss trauma was thankfully brief, and I can look back and realise that I'm probably better off not working for a company that made such terrible decisions.
I'm a security manager again, but in a different industry, and in a company with a different culture and work environment. This time, I don't have to start from scratch exactly; this company has many good security practices ingrained into its processes, mainly because the technical staff is young, smart and savvythey get security, and its importance. It looks like I won't have a very large staff once again, maybe two or three people, but the rest of the IT staff here is very aware of what constitutes good security practices, and that could make a huge difference. With everybody pulling in the same direction, I might not need a lot of full-time employees dedicated to security.
I'll be facing some new challenges here that I hadn't encountered in the previous eight years, but I've also learned some things from my experiences, so when familiar challenges present themselves, I'll react more effectively. For instance, I had to kick off my last security manager position with a focus on patching (ref. www.computerworld.com/s/article/327483/Patching_Program_Still_Under_Fire), as I tried to turn the steering wheel of a big company toward an effective programme of consistently applying security updates to operating systems in a timely fashion. I had mixed results, but I learned in the process that it doesn't pay to push too hard in the wrong places (ref. www.computerworld.com/s/article/326145/Making_Enemies_But_Needing_Allies). Instead, a collaborative approach with the IT administrators and a focus on getting management to provide the right resources and priorities can be more effective. That is a lesson that should be applicable in many situations, even though in my new company, patching is recognised as being important. It's being done, though not consistently and not comprehensively. I will need to raise the visibility and priority of the efforts so we can make improvements, but I don't have to try to get everyone to understand why it's needed. What a relief.
Sign up for MIS Asia eNewsletters.