Information Security Experience

Information Security


Role Description

My job description expanded with the added role of managing the division’s information security operations team. This was a global role responsible for 30,000 Unix/Linux systems across 51 sites. I retained my core job but was able to add the additional responsibilities since I had developed my local team into a strong, self-sufficient group that could manage themselves.


Background

In one fell swoop after an extended vacation to Nepal, my boss met with me and told me that I was now put in charge of managing our organization’s information security team. I knew nothing about information security and told him so. He encouraged me to figure it out… fast! The role was to implement security measures to our Unix/Linux environment by direction of our division’s information security team. I quickly assembled a team at our multiple sites and began organizing the work we needed to do. In order to succeed, I took several important steps to build the team.  They were:

  1. Create a team charter
  2. Develop ground rules and team norms to set expectations on how team members should work, interact, and perform.  It was both a top down and bottom up exercise.  I needed to set expectations as a leader, but the team needed to contribute and buy in to these rules.
  3. Create clear goals.  This required pressing the divisional team to do the same.
  4. Develop roles and responsibilities so that team members and their manager knew what was expected of them. Most did not know what they were supposed to do at all in this area since the work required was unfamiliar to them and the division was too far removed to engage with them effectively.

Figuring out what the goals were from the division was not easy. As we began communicating with them for direction, we found huge gaps in how we were supposed to conduct our work. Requirements were fragmented and instructions were non-existent. We were still held to deadlines, but the quality of work and assistance provided from the division was weak and nearly useless. I made several complaints and gave numerous suggestions over the course of a few months in order to improve the situation. Division sensed that I had a strong grasp of what needed to be done and how to do it, so they eventually appointed me in charge of the program. This was a big step in my career and my responsibility level skyrocketed instantly.


Scope

I was given 21 Unix administrators for my global team that were located in nearly every part of the world.  Those representatives were located at the sites below.  These administrators supported 51 sites in total.

North America:

  • Hillsboro, OR.
  • Dupont, WA.
  • Folsom, CA.
  • Santa Clara, CA.
  • Chandler, AZ.
  • Hudson, MA.

Asia:

  • Cavite, Philippines
  • Bangalore, India

Europe, Middle East:

  • Copenhagen, Denmark
  • Haifa, Israel

Implementation

In order to move such a scattered group forward, I needed to establish effective communication and approachability with the team members as a group and as individuals.  I set up meetings with each one of them, got to know them and their daily challenges, and then began piecing the team together. I also met with their managers in order to get their buy in since I would need to take more of their employees’ time and focus. Without this, the administrators would inevitably get pulled into local issues that always crowded out global ones. This was not an easy task. Upper management was good at creating programs that required results, but did not create a system of accountability to make it happen. I had to do that on my own to get results.

Specifically, I did two things that aided this cause:

  1. Embedded my goals into the administrators’ quarterly objectives
  2. Presented status regularly to upper management about my program’s efforts

Both these steps helped me gain visibility and commitment from my many stakeholders. As a result, information security became a formal part of my team members’ jobs. Middle management gained scrutiny by our divisional director when I would report out in their staff meetings on my progress. If some regions failed to get work done, these middle managers were told to get committed and devote resources to the work. I leveraged another important piece of the puzzle, that of working with a staff manager as my sponsor. Without her, my job would have been much tougher when trying to deal with the middle managers who preferred to worry about their own priorities.

I did the same thing as I did for my regional team, i.e. creating a team charter, ground rules, goals, etc. and then set out to get the work done. Still, there were more challenges to overcome. Many of the administrators had little experience in information security themselves and were frequently unable to implement the measures recommended by the security architecture team. The architecture team was made up of extremely skilled security experts. They did not have any patience to help my people out and possessed no sense of how to enable people to perform their duties.

I had to leverage them in a productive way and so I pushed to become an advisor on their team. Upon joining the team, I pushed for two important things, 1) Get my team trained properly, and 2) Get the uppity security experts to write documentation and teach my people. To get the training, I investigated the various resources available that an industry consortium provided. I managed to secure numerous training books from them and also flew in my team members to the U.S. to take an extensive training course. This brought us very far, but I still needed cooperation from the security experts. I met with them individually and made my case for how they could do some upfront investment in documentation and teaching that would create a more self-sufficient team. Their constant complaint was how inept my team was, so if they could take a few steps to fix this problem, then they could get past this irritant, and move on with their desired duties.

Slowly but surely, they began their work to document how to do a long list of measures that I had collected into a master plan. Simultaneously, I would go to the divisional staff meeting and explain clearly the scope of work needed to be done and what I needed to get it done. Soon, I was getting support from above and a growing cooperation from below. I kept a tight measurement system going about what items we had completed in each region and each site. As I checked off more and more items, the security experts could see that we were making real progress and became more helpful in continuing the momentum.

I made an organizational change that also aided my work. Running meetings with a global team was extremely impractical due to time zone differences. Those far away were having the most difficulty achieving goals due to communication problems from the center. I split my team into two so that the meeting times were more agreeable to international team members and attendance and attention improved. I also appointed team leads for each of these groups who helped me keep discipline and communication going within the team. These two leads sat in time zones that could communicate better with my remote sites. I also gave them more training and an open door to contact the security experts. They relished their roles and improved drastically the functioning of our larger team. To supplement the attention needed for the remote sites, I stayed online my entire waking hours so that anyone could call me at home or at work for help.

We made tremendous headway, but we still had a number of measures that never quite got done. I needed to increase the awareness of these gaps to upper management, so I tried a new method. I wanted to put some peer pressure into the system so that the different regions could feel a sense of competition with their fellow regions. I created a program called Site Certification to do this. Since I had a comprehensive list of everything needed to be done at all 50 sites, I developed a “certificate of completion” for each of them. As each site completed their deliverables, they would receive an award in the divisional staff meeting. Each region owned numerous sites, so seeing other regions achieve certification could compel them to work hard to outdo their peers. The program was approved by division, but by this time, we had really gotten closer to achieving our goals. I had been regarded as an extremely successful program manager and was ultimately given a brand new mess to fix. Site certification didn’t proceed as formally as I hoped, but it lived in spirit. When I left the team, my leads kept it alive at a lower level for the months to come. They achieved all the goals eventually, so though it didn’t happen as I had planned, the work got done and the overall program was a huge success.


Key Learnings

Out of this experience, I gained several new skills and lessons. First, I learned how to lead a global, multi-cultural team effectively. I learned the best ways to communicate with people from far away and to understand how to motivate them and remove barriers for them. I also gained great experience in setting a direction, tracking progress carefully, and developing a very clear understanding for my team and stakeholders of the work that needed to be done. I also sharpened my skills in working with multiple levels of management, getting buy in, and putting goal pressure into the system. Additionally, I learned to work with very arrogant, prickly people, turn them around, and get them to cooperate and help. I also gave all my team members a sense of purpose, mission, and pride. I worked with very enthusiastic people and I think I created the environment that cultivated it. I also gained valuable experience in getting tasked with huge amounts of ambiguity. I didn’t know anything about the subject matter, I didn’t know how to motivate people across the world, and I didn’t know how to get such a large and vast body of work completed. I worked hard to learn these things, (granted, by getting a lot of bumps and bruises along the way) and got results. I think this was one of the best achievements in my career.


Performance Review for my Security Efforts

  • Dave became the leader of the EC Security Operations Team (SOT) and really focused on driving process with the SOT and keeping the team on track.  To bring structure to the team, Dave developed the team’s charter, job description, and set clear expectations.  Dave communicated with each member’s direct manager to gain their support and commitment for security activities.  He set up meeting structure to ensure full participation (East/West coast) and worked against quarterly objectives.  He also developed two members as team leads who are responsible for running weekly meetings and drive completion to action plans.  Dave grew the SOT from 12 people to 21 and increased the number of sites owned from 35 to 51.  Dave worked with the Security Architecture Team (SAT) to try to define process and procedures for requesting and working with the SOT members.  Dave played a key role in trying to manage the time the SAT is requesting from the SOT for new projects as well as keeping them on track with their regular security operational tasks.  EC improved Unix audit scores from 85% to 90%, moved sites to nearly 100% ssh and chpasswd usage, drove central logging to 36 sites, and conducted numerous audits.  The impact is that the EC organization has moved to an unprecedented high level of security compliance which significantly improves the protection of Intel IP.
