Who needs common sense?

During my career in infosec and my lifetime of professional cynicism, I’ve been on the receiving end of much abuse and managerial mis-management.

I’ve lost count of the number of times someone has asked for an infosec opinion in a meeting and then promptly cut me off mid-sentence, suggesting that it would probably be better if I said nothing at all.

Step outside of the corporate norm, the governance frameworks and the bureaucracy and you’ll encounter a wall of low-intellect middle managers whose sole job is to prevent their bosses from realising the absolute mess beneath them. As a result you’ll seldom hear a middle manager say, “Oh, I’m sure it will be alright” or “I’ll make that decision for you now.”

It’s also frustrating to see how every major corporation operates in exactly the same way. Once inside, they are virtually identical to one another. They talk about their cultures and values and how they treat their employees with more respect than anyone else, and hence refer to them as ‘colleagues’. But believe me, if you work in infosec, it doesn’t matter which of the blue chips you work for, they all have the same overall package. The same crappy vending machines, the same E. coli-infested canteens. The same management drones. Work in one for more than 6 months and you’d start imagining how wonderful life would be stabbing your own eyes with knitting needles.

Of course there are certain good things about working in infosec for big companies. You get paid on time, and nice HR rules mean you can be an imbecile and never get fired, and err… well, I’m sure there’s more but I can’t think of anything else at the moment.

For these corporates, infosec is a bit like the Green agenda. Yes, I know I am comparing myself to a bunch of crazy bearded tree-huggers, but hear me out. Big companies don’t really care much for the environment. They just want to be seen to be caring about the environment. Get a tick in the box and have those Greenpeace weirdos not burn any of their buildings during May Day protests.

Similarly, investing in good security looks good to customers and shareholders. You have fancy websites with golden padlocks on them, proving to your customers that you care for their well-being. But that’s about as far as it goes. Because at the end of the day, they can’t see the bottom dollar or pound value.

But it’s the idiocracy that really gets me down. The constant coaxing you have to do to get anything done. “No” is the default setting, whether you want to send an email to somebody or speak to a vendor about a new product. It’s like trying to negotiate with a donkey. Once, I urged a manager to use common sense and let me use a ‘lighter’ risk assessment process instead of the whole 30-page process, for a small company who simply provided us with stationery, didn’t even hold our data, and for whom it would make no difference. He said, “You don’t need common sense when you’ve got the policy.”

That, I think, probably says it all.
