Many people don’t comprehend just how broad the information security field really is. In this story, Business Technology’s resident U.S. ‘blogger Keil Hubert illustrates why a good security head needs to understand old-school concepts like facilities management.
A headhunter called me up last week and asked if I’d be interested in being submitted for a security director role with a local financial services company. ‘Sure’ I said, and forwarded the headhunter the latest build of my CV. A few hours later, the fellow rang me back and asked if I’d be willing to ‘tweak’ my CV a bit in order to optimize my pitch. ‘Sure’ I said, ‘what would you like to see?’ The headhunter referred me to this paragraph that I’d listed for my last IT role under the subheading of Information Security:
‘IT Security Operations: Senior IT leader responsible for all defensive Information Operations technology, personnel, policies, and activities, including Computer and Network Operations, Emissions Security, Physical Security, Facilities Security, Operations Security, Public Affairs, User Education, Incident Response, & employee misconduct investigations.’
‘You need to delete all of that extra stuff that has nothing to do with security operations,’ he said.
‘Really?’ I asked. ‘And what, specifically, in that list isn’t related to security operations?’
‘Er … all of it?’ he stammered.
Knowing exactly what I was about to hear, I asked the fellow to specify which elements weren’t part of a balanced and pragmatic information security program. ‘Physical Security, Facilities Security,’ the fellow stammered. ‘I don’t understand why you’d even list something like that.’
‘No,’ I agreed. ‘And I understand why you don’t understand. You’ve never actually worked in security operations in the wild, have you?’ 
There followed a long and disdainful pause while the junior HR procurer tried to nimbly evade having to admit that he’d just taken the tech headhunter job a few months before, and had never worked a day anywhere in the IT sector in his life. ‘Facilities are … er … that’s not security,’ he insisted.
I didn’t mean to come across as the classic Tech Curmudgeon™ but this young pup was twenty years my junior, had just graduated university the year before, had no meaningful work experience, and had the audacity to lecture me about what my career involves and doesn’t involve. I politely advised the fellow to go purchase a copy of Johnny Long’s classic book No Tech Hacking from Amazon and get back with me once he got his head wrapped around its lessons. 
It’s all too easy for people to get confused about what the IT profession is all about. There’s a bloody good reason that we still call the field ‘Information Technology,’ and not just ‘Technology.’ The ‘I’ part is what matters: What information? Where? Used by whom? For what? Lose sight of those factors, and you risk getting foolishly enraptured with your shiny toys and blinking lights.
I understand the syndrome; I can’t claim to be immune to it, either. I adore a shiny engineering solution, like a wide-eyed kid watching a 1960s super-science adventure tale. VDI, EIM, Black ICE, you name it, I’m stoked by it. I grew up reading early cyberpunk, and never lost my ardour for the unlimited potential of the furiously blinking lights in a dark and sinister data centre. It’s great fun, but it’s not the be-all and end-all of Information Security. Information Security (as a proper noun and career discipline) starts and ends with the information and how real people use it.
As a telling example… Twenty-one years ago this week, I was stationed as a medical operations officer at Fort Hood, about a hundred miles south of where I’m typing this. I was half-way through my first assignment as a platoon leader, and had already made a name for myself as the 61st Medical Battalion’s resident ‘computer guy.’ My platoon sergeant, SFC Bob, and I were on overnight watch duty at the 1st Medical Group HQ. Our job was to answer the phone (in case of an alert), listen for messages on the radios, and run around the base making random security sweeps of all of the buildings, warehouses, and motor pools that made up the 1,400-soldier 1st Med. Gp. Good times.
A little after nine in the evening that particular night, SFC Bob called me over his CUCV’s radio and reported that he’d found himself in a quandary: he was at our battalion headquarters building. The building was locked up tight, but all the lights were on and one of the giant windows in the S-1 (personnel) shop was wide open. The place was empty, everyone had gone home, but someone had seriously screwed up the end of day physical security checks.
To make matters worse, our battalion headquarters building was located right next door to the transient barracks for visiting out-of-town troops who would come to Fort Hood for summertime manoeuvres. There were a dozen or so tired enlisted troopers hanging out on their barracks’ smoking deck, enjoying a case of beer and watching the sun set. Meanwhile, about five metres away, a rectangle of light was making itself known… via an open window big enough for two grown men to climb through without complaint.
Sitting immediately within reach of said window was a brand-new, shiny, powered-on-and-working, 80286 desktop PC with a colour CRT. It was the only PC in the personnel section… the one that had all 335 soldiers’ personnel records stored on it, all our payroll information, and our home addresses.
I understood the problem immediately. Don’t misunderstand me; soldiers don’t steal; that’d be uncouth. Rather, they scrounge. The Army is always under-stocked with critical tools (like computers, circa 1993). The general culture held it as a badge of honour that anyone who could ‘acquire’ critical equipment was a hero, so long as the original owner of said equipment never found out where it had gotten off to in the middle of the night. That’s why we locked all of our motor pools and chained the steering wheels down on the trucks at night. Forget to, and your truck might be miles away come dawn, with a brand new unit registration code spray painted on the bumper.
The situation wasn’t difficult to piece together: some clerk had doubtlessly been working late in the HQ, probably finishing a report, and the combination of the waste heat from the PC and the totally inadequate window box aircon unit had been overwhelming. He or she had opened their window to let in a breeze while they finished their work. Once the job was done, they grabbed their hat and legged it just like they did every other duty day, not realizing that no one else was in the building to secure their workspace behind them.
Meanwhile, next door, a bunch of very enterprising young grunts were inevitably going to notice the open window and the $4,000 PC that their unit couldn’t afford, and probably a boot-full of unsecured office supplies. They wouldn’t be stealing, really; just redistributing critical war-fighting materiel to a unit that would take much better care of it…
So, yes: we had a problem. Aside from the monetary value of the loss (which the errant clerk would be charged the full amount for), the odds were very good that the careless clerk hadn’t been backing up the PC’s little 10 MB internal hard drive. We only had one box of 5.25” floppy disks to share throughout the entire battalion in those days. If that PC ‘walked,’ we’d lose a lot of critical (and highly sensitive) information. The loss of that data would likely paralyze our HQ for weeks, too.
While SFC Bob loitered outside the HQ’s open window, swatting mosquitos and enjoying a leisurely smoke, I spent the next two hours calling up my battalion’s officers, from the commander himself down the roster. The commander couldn’t be bothered driving out to base that late at night to secure his building. Neither could his executive officer (2-in-C), or his personnel officer, or his logistics officer, or the personnel sergeant, or her assistant, and so on. After two hours of getting the run-around from my own people, I decided to take control of the problem. I ordered SFC Bob to climb into the building, to secure the window, shut off all the lights, to kick the interior security door off of its hinges, and to secure the outer doors with the Group’s security keys.
Kick the … oh, right. That was the heart of the problem: these weren’t modern buildings where you can simply push an emergency exit bar and then have a door auto-lock behind you. These were World War II era wooden barracks that should have been demolished a decade prior. I’d paid attention during my visits to the HQ building, and I remembered that the building’s front door was the only one with a conventional lock core. The personnel section’s door was kept secure with a hasp and a padlock, and couldn’t be opened from inside the floor. Likewise, the windows could only be secured from inside the room, but SFC Bob couldn’t stay locked in the facility all night. The only way to re-secure the building was to either have both keys (outer door core, and inner door padlock) … or to destroy the inner door and trust the outer door to keep things locked up until morning.
As the officer responsible for securing several million dollars worth of government property, I assessed the vulnerability (the open window), the threat (too-clever transient squaddies who were already half pickled … and very bored), and the risk (if we did nothing, we’d lose our battalion’s only HR and payroll PC). I also understood the threat environment (the building design, doors, locks, keys, etc.) and failed business process (the building’s owners refusing to come back to base) and decided to take decisive action to mitigate the threat quickly, before we had a ‘reportable incident.’
I don’t think that I’d ever before heard SFC Bob sob for joy like he did when I gave him permission to kick that door down. We were chums for life after that.
The next day, at about the same time that SFC Bob and I were being de-briefed by our day-shift relief, the battalion staff got into work and had themselves a right-royal freak-out. Calls started pouring in. Threats were made – some were darned near super-villain soliloquy grade. The BC planned to have our guts for garters, he said. When I finally got a word in edgewise, sleep-deprived little lieutenant Hubert acidly pointed out that not one member of his battalion commander’s staff could have been bothered to secure their own building … and that the Group Commander would like a word. At which point I handed the handset to the Big Colonel and made myself scarce.
I admit that this is an isolated anecdote, pertaining to a single threatened computer. It isn’t exactly a harrowing tale of fending off a global DDoS attack from a million zombie PCs from the command chair of the enterprise SOC. That’s okay, I think. While those sorts of exaggerated, made-for-Hollywood SOC stories are awesome to watch, they’re not really all that realistic. Real security is accomplished one boring, pedestrian step at a time. Putting away papers. Locking doors. Remembering to take your kit with you when you leave the train, bus, or pub.
Furthermore, those cinematic ‘global cyber horror stories’ don’t really hit a reader or viewer where he or she lives. That’s why I prefer the Texas tradition, where we try to make our stories personal and relatable. I think that this anecdote (which is 100% true) illustrates my original point well: To run an effective Information Security programme, you need to understand a hell of a lot more than just computers, networks, and software.
I submit that a seasoned security pro must also have a solid lock on human behaviour (e.g., opportunist squaddies), facilities (e.g., structures, portals, windows, cooling, and ownership), physical security (e.g., pilferable kit, door locks, and access controls), public relations (e.g., how the battalion’s image would tank if they lost their most important PC), user education (e.g., the clerk’s crappy data backup habits), and employee misconduct (e.g., said clerk legging it without securing the facility). All of those factors came into play in that one, simple, isolated incident in the early summer of 1993. Had SFC Bob and/or I failed to understand any one of those elements at the time, we probably would have made a bad decision, and that shiny new personnel PC would have been nicked and gone.
Whether you’re trying to safeguard your home network or secure your multinational conglomerate, the principles remain the same: you’re not protecting the kit, you’re protecting the information and its ability to remain in play for the benefit of the business. In order to make that happen, you must factor all of the different ways in which people, places, and processes interact, and then work diligently to protect all of them. You don’t get to leave off the undignified bits (like shutting the bloody office window) just because the more tedious security controls lack a certain sexy ‘geek cred.’
I had the man’s LinkedIn profile up on my laptop screen while he tried to escape-and-evade my question.
He didn’t, and I never heard back about that position.
For new readers, it’s tradition that all of my anonymized characters are ‘Bob.’ Good, bad, and indifferent. It’s safer to be Bob.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.