I knew that wasn't it. Joe is used to lots of meetings. And lots of reports.
He then went on to describe a rather grim condition, at least for someone trying to keep corporate systems secure.
The focus of his work is becoming more about compliance for compliance sake. It's more about internal controls, procedures, and keeping auditors happy. This, said Joe, is actually working to make his organization compliant, but less secure.
In fact, he explained, he spent a good part of last week rectifying a decent number of vulnerabilities in print servers. It was Joe's opinion that these vulnerabilities were of low concern and mitigated by good network segmentation and firewall policies. "We had a few, far more serious, things that had to be taken care of. But they were postponed because they weren't on the audit finding," he said.
I continued to listen as Joe went to on explain how over the past 18 months he's tried to integrate security and compliance efforts, as a way to keep systems secure, compliant, and cut operational costs. He then listed a number of fires his security teams and the operation folks had to put out. Fires that kept him, among other managers, from getting to the higher level of governance they envisioned. These fires, more often than not, were lit by audit reports.
"Why don't you just go with it and deliver what the organization and auditors want?" I said.
"It's my job, and probably my career, when something goes wrong," he replied.
I keyed in on his use of the word "when" rather than "if," especially because Joe, more often than myself, sees the glass as half-full.
"E-mail me your resumé, I'll be happy to give it a read and call you later this evening with my thoughts," I said.
After I hung up I thought about this for a while. And if Joe's company really wanted to be secure and compliant -- and I mean in a long-term and sustainable way -- it would listen a bit more often to Joe and a little less to the auditors.