Some 38 years ago, I started working for the systems group at CUCCA (Columbia Center for Computing Activities). I was fresh out of engineering school (Columbia, by coincidence) and a brand new junior systems programmer.
In those days, we actually wrote modifications to the operating system in assembly language – it was a lot of fun. I guess I wanted to prove that I was a worthwhile addition to the team, so I kept my head down and cranked out code.
One day, my boss walked into my office and said something that has stuck with me all of these years. He told me that he expected me to spend part of my time every day with my feet up on the desk either reading or thinking – he did not want me to spend all of my time coding. He had hired me for my ability to think, not to be a “code monkey.”
Fast forward about 25 years and I found myself getting ready to shut down the academic mainframe computer. I decided that security was a growth industry (little did I know), so I started learning everything I could about it.
From the beginning, I decided that the ability to think about security was more important to me than what I refer to as “screen monkeys.” I make it a point to hire people for their ability to think and not play the “whack a mole” security game. Because of this, we have built a highly automated security system, and my people have time to think.
One of the things I spend a significant portion of my time on every day is reading the various security magazines (including Security Current) that come into my inbox. I am also a member of various lists and groups, some public and many private. These sources generate at least 100 emails a day that I browse through looking for the Next Big Thing.
As it turns out, some of us security people are just a little paranoid (just because you’re paranoid, doesn’t mean that they are NOT chasing you.) The problem, as I see it, revolves around a small chicken (Chicken Little). Columbia is a big decentralized place – if I announce that the Sky is Falling every day, I believe, in my opinion, that in a very short time, I would be out looking for another job.
The trick is to try and figure out (I sometimes use tea leaves) which of the many warnings are critical (the sky is really falling) and which can wait until the normal patch cycle. This is not a simple task, as it requires reading and correlating reports from many different sources, and knowing which sources can be trusted to provide a balanced opinion.
I fully realize that not everyone works for an organization that provides “thinking time” – I believe that I have been very lucky that way. I think that regardless of the culture, thinking is a good thing (even if you have to hide in the bathroom to do it.)
As you walk your security tightrope, the balance between thinking and doing will make a big difference as to how long you can stay on the rope.