After almost 20 years working for IBM in various IT roles and working under bosses of different temperaments, Wes Knight was perfectly happy to run his own training and consultancy firm in Atlanta, Georgia.
“In my company, pretty much I was the company, the sole revenue generator,” he says. He worked long hours, travelled more days than he wanted and dealt with the pressures that come from running his own firm.
Soon his zeal took a toll on his health. He was diagnosed with cancer in 2000, and while recovering he lost his most lucrative client. Then, with the dot-com crash, money for consultants dwindled, and he had to work twice as much to earn what he had earned before the crash.
“I was not really a young man. At that time, I had five kids,” he says. “So, I sat down with my wife and we decided I would have to give up my business, and start working for somebody else again. That job had to be exciting but should not require me to travel.”
Sure enough, he found an opening at the state Department of Revenue. “If you work for the State, where are you gonna go?”
That was 11 years ago, and Wes has stayed put since then.
The diagnostician
Technology was not part of Knight’s early interests. There were no computers when he was growing up. What Knight did know was that he was a good diagnostician – he looked at something and was able to figure out what was wrong with it, pretty quickly. That was what brought him to IBM in the late 1970s, out of an auto center job that made him miserable.
It was also at IBM that Knight started teaching people how to work with computers. He enjoyed the sense of accomplishment. “You had a broken machine, you sat down, you fixed it, you won. You beat it!”
Because he did his job well, Knight was able to tap his connections when he started his own company. “I didn’t have to start from scratch, and I was really thankful for that.”
The “Department of No”

At the state Department of Revenue, Knight rose from being senior network security engineer to his current post as CISO. Then as now, the crown jewels he is trying to protect at all costs are taxpayers’ data. But while this is unchanged, the attitude about information security has greatly evolved.

“Ten years ago, we were seen as the Department of No. Many thought that for us to be effective, we needed to stop people from doing things,” he says.
Now that view has changed. “We’ve got good buy-in now. More people understand that my job is not to hinder them but help them do what they do in a safe and secure way. They’ve got a business to run – this time, it’s collect taxes. If I don’t let them, how do they give my paycheck?”
All about relationships

“People have to feel like they can trust a CISO,” says Knight. “You have to give them good advice and steer them to the right direction. You got to have good relationships with the business units, and the C suite, the new hires you have to train at the outset. But you also have to be ready to make difficult decisions.”

In his job, Knight is heavily involved in project initiation. “I know the projects going on and I can give input right away. Doing things right from the beginning saves you time and money.” Drawing on his experience as a trainer and instructor, Knight enjoys talking to his colleagues about security, not only at work but also in their homes. “It’s not really all that altruistic. If their home computer gets infected, and they hook it up with their work laptop, then the problem crosses over and it becomes my problem as well. That already bypasses several layers of our defense.”

Aside from giving regular training during staff meetings and training people who work under him, Knight is also a speaker at conferences. “They appreciate my sharing knowledge with them. I get a kick out of that.”
The foreseeable future

Ten years ago, security meant relying largely on perimeter defenses – firewalls, for instance.

“Now they are still important, but they are just a small piece. You have to have a holistic, multi-layered approach these days. Now, I don’t worry so much about the hard hack as much as I do about social engineering. These bad guys are exploiting the weakness – careless humans.”

He does not believe most folks would compromise their own organization’s safety. “But we are all human, we all commit mistakes. You can tell people not to click but they do click. So the vector is still going to be people. And the attackers don’t have the same controls we work under – they are always going to be just doing what they do.”

Knight has a pragmatic view of the good versus the bad. “I just don’t see the good guys ever overtaking the bad guys, I think we will always be chasing them.”
The next phase

Knight has a year until retirement and already he knows he will miss the people he works with. “They are tremendously good, smart, hardworking. They know what they are doing.”

At the same time, he looks forward to spending more time with family: his wife of 45 years, five children and 11 grandchildren. “It’s a madhouse when we get together.” 

Knight likes to make himself useful around the house repairing things, and also likes playing golf and target shooting. He plans to do some training and consulting when he finally retires. 

“I think I’m going to have a blast.”