Wow, the dust hasn’t even settled yet on the controversial million dollar deal-breaking e-mail and I’m receiving a ton of e-mail from the community on their own frustrations working in information security. I had no idea so many folks in this line of work were so miserable!

I am seriously blown away by some of the information that you’re all sharing with me (and trusting me with).

I was halfway through a chilled coffee frap when I found this gem in my inbox (edited for grammar and privacy):

Chief Monkey,

After reading your story on dbsecpro’s adventure with his employment, I had to dig deep and share something that I’ve only shared amongst my closest friends and my wife/children. Since I know you anonymize things pretty well before publishing, you have my permission to publish this. Maybe it will help someone.

My story goes something like this. I grew up in India, and my parents moved to the USA when I was a teenager. My father was a computer scientist, and my mother was a homemaker. It was always impressed on me to be the best at everything that I did, and I think I did a good job at that. I excelled through all of my academics (4.0) and worked at several big tech companies. I moved up the ranks pretty fast, and ended up as a department head for information security. I was in my 20’s and making $250k a year. My parents were very proud, and I have to admit that life was great.

After a few years as department head, my company brought in a new EVP of technology. This lady was lured away from a competitor, and I don’t even want to imagine her compensation, but that is beside the point.

My introduction to her was torturous at best. She didn’t like my supervisor (a SVP of technology) and made it immediately known that she didn’t care for me either. She looked over all of our accomplishments during the last few years and tore them all apart. Her reasons made no sense, and it was readily apparent that she actually didn’t understand risk or security very well at all.

Within her first few weeks, she completely reorganized the technology branch of the company, including my area. She transformed us from a hierarchical reporting structure to a bizarre maze of matrixed reporting. She had VPs reporting to Directors, and in some cases department heads (like myself) reporting to consultants! The real magic came when she fired my supervisor (for being too old?) and replaced him with someone 20 years younger and 30 years dumber. From the moment this person entered the company, she had “I am a yes woman” tattooed on her forehead.

Fast forward a few more weeks, and the EVP completely changed how the company tracks and reports on projects. This created mass havoc in my area, because we mapped our security and compliance activities directly to business and technology projects. With this new method (which did not follow any known sane PM processes) in play, projects began running behind and communication broke down between stakeholders. Of course, every department head was then brought in to her majesty’s (that’s what we called her) conference room and lambasted for being inefficient and inept at our duties. (I should add here that every staff member in the room had a pristine track record at our company, and were very well credentialed and successful). This created an atmosphere of fear, uncertainty and doubt amongst the department heads. Instead of working closely together as we had always done before, everyone became suspicious of one another and they went into “kingdom protection mode”. Everyone looked out for their own well-being.

The crown moment of all of this was how she “explained away” all of these issues to the board of directors. She drew a picture to the board of a company full of inept management, no direction, and no drive. Several board members weren’t buying this, because we had been a raging success under the previous EVP of technology. She was persuasive and managed to convince everyone that (another) reshuffle needed to occur.

I walked into my office the following Monday to find that nearly all of my information security projects had died on the vine in finance committee, my staff increase requests were denied, and I was asked to re-write my entire security plan for the organization (all 30 pages) with half of the budget, no new people, and had to address 20 new “security projects” that the EVP had come up with. I looked at the project list and was shocked to see that she had simply taken my original list of security projects, changed their name, and adjusted their scope just enough to look different and NOT meet the gap they were created for in the first place. It made no sense to me!

And then, the hammer dropped. A co-worker of mine had managed to exist under the radar of this EVP and was promoted in her department to a manager role. Everyone knew how hard this girl worked for this, and we wanted to throw her a lunchtime party. Since we were good friends, I organized the entire party myself and used $30 from our “employee celebratory” budget fund to buy some food (which is the purpose of this fund!). The party was a great success. Two days after the party, I was called into the EVP’s office and told that my $30 expenditure was “against policy” and that I couldn’t be trusted as a member of management. THIRTY DOLLARS! My operating budget before this new EVP came on board was $MM! And I couldn’t be trusted with THIRTY DOLLARS. I asked to see this policy (I knew there was no such policy) and was told that I should step down into a first-level management role.

I handed her my ID card, my cell phone, my data center access badge, my keys and my laptop and left her office without saying a word.

There’s a lot of unexplainable stuff in my story, but the one thing that bothers me more than anything is: how does a seasoned board of directors believe someone like this? Don’t they have a responsibility to dig deeper on concerns like the ones she raised (which were obviously false)? Why didn’t her supervisors immediately dig deeper when the entire business line’s numbers went to crap when she took over?

My wife and my children talked when I came home that day and agreed that Dad was better off looking to work somewhere else.

I am currently a security manager for a medium-sized retail company and am much happier. My paycheck is not even half of what I used to make, but my happiness fills in that void.

Lesson learned? Money does not equal happiness – and if it does, one might want to take pause and do a level 3 system diagnostic.

Thanks for listening,

Majeeb