Security Profile: Andy "ITGuy" Willingham


One of the first times I came across Andy was when I made a mistake. A huge one. And although the mistake was not about Andy, he reacted like a mad dog and told me exactly what he thought of me. In his own words:

You are one cold hearted fellow.

He got my attention right away! Then, only a short time after that, he told me:

Kai, I think you are confused.

These two episodes show very well who Andy is: straight to the point; fearless if he thinks you are wrong, dishonest or evil; standing up for his friends and the weak. Andy speaks his mind, and I just love that!

In our later discussions and comments, it has become pretty clear that Andy and I are much closer in our view of the world than it seemed at first glance. And the very fact that Andy accepted this Profiling of him tells a bit about him (no, not only that he is attracted to attention!).

He is able to walk the talk.

Andy’s blog was also noted as one of the most influential security blogs of 2007 by IT-security. And true to himself, Andy is incredibly humble about it all (I know I would kick and scream and yell high and long if I was on such a list). But, equally true to him – he was the first commenter on the post – so I am not the only one running a searchbot for my name!

Unlike some of the previous Security Profiles, Andy is not able to identify the time he opened his eyes to security:

“I'm not sure I can pinpoint any one event. It just happened over time. As I learned more about computers and networks, I saw things that people did that put the company at risk. It was also a time when the big name viruses were running rampant.

It amazed me how they worked and why they were successful on some systems and networks and why others kept them at bay. I started reading more about security and it really grabbed my interest. So I started focusing my career in that direction.”

Andy has a technological background, like many security people I know. And he is focused on user awareness and training:

“Information Security is about much more than just technology, and even about more than protecting your data and network. It is about changing the way people think. A program that focuses on technology will fail, just as one that focuses solely on people will fail. It takes a well-balanced combination of focus on both.”

And have you found that balance yet?

“We know that technology will work to a certain level, and then we can either ignore people and throw more technology at the problem, or we can strive to teach people how to be safe. When we are successful at training our employees, then everybody wins. They work safer and smarter, and when they go home they also live safer and smarter.”

Do you have any examples of how to approach this?

“We have to get across to them that security is about more than surfing the web and checking email in a safe manner. It's about who they interact with online, on the phone and in person. It's about learning when and where to talk about business related matters. On the phone while riding on a crowded bus isn't the time to do so.”


Business and management focus

On his LinkedIn profile, you can read that Andy is a CISSP. He is pursuing a CISM, and would like a PMP. It is safe to assume that Andy is not only an IT-security geek, but also a managerial guy. His interest in project management gives that away pretty fast.

Andy, what is the impact security has on business?

“Security touches EVERY part of a business. If done properly it can really be an enabler, but if done improperly it can cause major problems.

Since it does affect everything, it's hard to narrow down the key impacts. They vary from business to business and industry to industry. What is key is finding out what is needed and what works for your particular situation.”

It is time to kick in the challenges! So let us hear what Andy considers the challenges in the security sector:

  • The first challenge is knowing what to do with security.
    Too many companies look at security as being the "necessary evil". They have security staff because it is required, but they don't know how to really use them. They lack a plan for how to integrate security into the overall business plan. So therefore they throw technology at a problem without really considering the impact. Will it work as planned? Will it cause more problems than it solves? Will it be something that we have the time and expertise to maintain? What else do we currently have in use that may serve the same purpose? All of these need to be answered when looking at a security problem.
  • The second challenge is developing a good User Awareness Program.
    Most of the ones out there are dull and boring. They also are "cookie cutter", one size fits all solutions. They don't take into account different learning styles, and they don't give you good, relevant information in a format that you can use throughout the year. Getting something every quarter isn't enough. It needs to come out at least monthly, and it needs to be able to be delivered in a variety of formats: PDF, MP3, video, email, etc.
  • The third problem is qualified security staff.
    There are too many people who really don't know what they are doing. They look for "best practices" and then that is what they do. Another of my pet peeves is the whole concept of best practices. Again, what works for you may not work for me. Companies need to hire and/or train their staff so that they understand security and how to make security work in their environment. You may be a great Cisco firewall engineer, but if you don't know how to think outside of the sample configs that Cisco provides, then you aren't the one I want managing my firewall.

Andy started blogging because he wanted to have a place to express his thoughts and opinions on security.

“Hopefully someone else will gain something from what I have to say.”

Andy, there is a whole bunch of people out there – including myself – who gain quite a lot from what you are saying!

Thank you for the profile!


Andy’s blog


The blogger is Kai Roer, a European Information security professional.
