Monday, June 17, 2013

2 weeks to aliyah – “What is that voodoo that you do so well?”

For pretty much all of my professional career, people (including my family) have asked me what I do in the computer field. Of course, my role has evolved over the years so the answer to that question has evolved along with it. But now, especially with me being in this contest and so many of my friends and relatives passing along all of their networking contacts, I thought that this would be an opportune time for me to explain what it is that I do for a living.

Of course, if I were to spell out all of the gory details I would lose most of my audience in the first paragraph and thus not accomplish at least part of my goal. On the other hand, since there might be some potential employers reading this, it would be helpful to be at least a little specific. I will try my best to explain this clearly and concisely to satisfy the golden mean. Hopefully, all but the most ardent Luddites will be able to get some appreciation of what I do and maybe some of them might even say, “hey, I know someone who I ought to introduce to Daniel”.

Although my title is Information Security Officer (ISO), that title means different things in different companies here in the US, so when you transplant it to Israel, it practically loses all meaning altogether. The best way to describe my job is that I am responsible for 4 areas in the computer environment in the company, (or in Information Technology (IT)). They are:
  • Security (אבטחת מידע),
  • Compliance (ציות),
  • Risk (ניהול סיכונים) and
  • Audit (ביקורת מערכות מידע).
(Have I lost any of you yet?)

Security is probably the most commonly known part of my job. It is like the lock that you put on your door or the bars that might go on your windows. They are designed to keep the bad guys out yet not impede your own access to your house. Similarly, a company makes strides to make the computer environment as secure as possible without making it too difficult for the people who do need access to the computer – either customers or employees – to do what they need to do. You can never make the environment 100% secure.

On the other hand, you can and should make your environment 100% compliant. Compliance means following the rules. For example, your auto insurance company might dictate that you have an alarm on your car or that you use seatbelts. If they catch you violating those rules, they might deny you coverage. Likewise, if an auditor discovers that you are not adhering to the regulations dictated by law or even just by the company’s bylaws itself, you can find yourself in trouble.

For that reason, in the US the focus tends to be on compliance whereas in Israel, they certainly concern themselves more with security. In general, it is best when the compliance regulations make sense to the employees. Otherwise, they tend to try to bypass the rules. It is my job to make the policies relevant so that they understand why it is important for them to adhere to them.
[Image caption: When compliance regulations do not seem relevant to people, they often find ways to bypass them.]

There is a great deal of overlap between the areas of security and risk. I would often conduct formal and informal risk assessments to determine how secure an environment is, where the holes are, and what can be done to stop them up. Risk assessment and management is an ongoing responsibility in which you are constantly determining the appetite that the organization has for risk vs new threats that are being discovered every day.

My involvement with IT Audit was primarily as a liaison between the infrastructure support people and the auditors. I would not conduct audits myself, but I would be the person translating the auditors’ requirements into meaningful terms that the systems people would understand and then reviewing the evidence that they would gather to determine if it was the correct information to pass along to the auditors. Although this sounds much like a paper pusher in some ways, this was actually a very important role. Just as you would not necessarily want to represent yourself legally – you would hire a lawyer – it is not wise to have the systems people dealing directly with the auditors. That would just be asking for trouble and at worst, might get the organization into legal hot water.

There are some aspects of all of this at which I am particularly adept and which have enabled me to be very successful in making two large companies more compliant and secure. Much of that is attributable to my more technical background in operating systems programming and administration than the average person in IT security. That has given me a practically unique combination of skills that has proven very effective in my dealings with both the systems people and the auditors.

Well, there is a very brief idea of what I do. There is of course a great deal more that I could say about what I have done but I think that I tested the limits of my audience already. So any hiring managers who would like to hear more, I still have some slots available for interviews.

Hopefully this will give you a better understanding of my job to help some of you to better describe my role to your contacts. And of course, it will give some employers a little insight into my background as an IT Security Officer.

2 comments:

  1. THE most cogent and least boring (to the non-Luddite layperson: me) description of such work I have ever read. Nicely summed up.
  2. To my dear husband...Ahhhh, so this will be my new cheat sheet! I shall print it out, maybe even laminate it, and refer to it any time I am asked..."what does your husband do?" Thank you!