Wednesday, February 13, 2008

Reformed Lawyer Loves Information Security

David says I need to introduce myself if I want to post here. Since I want to post, here goes. I am a reformed lawyer now working in information security in higher education. My focus is primarily on policy development, although once in a while "they" let me out of my cell and I get to participate in a risk assessment or a special project related to information security and "the law." I truly enjoy the ability to meld my lawyer skills within the constantly changing, always evolving, never still discipline of information security. Without further ado (or with much ado about nothing), here goes...

-------------
I love Google Web Alerts. It proves to be a handy reconnaissance tool for gathering intel on coworkers, friends, family and the like. It also is helpful for assessing your own internet popularity presence (or notoriety as the case may be). Thus, it is with great anticipation that I scan my own weekly Google Web Alert to see if I have "popped up" someplace unexpected.

Today I did. Today's report showed that an article that I wrote back in 2004 has been included in a web-based bibliography. What is notable is the article is from my first career as an attorney, and the article discusses resources that all good general practitioners should have in their legal toolkit.

These days I talk about what a person needs in their security toolkit; IT resource acceptable use policies; and how to navigate the various federal, state, and local laws related specifically to technology and information security. Not only am I a quasi-geek, but I am also a information security policy wonk.

The story of the journey from general practitioner to information security policy writer is not terribly exciting. What is interesting though is that many of the skills, tools, and talents that are useful for the law are also useful for information security. Problem solving, the ability to critically analyze materials in front of you, and an unending desire to know your topic in depth (and always "be right" about the knowledge) are invaluable.

Lawyers working on a case need to know by rote the facts particular to a client, as well as the constraints that the law imposes on those facts. We need to be able to point out from a legal, business, and practical standpoint why a client's desired course of action may have an undesired result (jail, fines, and interaction with additional lawyers are nearly always undesired). Similarly, information security professionals need to know how information systems work, and how their clients and employers intend to use that system. Then the fun begins, pointing out the legitimate business trade offs between data security, business efficiency, and sometimes, plain old common sense.

Since I write policy, I get the best of all worlds (much like being a general practitioner attorney). Sort of a "jack of all trades, master of none" role. For short periods of time (usually spanning months), I get to develop some kind of subject matter expertise in a particular information security area while a policy is being created. I meet with the security professionals who know their areas inside and out, I meet with the administrators who know the business side of an organization cold, and I get to try to facilitate the development of a policy that balances information security and business efficiency in a way that makes sense for my organization. Like a law practice, sometimes it is frustrating, sometimes it is exhilarating. It is never dull.

Most readers of this blog are already information security professionals. For those that are not, I can offer the following tidbits that helped me as I entered this field:

1. Study up and don't be afraid to ask questions. This is not a field where you can bluff your way through complex projects with a "fake it till you make it" attitude. Study for certifications and then continue to study after that. Get to know professionals in the field and turn to them for advice frequently. Some day you will be able to return the favor.

2. Know your strengths/find your niche. I like to write formal documents and found a good match with my attorney training in contracts and information security policy writing. My role blends these strengths perfectly and I enjoy the challenge of looking for loopholes.

3. Don't stand still or get complacent. The information security area is always changing. For instance, new federal and state laws are really starting to grasp that information security, data security, electronic information stores, identity information, medical information, and digital forensics are areas ripe for legislation. Learn about what such legislation means for you as an information security professional.

I am really enjoying "phase two" of my professional career. One sign that it might be a good move: My Google Web Alerts for information security topics are at least as many as my alerts for lawyer topics!

No comments: