Senior Advisor

Doctor of Social Imagineering (

When people ask me what I do, I say, “I make an iPhone app.” They understand immediately, and explain it to others as, “He makes an iPhone app.” I never forget how fortunate I am that I can be proud of what I do. ~ Marco Arment

My title is Senior Advisor. Outside of my employer, I've never seen it used to describe anything I do. Most of my peers in the industry go by the title Senior Analyst. At least with that title, people assume I spend my time analyzing something. But in fact, both titles are generic. They don't mean much of anything. Even after I tell people I work in the Information Security department I still get blank looks. Senior Advisor in Information Security doesn't improve understanding. I usually end up having to add more detail. Here's what I came up with after a few years of trying to explain it.

I help develop security strategy, architecture, process and policy to manage the security risks associated with employee access to the Internet, and serve as an advisor to the Network Security and Security Awareness programs.

Does it work? Sometimes. But then I have to explain Security Awareness. Am I proud of what I do? Yes, but explaining it to non-technical folks isn't always simple.

Security and Business Productivity

I had an interesting discussion with my Associate Director and our Lead Forensics Analyst last week. I am responsible for the URL filtering solution for my employer, and once a year, we review the filtering categories provided by the vendor. The vendor sometimes splits an existing category into two or updates the definition of an existing one. We review these categories to ensure that we are restricting sites under the organization's policies and directives.

Some of the most obvious site categories are blocked (Pornography, Drugs, Criminal Skills, etc.), and so are some less obvious ones: Gambling, Provocative Attire (think Victoria's Secret), Media Downloads and Streaming Media. We blocked Media Downloads (iTunes, Napster) and Streaming Media (YouTube, Google Video) because the fat pipe of the corporate network is just too tempting for some people.

One category that we have chosen to allow (after much heated discussion) is Hacking. The challenge with that category is that many excellent security analysis tools and techniques are filed under it, which means tools like SysInternals would be blocked. So we decided that the benefits of the tools outweighed the risks. The vendor must have received feedback on this issue, because the new category list includes a new Information Security category. According to the definition:

This category includes URLs that have a legitimate purpose of providing information about data protection, but in doing so present a risk that the information provided may be exploited by users in order to breach security or commit unlawful acts. This applies to detailed information intended to safeguard business or personal data, intellectual property, privacy, and infrastructure on the Internet, private networks, or in other bandwidth services such as telecommunications.

I think we may decide to block Hacking and allow Information Security.
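Before flipping a category from allow to block it is worth simulating the change against the sites you know people depend on, so that a tool site that is also tagged Hacking does not disappear overnight. The following is an added example, not the vendor's product or anything from the filtering deployment described above: a small category-policy evaluator that models multi-category sites, parent-domain matching, an explicit site allow list that overrides a blocked category, and a default for uncategorized hosts. All domain names, category assignments and policy sets are constructed for illustration.

```python
"""Simulate a category-based URL filtering policy before changing it.

Added example; the category data, domains and policy sets below are
constructed and do not come from any real vendor category database.
"""
from urllib.parse import urlsplit

# Constructed category assignments. A site can carry several categories,
# which is exactly what makes "block Hacking" risky for tool sites.
CATEGORIES = {
    "sysinternals.example": {"Hacking", "Information Technology"},
    "pentest-tools.example": {"Hacking"},
    "infosec-news.example": {"Information Security"},
    "exploit-archive.example": {"Hacking", "Criminal Skills"},
    "webdocs.example": {"Interactive Web Applications"},
    "video.example": {"Streaming Media"},
}

# Current policy (blocked categories) and the proposed change.
BASE_BLOCKED = frozenset({
    "Pornography", "Drugs", "Criminal Skills", "Gambling",
    "Provocative Attire", "Media Downloads", "Streaming Media",
})
PROPOSED_BLOCKED = BASE_BLOCKED | {"Hacking"}

# Explicit site exceptions win over any category verdict (constructed).
ALLOW_EXCEPTIONS = frozenset({"sysinternals.example"})


def lookup(host, categories=CATEGORIES):
    """Return (matched key, category set) for host or its closest parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in categories:
            return key, categories[key]
    return None, set()


def decide(url, blocked=BASE_BLOCKED, allow_exceptions=ALLOW_EXCEPTIONS,
           categories=CATEGORIES, default="allow"):
    """Return (verdict, reason) for a URL under the given blocked-category set.

    Evaluation order: explicit site exception, then any blocked category,
    then the default for hosts the vendor has not categorized at all.
    """
    host = (urlsplit(url).hostname or "").lower()
    if any(host == e or host.endswith("." + e) for e in allow_exceptions):
        return "allow", "explicit site exception"
    _, cats = lookup(host, categories)
    hit = cats & blocked
    if hit:
        return "block", "blocked category: " + ", ".join(sorted(hit))
    if not cats:
        # Uncategorized traffic is where a default-allow policy leaks.
        return default, "uncategorized host"
    return "allow", "categories permitted: " + ", ".join(sorted(cats))


def policy_diff(urls, old_blocked, new_blocked):
    """Return {url: (old_verdict, new_verdict)} for URLs whose verdict changes."""
    changes = {}
    for url in urls:
        old = decide(url, old_blocked)[0]
        new = decide(url, new_blocked)[0]
        if old != new:
            changes[url] = (old, new)
    return changes


if __name__ == "__main__":
    sample = [
        "https://www.sysinternals.example/tools/procmon",
        "https://pentest-tools.example/",
        "https://infosec-news.example/",
        "https://exploit-archive.example/",
        "https://video.example/watch",
        "https://unknown.example/",
    ]
    for url in sample:
        print(url, decide(url, PROPOSED_BLOCKED))
    print("changed by blocking Hacking:", policy_diff(sample, BASE_BLOCKED, PROPOSED_BLOCKED))
```

Run against a list of URLs harvested from proxy logs for the security and IT teams, the `policy_diff` output is the list of sites that would need an exception before the category flip goes live. Note that the uncategorized default is a policy decision in its own right: default-allow keeps the business happy but means a brand new site is reachable until the vendor classifies it.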

The one new category that got our attention and resulted in many discussions was Interactive Web Applications.

This category includes URLs that provide access to live or interactive Web applications such as browser-based office suites and Groupware. Interactive Web applications can present security risks such as leaking or loss of proprietary data. Sites categorized as Interactive Web Applications include those with business, academic, or individual focus. Sites providing access to interactive Web applications that do not take critical user data or offer security risks, i.e. Google Maps, are excluded.

So what are Interactive Web Applications? Applications such as Google Docs & Sheets (word-processing and spreadsheet), BasecampHQ (project management), and (customer relationship management) would be included in this category.

The reason this category resulted in a lengthy discussion is the sentence "Interactive Web applications can present security risks such as leaking or loss of proprietary data." From my boss's and coworkers' point of view, these applications should not be used because the company already provides productivity tools (Microsoft Office, SAP etc.). From my point of view, the business side of the company was already using these tools and restricting access would be suicide. The genie was out of the bottle, and all we could do was find ways to educate the business about the risk and about methods for mitigating it. They came around to my point of view; we will not be restricting access to this category.