October 7, 2016
Who is Your Mechanic: InfoSec Level Equivalents
Question: Who is the most important person in an organization? Is it the CEO? Is it the Finance director? Is it Bob in Sales? Is it you? We are all cogs in the machine, but sometimes there are some key components a company cannot do without.

A few years ago I read a quote from the book Soldiers by Richard Holmes, an excellent military historian. The quote was from a Colour Sergeant Major (CSM), who said to the other Sergeants:

“The Officers drive the car, but it’s the Sergeants that run the engine”.

In essence, the Officers like to think they drive the car – they give orders, but without a solid team of sergeants, everything falls apart.

Think about that for a minute. Modern armies have a hierarchy of COs (commissioned officers), NCOs (non-commissioned officers) and then the soldiers, troops, squaddies or grunts.

Not too different for a company:

• the CO is your C-level management
• the NCOs are middle management†
• the business users are troops

Translate that to an InfoSec/IT environment:

• the CO is your CISO/IT Director
• the NCOs are middle management†
• the techies are the troops

† A CISSP, if working on the ground with the troops, I would classify as an NCO.

An organisation needs direction; this can come from policies and the top, but you need some strong NCOs keeping everyone in check. The NCOs get the job done.

NCOs don't have to be middle managers either; they can also be team leaders. The grunts do the legwork, the NCO or “Sarge” has worked through the ranks and has the knowledge to mentor and support the team. The CO gives direction.

But a well-oiled regiment of troops runs nice and smooth because the Sergeants are running the engine to make it so.

Here’s the thing: if you run off and get a certification and think you can jump straight into an NCO role – wrong. That is not how it works in the military unless you are lucky. This does not happen in the real world either.

To get into an NCO role you need to be qualified, but more importantly you need to be time served, you need to be experienced and you need to be trusted.

But this is what should motivate you. InfoSec can be like the military.

The military recognize talent, they encourage development, and they will train their people to be the best they can. If someone responds and performs, then they will promote those people higher up; in turn they will help others to become the best they can.

The NCO needs to get the best out of the team, and sometimes gets to shout at people for doing ridiculously stupid things (think users opening suspect attachments, for example).

However, unlike Gunnery Sergeant Hartman in Full Metal Jacket, don’t shout at people “What is your major malfunction” – that really won’t help, no matter how funny that may seem at the time. :)

So what do you want to be? A grunt, or a Sarge? I know what I want to be, do you?