What It's Like To....Be The Fall Guy

What is it like to be in charge of security at a health-care organization? One employee reveals the truth about his job in information security.

The man who ran information security here, my boss, was set to take some vacation time to attend his daughter's wedding. But the CIO called him in and ordered him to stay. There was a downtime issue; the CIO wanted him around "just in case."

Harsh words were exchanged, and my boss left that afternoon. When he didn't show up to work the next day, management called and his wife informed them that he had died in the middle of the night. A brain aneurysm.

I have his job now. My official title is "computer security analyst," but I am the only person at our 8,000-employee facility dedicated to information security and enforcement of HIPAA. I am variously referred to as the CSO, CISO, ISO or Security Officer, but I report to a manager, who reports to a director, who reports to a senior director of operations, who finally reports to the CIO.

I have no power. But if something goes wrong—a virus, a HIPAA violation—I will be fired.

I submitted budget requests for nearly $1 million on security-related hardware and software, and got less than $50,000 approved. Rarely do I get to interact with senior management. In fact, I've been told that bad things have happened to those who have gone to the CEO with security concerns. And my CIO is more concerned with pleasing users than meeting security requirements.

RELATED LINKS

See more "What It's Like To..." stories

The message, in so many words, is: "Keep the bad guys out, but we're not going to let you enforce any rules."

That's my role: I'm the guy sitting on the bomb. I'm here to take the fall when it all blows up.

It's a stressful position. I get migraines. I don't sleep well. I worry constantly about what's going to happen but at the same time I feel like I can't do anything to affect it. I'm irritable with my family and friends.

Occasionally, I search the job boards. But security is my calling, and I'm stubborn. You have to be to survive in this line of work. While part of me wants to quit, I don't want to go down without a fight.

But when I think about my old boss, I think about that fight he had with management. And how he died.

Now I'm facing the same issues. I just hope I don't snap.

—As told to Scott Berinato

* Tom requested anonymity

Related:

Copyright © 2004 IDG Communications, Inc.

7 secrets of successful remote IT teams