Just prior to my resignation (formatting hosed due to cut and paste)
Seems Sebastian was screaming at the void for money that was not going to happen or budget. I have multiple text messages saved. It is called banter, people do it when chatting including Sean. The PMO was rabble-rousing, and the Change Manager/Learning specialist non-existent.
Lynn,
Thank you for the discussion on hiring a coach today and I will seriously consider this. As we agreed I would like a week to decide how to move forward. I do have reservations as I think it may not fix a number of reservations I have about my ability to solve some of the challenges, even with coaching, including:
· A statement by you today that a 60 hour work week is typical. (During interviews Craig mentioned a 45 hour work week was typical).
· Priorities for the team not unified for 2013 and the first quarter has passed
· Introducing security with current organizational constraints may not be possible with only coaching.
1. Background on the text messaging subject
· The text dialogue with Sean was indeed too terse. I take responsibility for this. I can, will, and do apologize for being terse.
· Sean did not mention it bothered him to communicate over text in the past nor did he ask the texts to stop. There was no designation of boundaries before escalation.
· I considered the messages a personal conversation since Sean frequently communicates with me in text and e-mail as an ordinary course of day to day communications. Some examples of this are provided in Exhibit A.
· Sean was one of the few staff in IT who I felt showed willingness to dialogue with me about security and try to build rapport. Often he relates that my experiences are similar to his own personal experience coming in the firm. I have appreciated him for this.
· More recently his behavior changed from “cooperator” to “challenging”. For example he suggested changing the scope of the Windows 7 project, mid-stream, to implement a substantially larger volume of security standards; he stated in the meeting on March 21st, 2013 that “he’s done this before and has the most experience”; then he sent email to all staff disagreeing with my approach when I asked for five minutes of work to be done (resulting in the five minutes of security setting review not being done) (Exhibit A.9)
· This is a setback as we are re-working topics once tried for resolution in June (Exhibit B.2)
· I tried to call Sean twice at 10:20AM on Friday to try to solve this, while I was in jury duty on March 22nd. Sean did not answer the phone when I called.
· On Sunday the 24th of March Sean continued to push back to management when I suggested we ‘slow down’ the project by delivering it in phases. He also stated that I was in all meetings. Perhaps he does not realize I was not in the office the week of March 7 that a meeting was held. (Exhibit A.10)
· I find myself becoming more terse as the stress continues to mount.
There is no excuse for being terse, only explanations for why I feel stressed and not coping well. This leads me to highlight some concerns we have discussed in our meetings about the current situation.
2. Background on Challenges Embedding Security in IT
o IT staff were not accessible for six months when I arrived in the firm – there was very little knowledge transfer, few documented processes, and staff were in many cases unable to meet. Staff explained there was not enough time to work with me during 2012. They stated the Windows 7 initiative had the workload up higher than any other year.
o The tone with Sean changed (from cooperator to challenging) after an investigation was done when a password cracker was found on a laptop issued to his team. Item A.6 in Exhibit A is the e-mail conversation.
o Over the past eight months, when trying to solicit help with security initiatives, staff mention in every meeting that they are overworked before discussions about security may begin. (Exhibit B1 is a recent example of an employee email)
o I am frequently told that my e-mails, documents and even checklists are too long to read. (Exhibit B2 is one of many cases where “remarks” were made throughout 2012 that a thoughtful communication was too long to read).
o I was “yelled” at by a manager for suggesting we should not send disks with sensitive data to a third party recycler without the appropriate NDA and review in place.
o When I started working in AK I was frequently told in meetings that I/we/he/she would be “fired” if we introduce changes to the firm.
o I receive communications from many staff, including Sean, that we do not prioritize work, or we do not have enough staff to do the work, and there are too many projects.
o When trying to be proactive about Windows 7 settings, by engaging Microsoft, I was interrupted and advised during the meeting that the settings conversation was “out of scope”.
o Excessive worrying in staff where they express to me they get “blamed” if anything goes wrong.
o Checklists for BYOD, China Travelers, Test Plans for Applications, patch management processes – are not handled in a collaborative way or are unresponded to.
o I am challenged, often in front of staff, when I ask for a topology of a system or network. This occurred in a very abrupt way in the second Windows 7 meeting with Craig Swain, and several times when I tried to understand the Lync deployment earlier in the year.
o I am often told “just tell me what I need to do and I’ll do it”, yet when I do make a suggestion it is challenged usually highlighting a law firm that does not do it that way. The challenge rarely takes into consideration the firms that I show are changing and doing these activities.
o I have suggested on three occasions that we consider “teambuilding”, mentioning I-OPT as one option (Ana researched cost) as well as another option about the “ladder of inference”, trying to find constructive suggestions on how to work together rather than raising complaints.
Exhibit A: Text messages received from Sean
A.1 – A.5: text message screenshots (images not reproduced in this copy)
A.6
-----Original Message-----
From: Burke, Sean
Sent: Friday, March 01, 2013 3:31 PM
To: Vasquez, Moira
Subject: Re: Suggestion
The problem is that people like Jonathan and the Directors set my priorities. They just go to Lynn and Lynn says make it happen. They are NEVER told no or they have to wait. The only person who is willing to wait is Jim D.
I wish it was that easy. My focus would be to focus on the systems we have and to stop purchasing more and more systems that we can't support. We can install them but then we are asked to run to another project.
I hear what you are saying but the reality is so different. It's hard to see how that could ever happen without a paradigm shift in Management.
(Message sent from a mobile device - please pardon any typos.)
----- Original Message -----
From: Vasquez, Moira
Sent: Friday, March 01, 2013 07:49 AM
To: Burke, Sean
Subject: Suggestion
Sean,
This firm should be so proud that you dig in, roll up your sleeves, pitch in for areas that aren't yours to own etc. I know I am simply honored to have you as a teammate. The reality is that I am also understaffed, we won't get rewarded for doing the right thing in all cases. I have seen this time and time in my career---- Todd would probably get promoted if you took all his team's work on, and there are indeed many projects as well as operations gaps. Can I make a suggestion? I know your team addresses many details, yet it may help to pick your team's top 5 priorities and make those top 5 consistent and visible to everyone in every email and meeting. Stick to them yourself (I struggle with this too).
My real top five priorities are:
- get security on management agenda (this is huge and a lot of work)
- raise awareness of gaps and real vulnerabilities in the firm (not fix them all- raise them to get support to fix them)
- propose and garner support for a systematic way to address security and work to show the firm it requires investment in resources/skills
- ensure the firm understands security is not a sound bite but a full culture change in the way we work
- defend against threats at a level that shows reasonable care and keeps us out of potential litigation
I sometimes have to dig in to get the details to build this case- then I get stuck there and wind up working mornings, nights and weekends to get back to my top five. A real failing on my part for my own health. If I stay with my nose in the AV console I would never build the rest of the pieces. I also simply cannot build all the checklists this organization requires overnight.
I see you falling into similar traps- every day hands on in AD, writing applications and code, solving problems others should be solving (sometimes solving them instead of just handing them over to let balls drop if they will). This is all very commendable yet are we achieving results optimally together?
When you write notes that say my team has "so many projects" - people sympathize but do they know your top priorities? Are you really focusing on them as well?
If you, Todd, Craig and I all had five top priorities we would still have more than 15 projects we need to help each other with. Does that really work? Is it an option to pick a "joint" top 5-7 for the year and then challenge each other when we stray from them? Do we have an agreed plan?
One thing Todd does better than us is stick to his priorities. You often pick up the work "because they are needed for the firm" Some things will have to fail to get the top items over the finish line!
M
A.7
-----Original Message-----
From: Burke, Sean
Sent: Tuesday, February 05, 2013 10:22 PM
To: Vasquez, Moira
Subject: Re: Projects.
I sent the list to Lynn but from my experience it doesn't really matter. If I push real hard he will ask that I write up a list of projected hours for each and show the gaps and, blah, blah, blah. It's just more work in the end and if we are lucky we will get a 30/60 day reprieve on one of the projects. The problem is that all of these are started at this point with the exception of the SQL conversion to SSIS of all the firm's SQL Jobs.
The P-Drive will be the 3rd simultaneous project (significant project) that Jonathan has going on. Each is a minimum 6 month project and all are managed by Hyperion. I don't know why people don't use their talents and the talent around the firm to research and plot the way forward.
Plus we have all these new roles of Director level staff (KM - Bobby, Practice Support - Jonathan, and Security - You). All of which demand resources and we don't have any extra staff. Not to mention some of the departments lost staff a few years ago like HR, Conflicts, etc. And they now are having my group take over a significant amount of tasks that they used to perform like employee evals (which takes 6 months a year of my team's time) and Financial Reports for the Firm (another huge process). The firm is regularly requiring my team to put in 65 plus hour weeks for years on end.
Everything is such a rush that we never get the opportunity to do it the correct way by taking our time and assigning different pieces to different units and allow them to do what they were hired to do. Unfortunately the consultants we hire only put additional pressures on the limited IT resources we have and they don't talk to the departments that should be part of the process.
Plus we pay these consultants a fortune that could be used to hire employees to fill the resource gaps. If we are going to do that then we should at least get consultants that are going to make our lives easier.
Just venting a bit. I've only been back two days and I'm already stressed.
(Message sent from a mobile device - please pardon any typos.)
----- Original Message -----
From: Vasquez, Moira
Sent: Tuesday, February 05, 2013 08:01 PM
To: Burke, Sean
Subject: RE: Projects.
There must be a prioritization discussion. How and to whom do we speak to make that happen together? Don't forget testing data center moves...and have you really looked at Net Ops and PMO list to see which projects are impacting?
A.8
From: Burke, Sean
Sent: Saturday, February 02, 2013 1:51 PM
To: Vasquez, Moira
Subject: Re: MoveComputerToOU_Loaner.vbs
No, but before it makes it to my employees and others within IT that you are saying I'm a hacker and I am being accused of hacking, I would appreciate it being done in a sensitive and professional manner. I have nothing to hide. I've been a successful manager for a long time and that's not because I choose to hack my employer. If you think I would put my family at risk for something so stupid then you don't know me very well. Additionally, to control a PC in our firm by hacking is stupid when I already have the ability to log in to most firm PCs. I wouldn't know the first thing about Java exploits and using them for remote control purposes. Again, if I want to control a PC I will ask for permissions if I don't already have them. My position in the firm affords me that.
To me, this is the silliest thing I have ever been accused of in my professional life. Do what you need to do. At the end of the day, all the people in the office who are talking about this should be told the truth. As a manager I have a degree of respect and trust that must be maintained.
Sean
(Message sent from a mobile device - please pardon any typos.)
From: Vasquez, Moira
Sent: Saturday, February 02, 2013 12:34 PM
To: Burke, Sean
Cc: Vasquez, Moira; Cavignac, Sebastian; Coury, Todd
Subject: Re: MoveComputerToOU_Loaner.vbs
Thanks so much Sean. Sebastian, please can you confirm the script used the account titled "Administrator" on HOUDATA1?
Sean-- further to this. Thank you.
As we discussed yesterday there is little access control with so many users with administrative privileges in the firm. On the other hand, failed login attempts at a high threshold would be unusual especially since staff have so much access. It is an indication (not fact) of potential hacking to be investigated. As you know, today it does not take much to command administrative control over a machine through Java, Adobe and Microsoft apps. Once in the network, accessing sensitive data would be an attacker's next goal.
With the existence of a password cracker and so many failed login attempts in the same day... It simply requires looking into as a professional duty to the firm.
My ability to investigate anything is limited as I do not have the tools to take copies of computers, a secure server to store them on for chain of custody, and have to ask for information the old fashioned verbal way around our team. Sorry if that puts us into uncomfortable conversations-- it will stay the case until budget is obtained and also the "access" paradigm where we put more restrictions on the security manager instead of staff gets resolved. I don't like it, and I am sure you don't either.
Please pardon any typos, this message was sent from a mobile device.
On Feb 2, 2013, at 11:52 AM, "Burke, Sean" <SeanBurke@andrewskurth.com> wrote:
I don't know what the HOUDATA1 connection is other than that's where the script may have been located. Sebastian - what was the path to where the MoveComputer2OU script is stored? I can tell you that I know for sure 100 percent that I was working on that script till about 7:30 that night and I worked on it most of the day. That computer was in my hands and the focus of that day was that script. That's all I can say.
Sean
(Message sent from a mobile device - please pardon any typos.)
From: Vasquez, Moira
Sent: Saturday, February 02, 2013 07:45 AM
To: Burke, Sean
Cc: Vasquez, Moira; Cavignac, Sebastian; Coury, Todd
Subject: Re: MoveComputerToOU_Loaner.vbs
Hi Sean,
I did close this last for the following:
- The server was HOUDATA1
- The local Administrator was being logged into
- The time was 6PM on January 4th.
Did the OU script require login to HOUDATA1?
Cheers,
M
A.9
From: Burke, Sean
Sent: Friday, March 22, 2013 9:21 AM
To: Vasquez, Moira
Cc: Kaiser, Cory; Guajardo, Alexandra; Cavignac, Sebastian; Coury, Todd; Swain, Craig
Subject: Re: Batch 1
It's not often we are able to get the amount of resources together on a project like this that we have now. Are you suggesting we only do a partial review and then walk away and hope to do the rest by getting everyone together again in the future?
I am of the mindset that you take the opportunity you are afforded to accomplish everything you can.
I believe we are given a tremendous advantage by having these baselines pre-configured because it frees up engineering time to focus on all the settings that Microsoft has built in to each product.
I have never expected that we will be able to accomplish every setting but I find a lot of value in learning them and identifying which ones we can accomplish while we have the opportunity.
We may not have this chance to pull all these resources together on this project again for years.
We have 1 opportunity a year to get a group like this together to focus on the desktop.
To me, focusing on the desktop is the first step. The next step will be to take what we have learned to use Microsoft's baselines for particular servers.
I find it premature to say these baselines are too hard or too big when we haven't even started to review the settings.
I am curious which settings we know at this point that fall in to that category.
Sean
From: Vasquez, Moira
Sent: Friday, March 22, 2013 08:34 AM
To: Burke, Sean
Cc: Vasquez, Moira; Kaiser, Cory; Guajardo, Alexandra; Cavignac, Sebastian; Coury, Todd; Swain, Craig
Subject: Re: Batch 1
Baby steps- how many times I hear this coming to AK. Let's stick with CIS and make a baby step. It's easy to follow; the settings are so well documented.
- Please pardon any typos, this message was sent from a mobile device.
On Mar 22, 2013, at 8:29 AM, "Burke, Sean" <SeanBurke@andrewskurth.com> wrote:
I thought we were going to first find out if the Microsoft policies exceeded the CIS standard. I also thought we were going to try and find a tool that had the baselines in a format we could import and compare to our existing baselines. Finally, we still haven't verified what components they address (IE9, etc).
On another note: Anzil isn't a domain administrator. Someone with Domain Admin rights will have to do it.
Sean
From: Vasquez, Moira
Sent: Friday, March 22, 2013 06:33 AM
To: Kaiser, Cory; Guajardo, Alexandra; Cavignac, Sebastian; Burke, Sean; Coury, Todd; Swain, Craig
Subject: Batch 1
Oops- here is the right attachment. The other one I saved to my phone because it was a nice model policy I had downloaded for thought, which we may consider doing for ourselves in the end...
I would like to have a discussion about "batch 1" in our next meeting. This should be easy to configure in SCM and get rolled in- leaving risky stuff to deal with separately.
Can we get started on batch one and then move to batch 2?
M
All,
Here are the first 37 settings from the CIS benchmark, here forward titled "batch 1". Anzil can add these to a template he creates, called CIS benchmark, in SCM.
I have put a comment in the right hand column with my view. The setting is either easy or risky. Suggest we get three to agree - me and two others. We can test and implement easy and we need to make a plan for how we will address risky.
I will work on batch 2 in a few days just as soon as I have built a deck for the steering committee coming up on Wednesday.
M
- Please pardon any typos, this message was sent from a mobile device.
A.10
From: Burke, Sean
Sent: Sunday, March 24, 2013 11:20 AM
To: Vasquez, Moira; Swain, Craig; McGuire, Lynn; Coury, Todd
Subject: Re: Direction Setting: Security settings
The team with your help has already come up with an agreed project plan and timeline. Why are we suggesting that change now when we just spent the last 3 meetings building a project plan that already had dates based off existing projects and the time the engineers felt they would need?
We have had 6 team meetings. Craig has built a detailed project plan and the team has done a significant amount of work.
Why is it now, after we have gotten the entire team ready, that this is all being done? I don't understand this approach and it's very frustrating. This should have been done before we did all this work and when we were still discussing our plans. Moira, you were at each meeting and you already blessed the existing project dates.
Sean
From: Vasquez, Moira
Sent: Sunday, March 24, 2013 08:54 AM
To: Swain, Craig; McGuire, Lynn; Coury, Todd; Burke, Sean
Subject: Direction Setting: Security settings
All,
I am sorry but I must e-mail on weekends to get caught up with all of the work on my plate. You are not obligated to reply until your working hours and/or when you have time for a thoughtful response.
Recommendation: To ensure the Windows 7 “settings” project can succeed with achieving security objectives (and properly communicate those changes to the firm) I would like to see this project split in to four phases.
Phase 1) Windows 7 core workstation configuration settings (complete by June-July)
Phase 2) IE settings - (complete by August/September)
Phase 3) Office Settings - (complete by Year End)
Phase 4) Identify what other settings were agreed and push them in to 2014 - or request consulting support
Reasons:
1. Baby steps are essential to make progress
2. A lot of hours are getting applied to the project - yet one of the basic objectives (agreeing “security settings”) isn’t yet visible
3. We haven’t yet achieved a security settings review to ensure we understand their “impact”. We need to start small and determine how we will do that
4. I found the last meeting “overwhelming” to keep up with (yes now the tables are turned and I’m overwhelmed!)
5. I don’t think we have worked out roles and responsibilities and ways of operating together- we need to start with a digestible approach and keep the staff involved limited so they have good direction.
6. We will expend excessive staff hours in churn if we take on too much at once - this is a change for everyone.
Kind Regards,
Moira
Exhibit B: Escalations
B1.
On Feb 27, 2013, at 6:44 PM, "Cavignac, Sebastian" <SebastianCavignac@andrewskurth.com> wrote:
We in the choir agree that you should have budget for tools, resources, consulting dollars, and dare I say it, staff. We were understaffed BEFORE you started here, this just brings it out even more. I see money spent on stuff I wouldn’t waste it on, and I’d rather see that money go to stuff as stated above and below.
Understanding the ins and outs of system behavior and tuning HIPS and thresholds and excluding legitimate but wonky devices, etc is a full time job. The management side of it is too. That’s two full time jobs. Documentation and policies, maybe a third full time job, OR some really good consultants.
It all comes down to money and time. I don’t sign the checks or you’d have a dedicated engineer, a consulting team, and some shiny new security toys. What you need is a fully stocked tool cabinet, what you have is a couple of swiss army knives.
Don’t know what upper management has told you re: false positives but speaking as the bottle opener on one of those knives will always try to determine whether something is or not, within my assigned areas of this initiative, a false positive, before I bring in other resources (Unless compartmentalization prevents that) and especially my superiors. Expectations are exceedingly high on us as senior engineers here, and criticism is sometimes liberal and can be very detailed. Metrics on job performance are a little arbitrary sometimes, and we work in a “sudden death” kind of culture so we try really hard not to be wrong too often. This is a team norm, for us pocket knives.
We will adapt to how each other works and find equilibrium, I’m sure of it. If I’m guilty of emotion obscuring professionalism, it's probably resentment, not directed at anyone specifically, over being essentially on call 24/7 and responding to incident investigations etc. after hours, on weekends, blah blah and dropping other assignments which also are on short deadlines, just to deliver a false positive. [But please don’t bristle at that- same emotions come when you have to leave mom’s birthday party because a partner can’t send “time-sensitive email” (snack schedule) to the “membership of a non-profit organization they sit on the board of” (daughter’s soccer league)]
Again, as stated above, all of the shaking out of the system takes time and tuning, I’m aware of that. Every false positive (is that even the right term? Who came up with that?) we uncover should result in an exclusion, some tuned rule, or some policy change to avoid having to repeat the same work again in the future, by closing a vector or teaching our tool to ignore what we don’t care about.
Projects here sometimes have more managers than implementers involved, and lots of cross-talk, and lots of dotted lines to people in other teams, and so I’ve learned to optimize my efforts in any area by making sure the main stakeholders and ultimate decision makers make up their minds for sure before doing too much heavy work. It breaks my heart to work nights, weekends and sick hours to deliver something, and then have to re-do it because someone that wasn’t in a couple of meetings decides against it, or scrambling at yuck times to deliver information that never gets looked at.
Like I mentioned in your office last week I realize that this is not, strictly speaking, your fault, or your problem. If I’m told to work on something I gotta do it, but if it seems like I push back, the above screed might explain why. But I’m not pushing back out of laziness, petulance, or spite. It is also not personal. I recognize your credentials, background, and education and I’m glad we have someone with that experience and credibility in your position. I’m not certified and I don’t even have a college degree, but I will tell you that for sure I’ve done a lot of the in-the-trenches kind of grunt work and lots of incident remediations, and log crawls, and packet sniffing, etc. and even gotten the chance to work with law enforcement and “black ops” kind of engineers-without-portfolio at Microsoft and McAfee and even knocked back beers with Scott Riley and Jesper Johanssen at a Microsoft security seminar and talked for hours about how to defeat rootkits. I normally lean towards skepticism and initial silence unless stuff is acting REALLY pear-shaped.
I feel like Gregory Hines, with all this tap-dancing I'm doing, hahaha.
_S
B2
From: Coury, Todd
Sent: Tuesday, June 12, 2012 10:57 AM
To: Vasquez, Moira; Swain, Craig; McGuire, Lynn
Subject: RE: Microsoft TAM ?
Really long email. Will read it in a bit.
Here is the TAM info
Chris Laughinghouse
(713) 875-7196
From: Vasquez, Moira
Sent: Tuesday, June 12, 2012 10:22 AM
To: Coury, Todd; Swain, Craig; McGuire, Lynn
Subject: Microsoft TAM ?
Todd, Craig,
The purpose of this email is to request a meeting with the Microsoft TAM to explore our options for their support of security objectives during the Windows 7 roll-out. I would think we could negotiate some tactical support to ensure our roll-out is support secure (ideally at no cost, yet that option would need to be discussed /explored).
Background
I’ve been looking around at our options and alternatives for Windows 7 desktop settings selection. No matter what we choose, I think we should be able to notionally agree that a best practice security approach is to select a way of checking settings which is repeatable, low cost and easily automated to deal with new images and a changing threat landscape over time…
I’ve been looking at some options and alternatives for settings:
A. Take Microsoft recommended configurations
B. Compare Microsoft recommendations to an industry standard such as CIS and take best of breed: http://www.cisecurity.org/
C. Look for a gold plated solution such as NIST: http://web.nvd.nist.gov/view/ncp/repository
Given there are no regulatory pressures, and I need time to establish buy-in and a security program, I would suggest we consider option A to begin with as a matter of tactical due care. I don’t think the organization is ready for more yet. I would suggest that using the manufacturer's recommendations for securing the desktop environment is easy to defend, if there were an incident.
The reason I would like to explore discussions with the TAM is that Microsoft has bundled their recommended security configurations in the SCM tool http://technet.microsoft.com/en-us/library/cc677002.aspx. I spent most of yesterday looking at this tool, but was struggling to figure out how to really make it work for our deployment. Perhaps they would provide us with a resource to go through the tool and figure out how to make use of it during the deployment roll-out. Given the aggressive schedule of the project, it may be most beneficial to see if Microsoft would give us some training on how to best use SCM for our deployment or offer better alternatives to us.
Please keep in mind this discussion is intended to be about settings. For “procedures”, I think we will need to work further on the agreed security program on the most sustainable and cost effective way to manage security over time.
What do you think? Lynn, any thoughts?
Kind Regards,
Moira Vasquez
Security Compliance Manager