I had dinner tonight with a vendor. They wanted to meet to talk about some of the challenges that I'm facing at work. We've had meetings before about what they can do for me and for my company to ease the pain of developing a security program and getting some of my initiatives off the ground and into production. As we talked about some of the pains and the pain points (aka management and others who don't always understand security), one of the guys made a comment that struck home. He said that we look at the world through different eyes than network guys, server guys, application guys, etc. How true.
That's why we can sit in a meeting and listen to someone from another IT discipline talk about a project and pick security vulnerabilities and issues out of thin air. These guys have been working on this for weeks or months and trying to avoid the very things that we see but still miss them. We have conditioned ourselves to not only look for potential security issues but also to look for ways to make it work in spite of the problems. We look for ways to enable business not hinder it. We look for ways to make things happen in a manner that secures the environment while allowing the user to do his/her job with minimal disruption.
I've said it before and I'm sure I'll say it again. IT is one of the first departments that needs to get a real clue as to how security works. IT needs to go beyond knowing how to secure their devices and environment; they need to understand security and how it affects the business as a whole. They need to understand how security fits into the business and not just how to secure. When you have one without the other you risk causing unnecessary disruptions, spending more money than necessary to secure the environment, and deploying technologies that don't fit into the "big" picture.
So if you are in IT (or even if you aren't), take the time to learn what you can about how security works and why it works. It will give you a better understanding of why the Security department does some of what it does, and it will allow you to deploy devices, applications and networks that are secure, and more likely to be secure in a way that fits into the big picture and the business need.
Security's Everyman

Wednesday, May 14, 2008
Life through the eyes of a security geek
Posted by Andy, ITGuy at 10:28 PM
Labels: Andy ITGuy, information security
Barry · 880 weeks ago
I'm sure this wasn't your intent, but to suggest that business people have a better idea of how security works than IT folks is cringe-inducing!
James · 880 weeks ago
We've all seen IT folks who want someone else to "secure" their systems by bolting on a quick fix to something they've already purchased or built. The message that such an approach isn't good for business (it achieves both poor security and reduced productivity) is often strenuously resisted.
Moving on from that isn't easy, either. I've seen IT folks who are unwilling and unable to change their processes for securing their systems despite critical business needs mandating new approaches. We get into the ironic situation of the security folks advocating fewer prevention measures in favor of more detection and quicker response, and the IT staff saying they can't handle it.
Even with management on board, the IT staff doesn't feel they can change the way they operate, meaning we lose business in the long term. Hopefully we can get this turned around before too much more of that happens.