Life through the eyes of a security geek

I had dinner tonight with a vendor. They wanted to meet to talk about some of the challenges that I'm facing at work. We've had meetings before about what they can do for me and for my company to ease the pain of developing a security program and getting some of my initiatives off the ground and into production. As we talked about some the pains and the pain points (aka management and others who don't always understand security) one of the guys made a comment that struck home. He said that we look at the world through different eyes than network guys, server guys, application guys, etc.... How true.

That's why we can sit in a meeting and listen to someone from another IT discipline talk about a project and pick security vulnerabilities and issues out of thin air. These guys have been working on this for weeks or months and trying to avoid the very things that we see but still miss them. We have conditioned ourselves to not only look for potential security issues but also to look for ways to make it work in spite of the problems. We look for ways to enable business not hinder it. We look for ways to make things happen in a manner that secures the environment while allowing the user to do his/her job with minimal disruption.

I've said it before and I'm sure I'll say it again. IT is one of the first departments that needs to get a real clue as to how security works. IT needs to go beyond knowing how to secure their devices and environment but they need to understand security and how it affects the business as a whole. They need to understand how security fits into the business and not just how to secure. When you have one without the other you chance causing unnecessary disruptions, spending more money than necessary to secure the environment and deploying technologies that don't fit into the "big" picture.

So if you are in IT (or even if you aren't) take the time to learn what you can about how security works and why it works. It will give you a better understanding of why the Security department does some of what it does and it will allow you to deploy devices, applications and networks that are secure. They will be secure and they will be more likely to be secure in a way that fits into the big picture and in a way that fits into the business need.