Security Education & Training

4 Ways to Improve IT Collaboration

For a long time, security was its own entity in the IT infrastructure. Security and IT didn’t always see eye to eye, and there were often points of contention. Nowadays, as collaboration between the two has become more common, IT and security are combining forces to better understand the risks and threats to the enterprise. IT looks to security for expertise on finding weaknesses, how they can be exploited, and how big a particular weakness or vulnerability is. Security needs IT to help implement proper controls.

As this collaboration increases, there are four ways for security professionals to better understand the relationship between security and IT (and even the business) in order to better protect the enterprise and make themselves more valuable to their companies in the process:

1) Get out of your chair. You don’t establish relationships by sitting at your desk and sending emails. You establish relationships by talking to people as much as possible, whether it be face-to-face, over the phone or using new technologies, such as Skype. Develop relationships with those in the IT department and in other business areas within your company. As you develop these relationships, start to work on building trust by listening to the problems of those in other business areas and sharing your problems as well. Help your colleagues by showing them that you care about their issues and want to help them solve their problems. People don’t care how much you know until they know how much you care.

This also means becoming involved with different organizations, whether it be a local or online chapter. Some of the larger organizations are ISSA (the Information System Security Association) and ISC2 (the International Information Systems Security Certification Consortium). Both of these have local and national chapters. Another is InfraGard, which is an organization that works in conjunction with the FBI to discuss all aspects of security.

Participating in these groups will make you realize that you are not alone as a security professional. Others have walked the same path for years and are eager to help those in their community.

2) Attend conferences and meetings at both the local and national level. This ties into No. 1 quite a bit, but it’s important for security professionals to attend both security and IT conferences. These are opportunities for you to get out, meet people and find out what the latest threats and vulnerabilities are. At the conferences, you can watch presentations from industry experts to stay up to date on what’s happening in the world of IT and in the world of security – or even in the world of business. You can also learn more about the current best practices and standards by talking with those who are at the cutting edge of their process or technology.

3) Pursue formal training and/or education. First, understand the difference between training and education. Training will teach you a very specific skill, while education teaches you the critical thinking necessary to work with those skills. On the training side, there are numerous classes you can take to boost a particular skill.

On the education side, it is important to realize that technology alone does not solve or prevent problems. Technologies are just tools you use by having the right training and experience. With education comes the knowledge and critical thinking skill set necessary to solve not just one problem but multiple problems. Another thing that education gives you is exposure to different subject areas and problems within each of these subjects, as well as knowledge about how to solve these problems using many different types of tools and techniques.

You’ll need the right combination of training and education in order to get hired and do well in your position. There is no magic bullet where you can say, “Well, if you do all of this, you’ll be guaranteed a job.”

4) Always Be Curious (ABC). You can also call this “always be learning.” One good problem-solving technique that I use all the time is called the “five whys.” Ask yourself why five times. For example, why is this a problem? Why did this occur? Why wasn’t this prevented? Why is this the best solution? Why will my solution prevent the problem from occurring again? This includes using the professional network discussed in the earlier points to discuss the situation with professionals both inside and outside your company. Make sure to read current news, websites, blogs and literature. Going back to the collaboration between security and IT, don’t just read about security but also read about IT and the business practices in other parts of your industry. Understand how your business works, and what your company is in business to do. Most companies are not in business to do security, and you should know what your business processes are.

Another important part of being curious is studying on your own. Do your homework. If you aren’t familiar with a topic, you don’t need a big budget in order to learn more about it. There are a ton of free resources on the Internet. In addition, don’t be afraid to use your network to learn more. If you don’t know much about a particular technology, find an expert to answer your question. Ninety-nine percent of the time, someone will be willing to help you if you come across as being curious and wanting to learn.

The last part is being willing to play. Get out and practice on your own systems. Try out new things, and set up your own virtual lab. It doesn’t cost anything, and PCs are so robust nowadays that it is very easy to set up a virtual lab on one computer. One of the best ways to learn is to use your own systems, and if you accidentally destroy something, all that is harmed is one of your own systems. And, if it’s a virtual system, you can just wipe it away and restart it without hurting your base system.

One thing to keep in mind is that to be a good security professional, the most important attribute is maturity. Once you’ve been around the block and understand how things work, you will know how to influence your environment in a positive fashion in order to improve security. In addition, you will know how to see things from others’ viewpoints in order to understand whether they have a valid concern or are just throwing up a roadblock. But how does one gain this maturity? This goes back to attending conferences, pursuing more training and education, and remaining curious. Performing these activities within your organization and outside network will give you a chance to learn how things have been done in the past, whether procedures or solutions can be successful, and whether there might be some pitfalls.

This maturity will also help you tackle complicated problems and come up with more than one potential solution, as problems often are not black and white with only one solution. Proper problem definition is often a key challenge, and these techniques will put you in a position to best identify ways to approach problems and solutions from both a technical and non-technical standpoint. 

 

This article was previously published in the print magazine as "Want Better IT Collaboration? Be Willing to Play (and other tips)."


Recent Articles by Ron Woerner
