For a long time, security was its own entity in the IT infrastructure. Security and IT didn’t always see eye to eye, and there were often points of contention. Nowadays, as collaboration between the two has become more common, both IT and security are combining forces to better understand the risks and threats to the enterprise. IT looks to security for expertise on finding weaknesses, how they can be exploited, and how big that particular weakness or vulnerability is. Security needs IT to help implement proper controls.
As this collaboration increases, there are four ways for security professionals to better understand the relationship between security and IT (and even the business) in order to better protect the enterprise and make themselves more valuable to their companies in the process:
1) Get out of your chair. You don’t establish relationships by sitting at your desk and sending emails. You establish relationships by talking to people as much as possible, whether it be face-to-face, over the phone or using new technologies, such as Skype. Develop relationships with those in the IT department and in other business areas within your company. As you develop these relationships, start to work on building trust by listening to the problems of those in other business areas and sharing your problems as well. Help your colleagues by showing them that you care about their issues and want to help them solve their problems. People don’t care how much you know until they know how much you care.
This also means becoming involved with different organizations, whether it be a local or online chapter. Some of the larger organizations are ISSA (the Information System Security Association) and ISC2 (the International Information Systems Security Certification Consortium). Both of these have local and national chapters. Another is InfraGard, which is an organization that works in conjunction with the FBI to discuss all aspects of security.
Participating in these groups will make you realize that you are not alone as a security professional. Others have walked the same path for years and are eager to help those in their community.
2) Attend conferences and meetings at both the local and national level. This ties into No. 1 quite a bit, but it’s important for security professionals to attend both security and IT conferences. These are opportunities for you to get out and meet people and to find out what the latest threats and vulnerabilities are. At the conferences, you can watch presentations from industry experts to stay up to date on what’s happening out there in the world of IT and in the world of security – or even in the world of business. You can also learn more about the current best practices and standards by talking with those who are at the cutting edge of their process or technology.
3) Pursue formal training and/or education. First, understand the difference between training and education. Training will teach you a very specific skill, while education teaches you the critical thinking necessary to work with those skills. On the training side, there are numerous classes you can take to boost a particular skill.
On the education side, it is important to realize that technology alone does not solve or prevent problems. Technologies are just tools you use by having the right training and experience. With education comes the knowledge and critical thinking skill set necessary to solve not just one problem but multiple problems. Another thing that education gives you is exposure to different subject areas and problems within each of these subjects, as well as knowledge about how to solve these problems using many different types of tools and techniques.
You’ll need the right combination of training and education in order to get hired and do well in your position. There is no magic bullet where you can say, “Well, if you do all of this, you’ll be guaranteed a job.”
4) Always Be Curious (ABC). You can also call this “always be learning.” One good problem-solving technique that I use all the time is called the “five whys.” Ask yourself why five times. For example, why is this a problem? Why did this occur? Why wasn’t this prevented? Why is this the best solution? Why will my solution prevent the problem from occurring again? This includes using the professional network discussed in the earlier points to discuss the situation with professionals both inside and outside your company. Make sure to read current news, websites, blogs and literature. Going back to the collaboration between security and IT, don’t just read about security but also read about IT and the business practices in other parts of your industry. Understand how your business works, and what your company is in business to do. Most companies are not in business to do security, and you should know what your business processes are.
Another important part of being curious is studying on your own. Do your homework. If you aren’t familiar with a topic, you don’t need a big budget in order to learn more about it. There are a ton of free resources on the Internet. In addition, don’t be afraid to use your network to learn more. If you don’t know much about a particular technology, find an expert to answer your question. Ninety-nine percent of the time, someone will be willing to help you if you come across as being curious and wanting to learn.
The last part is being willing to play. Get out and practice on your own systems. Try out new things, and set up your own virtual lab. It doesn’t cost anything, and PCs are so robust nowadays that it is very easy to set up a virtual lab on one computer. One of the best ways to learn is to use your own systems, and if you accidentally destroy something, all that is harmed is one of your own systems. And, if it’s a virtual system, you can just wipe it away and restart it without hurting your base system.
One thing to keep in mind is that to be a good security professional, the most important attribute is maturity. Once you’ve been around the block and understand how things work, you will know how to influence your environment in a positive fashion in order to improve security. In addition, you will know how to see things from others’ viewpoints in order to understand whether they have a valid concern or are just throwing up a roadblock. But, how does one gain this maturity? This goes back to attending conferences, pursuing more training and education, and remaining curious. Performing these activities within your organization and outside network will give you a chance to learn how things have been done in the past, whether procedures or solutions can be successful, and whether there might be some pitfalls.
This maturity will also help you tackle complicated problems and come up with more than one potential solution, as problems often are not black and white with only one solution. Proper problem definition is often a key challenge, and these techniques will put you in a position to best identify ways to approach problems and solutions from both a technical and non-technical standpoint.
This article was previously published in the print magazine as "Want Better IT Collaboration? Be Willing to Play (and other tips)."