As I mentioned in passing last week, I had a job interview at the end of the week. There was one question, near the end of the interview, that’s a fairly common question, but I wanted to record my answer to that question because I think it’s important.
The question: What do I see my next role being?
Fair question. I said I didn’t know for sure, but I knew what I have to do to find out.
I’ve actually known for a couple of months. I’ve been on a new journey, and there are two things that I am trying to do. Even though I was interviewing for a security position, these two things aren’t pure security, so they’re a little bit counter-intuitive, but I think they’re the key to moving forward.
The first is working on certain soft skills. There is an art form to getting people to help you, and getting people motivated to come along with you, work together to get things done, and make something better than what always has been. Some people seem to be born with that ability, but for those of us who weren’t, it’s a skill that can be taught and learned. And since I’ve started that journey, I’ve seen a difference. There are still difficult people out there, but some of them help anyway. I’m still listening to podcasts and learning, but that’s going to be part of it.
The other part is a change in mindset. I think people have been saying this a while, but sometime around the start of the new year, it registered with me and I started hearing it. Security isn’t IT. IT is an important element of security, but security is more than IT. Security is business. That can be good, but it’s mostly bad, because so many security people understand IT intimately, but few security people understand business and even fewer business people understand security.
If we ever wonder why nobody likes the security department–and that’s a sentiment I’ve seen everywhere I’ve been–that’s why. We’re stuck between two worlds, neither world understands us, and we only understand one of those worlds as well as we probably need to.
So I’ve been trying to read books about business. It doesn’t seem 100% natural, but security can’t expect business to meet it halfway. But I have this crazy idea that if we as security people try to meet the business people at 90%, then the business people will be a lot more motivated to give their 10%.
I don’t know what’s going to happen after a year or two or three of doing those two things. But that’s how I’ll know what’s next.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Another thing security ISN’T –absolutely keeping people out or from doing bad things. Sure you minimize that as much as possible, BUT what you always want to do is be able to figure out what they did. Among other things this is called — well we’ll call it ‘hidden logs’ placing logs, usually copies where NOBODY will look for them, but not instead of, IN ADDITION to. Let the buggers ‘erase their tracks’… or think they have.
chuck
Chuck, it’s fantastic to hear from you. You’re 100% right, and I’ve spent the last 9 months of my career supporting a huge centralized logging system. Whatever you do on any other system gets spooled off over there, and only about a dozen people besides me have a clue it’s happening. Any place worth its salt does the same thing–it’s practically a regulatory requirement.