My name, and my department’s name in general, gets thrown around a lot at work. We have a bit of a reputation as the can’t-do guys.
Professionalism dictates I not go into specifics about what kinds of things we reject or disapprove, but if I were to explain them, no security professional would disagree with me.
The other side of the argument, of course, is that the system still does its job the way it’s supposed to, and the system cost a lot of money. Here’s a story of a tense situation and how we were able to come to an understanding.
It started on Monday with a rumor that my department was shutting down their department’s servers on November 15. That prompted a scorching e-mail message in my inbox. Keeping a computer system for 20 years is completely reasonable, I read.
That set me off. Twenty years, of course, is longer than Microsoft supported Windows XP, and it’s about twice as long as Microsoft intends to support anything else going forward. Keeping a computer system for 10 years after support and maintenance ends is completely irresponsible and reckless and unreasonable, of course. Among other things.
I walked over and vented to some of my coworkers. They just shook their heads knowingly and smiled a little. This wasn’t the first time they’d heard that song and dance.
“Maybe they just don’t know,” someone offered.
“They know and they knew,” offered the longest-tenured of the group.
One of the other coworkers offered to respond, which was probably a good thing for the moment.
On Friday, guess who I met?
At an IT social function, I spotted someone I worked with 15 years ago. I walked over and re-introduced myself. He’s administering VMS systems, just as he was all those years ago, and it turns out we work in the same building, just on different floors.
We were talking, and then a third person walked up. My once and now-current coworker introduced us. It was the guy who’d flamed me in e-mail earlier in the week.
I introduced myself as Dave Farquhar from security, and added, “I know I’ve caused some trouble for you.”
That’s owning the problem. The truth was that I wasn’t going to shut down his server in November. But that discussion doesn’t solve anything. I can claim to be powerless or I can claim I’ll shut down his server that very night after he goes home, and he’ll still believe what he’s been led to believe all along. What we needed was an understanding.
So we talked. The system is going away eventually anyway, but nobody knows precisely when. Maybe February. Maybe in a year or two.
The system functions under newer operating systems. It’s not necessarily optimal, but he has workarounds, and he has a newer server he can load it on. He can even run it side by side for a month or two to validate it’s working well enough. And that would buy some time to get a more permanent, longer-lasting solution in place if it turns out they need it.
His interim solution won’t be popular in all circles, but it’s better than anything else we can throw together in the next month or so. I told him I would go to bat for him. It will function well enough, we can secure it adequately, and then we have time to build something better if it turns out we need it.
A five-minute face-to-face conversation didn’t solve everything, but it accomplished more than a week’s worth of back-and-forth over e-mail. It allowed us to both see we are human beings who want to solve a problem, and aren’t just Internet trolls trying to wind each other up.
This is probably the toughest part of being a security professional. Working the balance between protecting the business and meeting the business’s requirements requires room to compromise, and there’s never as much room for that as we would like. But it’s a skill we have to learn. And when we can give a little, I think we have to, so we build up some goodwill for those times when we can’t budge.