Farquhar’s security New Year’s resolutions

As I mentioned in passing last week, I had a job interview at the end of the week. There was one question, near the end of the interview, that’s a fairly common question, but I wanted to record my answer to that question because I think it’s important.

The question: What do I see my next role being?

Fair question. I said I didn’t know for sure, but I knew what I have to do to find out.

I’ve actually known for a couple of months. I’ve been on a new journey, and there are two things that I am trying to do. Even though I was interviewing for a security position, these two things aren’t pure security, so they’re a little bit counter-intuitive, but I think they’re the key to moving forward.

The first is working on certain soft skills. There is an art form to getting people to help you, getting people motivated to come along with you, working together to get things done, and making something better than what has always been. Some people seem to be born with that ability, but for those of us who weren’t, it’s a skill that can be taught and learned. And since I’ve started that journey, I’ve seen a difference. There are still difficult people out there, but some of them help anyway. I’m still listening to podcasts and learning, but that’s going to be part of it.

The other part is a change in mindset. I think people have been saying this a while, but sometime around the start of the new year, it registered with me and I started hearing it. Security isn’t IT. IT is an important element of security, but security is more than IT. Security is business. That can be good, but it’s mostly bad, because so many security people understand IT intimately, but few security people understand business and even fewer business people understand security.

If we ever wonder why nobody likes the security department (and that’s a sentiment I’ve seen everywhere I’ve been), that’s why. We’re stuck between two worlds, neither world understands us, and we only understand one of those worlds as well as we probably need to.

So I’ve been trying to read books about business. It doesn’t seem 100% natural, but security can’t expect business to meet it halfway. But I have this crazy idea that if we as security people try to meet the business people at 90%, then the business people will be a lot more motivated to give their 10%.

I don’t know what’s going to happen after a year or two or three of doing those two things. But that’s how I’ll know what’s next.

2 thoughts on “Farquhar’s security New Year’s resolutions”

  • February 28, 2014 at 11:06 pm

    Another thing security ISN’T: absolutely keeping people out or keeping them from doing bad things. Sure, you minimize that as much as possible, BUT what you always want to be able to do is figure out what they did. Among other things this is called (well, we’ll call it) ‘hidden logs’: placing logs, usually copies, where NOBODY will look for them; not instead of, but IN ADDITION to. Let the buggers ‘erase their tracks’… or think they have.

    chuck

    • February 28, 2014 at 11:19 pm

      Chuck, it’s fantastic to hear from you. You’re 100% right, and I’ve spent the last 9 months of my career supporting a huge centralized logging system. Whatever you do on any other system gets spooled off over there, and only about a dozen people besides me have a clue it’s happening. Any place worth its salt does the same thing; it’s practically a regulatory requirement.
