How do you conduct yourself as a security professional?

At a recent job interview, the CISO asked me a really good question that I wish more people would ask.

He asked me how I conduct myself as a security professional when dealing with the rest of IT.

He liked my answer. I said that I came up as an operational sysadmin, and I still think of myself as a sysadmin, not as Security Dude. I understand system administration, and I know when I’m asking for something easy or something hard, and when I’m asking for something that’s difficult, I acknowledge that it’s difficult.

I’ve seen from my own experience that it’s far more productive to be collaborative rather than dictatorial. Dictating to the rest of IT causes resentment, but collaborating with the rest of IT leads to good working relationships, which leads not only to getting what you need today more quickly, but also to getting what you need later on more quickly and effectively as well.

Traditionally, IT has seen security as an adversary, but increasingly, IT and security departments are finding it more productive to behave and act like teammates. We’re measured on different things, and that’s still a problem we have to solve, but in the end, we all want the same results: reliable, well-protected computer systems.

Something else I didn’t mention, but could have, is that I know when to keep my mouth shut. And that just because we can do something doesn’t necessarily mean we should.

I think that’s a great interview question and I hope more people start asking it.
