Security Ripcord


Using Consistent Professionalism to Overcome Ugly Babies…..errr…..Adversity

One of the hardest things for a security group to overcome is the relationship between the information technology (IT) administrative groups, including the server and workstation groups if they are separate, and the security group. Whether an organization is small and the security personnel are integrated with the IT group or the organization is large enough to support a separate security group, many of the same problems persist. There are many common and well-covered problems between these groups.

  • IT Group
    • Does not trust the technical expertise of the security group.
    • Does not believe the security group understands why the technology has been deployed in a certain manner.
    • Does not think the security group has taken cost, technical and man-power, into consideration.
    • Views input from the security group as directives instead of recommendations.
    • Cannot take constructive criticism about their environment.
  • Security Group
    • Takes it personally when their input is not acted upon, whether it was taken into consideration or summarily dismissed.
    • Believes the IT group does not have the technical expertise to secure their environment, whether or not they have the ability to deploy it effectively.
    • Believes that the IT group has not effectively identified their critical assets.
    • Believes that the IT group has not effectively evaluated the controls that protect their assets, critical or otherwise.

Certainly the list can go on and on for both sides. But when you really boil a lot of these issues down to their root cause, I think it is easy to see that they are all related to human behavior. Each one of the personnel who make up these separate roles is merely defending their individual and group understanding of an issue. In most cases these are technical issues, something that the personnel can touch and feel. Something that they have molded and cared for during design, development, deployment, and maintenance. And when somebody comes along and starts providing input, whether critical or not, the individuals or group of individuals have a tendency to take it personally. I like to refer to it as the “ugly baby problem.” (If I could remember where I first heard this I would reference it properly.) Nobody likes to hear that their baby is ugly. Even if the word “ugly” is not used, when you start pointing out how fat, baggy, pointy headed, close eyed, huge eared, etc. a baby is, all the parents hear is, “Damn, that is one ugly baby!” And so human nature kicks in. People pull back and, either privately or publicly, take a defensive stance. And when a person or group has taken a defensive position it is very hard to lure or pull them out of it. In the military we were told that when attacking a defensive position the attackers should bring three times as many personnel as those who are defending the position. In the business world I would advise managers planning a project that it is going to take three times as long to accomplish the project if there is a personality conflict between groups. Actually, I would say it will take more than three times, but no business manager will want to see those types of numbers and they may be more inclined to find somebody else who could bridge the divide more quickly.

What is the solution, you ask? Well, you have often heard me speak about professionalism. Certainly we can all agree that professionalism is key within any organization and especially between groups and individuals. However, in special cases such as the relationship between IT and security personnel, it has to be taken one step further. There needs to be consistency to the professionalism. My current manager has given me a great quote, “Discipline practiced over time becomes habit.” (I am not sure who originally made this statement but it appears to be a common business management methodology.) As I am a manager within a security group I will say that it is the security group’s responsibility to take the lead on disciplined or consistent professionalism. Since the security group and manager have more to lose and gain from the state of their relationships with other groups, it is up to them to realize that they do have to adhere to a higher standard. The security group has to realize that they must be consistent in their actions, approaches, recommendations, interactions, relationships, and reactions.

There is a good part to this situation. Normally security professionals have selected their profession very specifically. They have volunteered to become a member of the security group, grunt or leader, and they are usually aware that they are being held to a higher standard and that their actions undergo a magnified evaluation. Hell, most security professionals have selected this profession because of this fact. What many of them did not expect is how operating under these conditions can affect them in and out of work. Operating under these conditions will, after time, begin to take its toll. This “toll” will begin to affect their approach to their responsibilities, how they view technologies, how they interact within their own group, and how they interact with other individuals and groups. We are back to the human nature aspect again. This is all natural, but it is often very hard for individuals to understand. To this end, security professionals need to band together in a support structure. Although security managers play a critical part in helping their team and individuals identify and overcome these situations, it can also be accomplished by relationships within the group or through personal relationships with people throughout the security industry.

Security professionals who portray consistent professionalism in their careers are very noticeable and are often sought out for their guidance and input. I am willing to bet that everybody reading this post can point to one or two individuals, whether you know them personally or not, who fall into this category. It is these persons who have made a difference within their organizations, to the IT community, and the security profession as a whole. We need to take their example. We need to apply their approach to professionalism during our interactions with groups within and outside of our organizations. By doing this a security professional will begin to break down the walls that have developed, bridge the gaps that have been formed, and create fruitful interactions that benefit all parties. It is consistency of actions that will help people understand approaches and methodologies. It is consistency during interactions that will open channels of communication. It is consistency in behavior that will breed thoughtful exchanges. These, and other, combined consistent professionalism behaviors will help everybody involved understand that yes, the baby is ugly, but over time it will grow into its skin and it will develop into something that is pleasant to behold.

Go forth and do good things,

Don C. Weber
