Professionals starting in network security (or any other specialized IT job) are often concerned about improving their skills and knowledge in networking and the products and gear they spend most of their time with. Although it’s extremely important to know the technology you work with, it’s also very important to learn at least a little about all the other technologies you may find in the IT environments you’re (and will be) dealing with. Even very basic tasks as defining or reviewing firewall rules are challenging when there’s no context available. I’m tired of seeing people with stupid hardwired rules in their minds (HTTPS is good; FTP is bad; and so on…) struggling to understand why a specific control is in place or swallowing stupid justifications such as “we need port 80 open both ways (bi-directional – ugh) for this app to work” just because they know nothing about any other technology or process that is not directly related to their job descriptions.
Almost all security professionals learn that the Business defines Security, and not the opposite. However, few are able to tell you how to transform that piece of wisdom into practical advice. So here it is: learn about what the organization is doing:
· What does the “business people” do?
· Which applications do they use?
· How those applications work? What kind of data, architecture, protocols?
· What’s the data flow for the business? What are the people’s roles in the business process?
There’s plenty to learn from the other IT silos too, such as:
· What is running on all these servers? What do all these applications and middleware do?
· How are the operations teams doing their jobs? How are they accessing and connect to servers and applications? Jump boxes? Shared IDs?
Learning about how the organization works is as important as learning more about security. You’ll find which issues are easy to fix, what process deficiencies will keep spitting out vulnerabilities, how controls will or will not work. Security is usually not part of their core job descriptions, so don’t expect them to go the extra mile to understand how security should be done for their context. If you want it to work, get that context yourself and apply your security knowledge to it. You’ll be far more effective and, surprisingly, they will listen when you start to sound like you know what they do.