As a networking professional, you can't just focus on the nuts and bolts (or bits and bytes) of what you do. As
a high-level network engineer or manager, particularly in bigger companies, you will need to establish and maintain relationships with other departments in your company. Some of the most crucial people with whom you need to have a good rapport are in your organization's security department.
Although these people may sometimes seem to hinder you in doing your job, it's important to understand the role they have been granted and why they are empowered to perform that role. Network security is a much more important focus in the corporate world today than yesteryear. With an increased number of attacks assailing your network, there may be nothing more important organizationally than securing the network infrastructure. At many levels, that is perceived as being more important than deploying new core switches or file servers.
What can you do when the security staff opposes your position? One option is to fight them or try to work around them -- figure out what the loopholes are and do your best to get things done without Security's involvement. Despite your best intentions, rest assured that people will find out what you're doing and it won't be a good thing.
For instance, suppose you are trying to complete an important milestone on your project plan but have encountered some problems. You want to have the ISV log on to your system to fix the problem because that would be the most efficient way of resolving the issue. The ISV is willing to do this at no charge. What is the problem? Security, of course. They have locked down all ports and established a formal policy preventing external access to internal systems of any kind. The paperwork that must be done to work around this could take at least a week.
Many will try to use brute force to fix the problem on their own, working with phone vendor support, or they will attempt to circumvent the system by using something like WebEx to have the vendor directly log into the system, without the security staff's knowledge. Many security departments don't know how to block this, so we'll do what we have to, right? Wrong! Apart from the security risk, your personal risk here can be huge -- you may not have a job tomorrow.
The other option you have is to work with your security staff. What I would do here, and have done successfully, is set up a meeting with Security to discuss the WebEx session. It is possible that your company's security policy even supports this already! The worst thing you can do is hide stuff from Security. Work with them and establish the relationships you need to succeed.
You may need to compromise on issues such as which subnet to put an application on, but at the end of the day, you should still be able to do deploy what needs to be done. Try to establish harmonious relationships with the people you need to have on your side. In my last position, I saw very petty battles fought by network staff against the security department. Those battles were fought primarily as power plays. The network engineers felt that Security was overstepping its bounds.
The strategic goals of IT and the security department don't always mesh. The strategic goal of IT is usually to support functional departments in making money or to put in systems to increase efficiencies to save money. Too often, the goal of corporate security seems to be to take absolutely every precaution, no matter how mindless, with no regard to the effect on the rest of the business.
In a case where you feel that Security is truly hindering the business, the VP in your group will need to take matters a step up and go right to the CEO. It is not the job of a network manager to do this type of politicking. Bump it up the food chain and recognize that not every battle can be won, and -- more important -- choose your battles wisely!
That said, here are some hints for maintaining a good relationship between your networking and security departments:
- Include security staff in planning meetings with functional staff or meetings that determine network infrastructure issues.
- The relationship that you develop with the security department will largely depend on your attitude. If you see them as a stumbling block in your efforts to get real work done, then that's what they will be. Change your mindset, and you will be able to move past the notion that Security is there to make your life difficult.
- Choose your battles: Don't create strife over minor issues.
- Be willing to compromise in the interest of the greater good (your company).
- In a worst-case scenario, you may need to involve your VP.
To recap, you must understand that corporate IT security policies are really not put into place to inconvenience networking staff. They are there to enable business to do everything it needs to do, in a responsible manner that does not put the company at risk. If you can understand that working with them is truly in your interests, you will eventually be much better for it. More important, so will the business, in whose interests you are presumably fighting these battles in the first place!
About the author: Kenneth Milberg is systems consultant with his own independent consulting firm, Unix-Linux Solutions. He has fifteen year's worth of experience with Unix and Linux systems, as well as broad technical and functional experience with AIX, HP, SCO, Linux and Solaris. Milberg holds certifications with IBM (IBM Certified Systems Expert - eServer p5 and pSeries Enterprise Technical Support AIX 5L V5.3 & IBM Certified Specialist -HACMP), SUN (SCNA,SCSA), HP (HP Certified -HP-UX administration) Cisco (CCNA) and Oracle (OCP-DBO).