Wednesday, April 1, 2009

Crossing Over

One of the most difficult things to do for a technologist is to take a tour of duty on the other side of the table.

For someone who deals every day with the technology and realities of security it's difficult to understand why anyone in their right mind would want to do things the wrong way.  And yet, every day we're presented with oft-bizarre problems that defy logic and sometimes even common sense - coming from whom we would otherwise thing of as reasonable people.  Our associates in the business world can sure as the sun rises ask for some ridiculous things some times, right?  What makes them tick and why do they think the way they do?  There is a bit of magic that happens when one understands the mind of a business analyst because we can then communicate using the same language and on the same level.

Whilel this sounds great in theory let me first point out why it's so difficult for technologists to comprehend the vernacular of business and the logic.  From the outset technologists are taught to see the problem as a technology-centric problem.  When packets don't cross the wire, the wire must be broken... or something on that wire is dropping the packets on the floor.  If we've just patched a server and upon reboot it goes nuclear then the obvious thought that comes to mind is the patch must somehow cause the defect.

We technologists get a tunnel-vision for technology solutions and everything begins to look black and white.  Every problem is either solvable, or it's not.  The network is either secured by the firewall, or it's not.  The server is either patched or it isn't.  Things are either secured... or they're not.  Black or white.  Yea... that's mostly wrong.

What we consistently fail to see is the middle ground out there, the gray areas, the good enough that eludes our technical genius.

So the most logical thing to do is to cross over.  Go shed your technical propeller-hat and become a business analyst for a few months... but this is a lot more difficult than it may seem at first.  Standing in the midst of people who don't think like you do, who don't immediately throw technology at a problem - that may be more difficult tha you're prepared to handle.  Remember... technology is simply an enabler for the business.  Often times the correct answer for the business is absolutely the wrong answer for technology and security - but it's got to be done.

Here are a few things you'll need to change your thinking on in order to succeed as a business analyst:
  1. IT is a tool to accomplish a business-end
  2. Risk is acceptable, to a degree
  3. Cost is important
Crossing over, and understanding the other side is paramount in a successful technical security agent's career.  Understanding the mindsets, the drives, and the goals of the business side of things will make you better prepared to have a conversation about security.


No comments: