My friend Lee used to work for a company that did sales training. Sales is, at its very essence, about persuading people to buy something. Even if they need that something, you have to persuade them to buy yours, rather than someone else’s. And one of the big maxims Lee’s company would teach is that logic is not persuasive.
And it’s true. I have my own version of the phrase: “Don’t drag logic into a conversation where she’s not invited.”
There’s an enormous problem inside some organizations where, whether this is just perceived or actually true, the InfoSec team “maintains” security by “just saying no to everything.”
Obviously, no business can survive if one component of itself is simply shutting down all initiatives willy-nilly. “No” isn’t a security position; it’s a death knell. And, if you work for a company where this is really, really true, you should maybe evaluate your career choices. It doesn’t make sense for good IT people to work at that kind of organization, and if the answer is always “no” anyway, they don’t actually need you. InfoSec should say, “yes – but.” Meaning, they should be taking the time to understand why something is necessary to the business, understand how it works and what its vulnerabilities are, and understand how to safely and securely introduce it to the business.
Just as many IT Ops people are not experts in the InfoSec disciplines like auditing, forensics, pen testing, incident detection and response, and so on, many InfoSec people are not familiar with the intimate details of Ops technologies, what their business benefits might be, or how they work under the hood. This is why everyone needs to work as a team to make these decisions.
“Hey, we’d like to implement PowerShell Remoting. It uses WS-MAN.”
Totally understandable conversation, actually. It should have gone like this:
“It’s massively lower-weight in terms of server overhead, and unlike RDP it’ll trigger less mandatory restarting of servers – so we get better availability.”
“How’s it work?”
“It runs over a single port, and we should have a requirement that that port be HTTPS. Credentials are delegated across that connection – no clear-text passwords! – and I can show you how we’d enable full-text auditing of everything admins do via that channel. It’s actually a lot more auditable and locked-down than RDP.”
“OK, let’s look.”
If you present a valid business case, and then can work together to understand how the technology works, then you’re doing it right. “We need to understand the encryption used” isn’t a challenge you need to defend. The proper response is, “yeah, we do! I don’t know a ton about encryption – can we dig into this together?” Encourage that teamwork. Nobody should be on the defensive or offensive – you’re all supposed to be working for the same team. Too many times, though, the Ops folks I’ve seen go down this road – with anything, not just PowerShell Remoting – aren’t taking a team approach, and they’re not making a business case.
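As an added example, not from the original post, here is the PowerShell an Ops team could bring to that conversation: it leaves WS-MAN answering only on an HTTPS listener and turns on the transcription and script block logging that make the channel auditable. The certificate thumbprint and transcript directory are placeholders, and the script assumes a server-authentication certificate is already installed in the local machine store.

```powershell
# Added example (not from the original post): lock a server's WS-MAN endpoint down to a single
# HTTPS listener and turn on full-text auditing. Run elevated on the target server.
# ASSUMPTION: $CertThumbprint is a placeholder for a server-auth certificate already present in
# Cert:\LocalMachine\My whose subject matches the server's DNS name.
$CertThumbprint = 'PLACEHOLDER-THUMBPRINT'
$TranscriptDir  = 'C:\PSTranscripts'   # constructed path; in practice use a write-only network share

# 1. Remove any plain-HTTP listener so WS-MAN only answers on the HTTPS port (5986 by default).
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# 2. Create the HTTPS listener bound to the certificate, and refuse unencrypted traffic outright.
if (-not (Get-ChildItem -Path WSMan:\localhost\Listener |
          Where-Object { $_.Keys -contains 'Transport=HTTPS' })) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
             -CertificateThumbprint $CertThumbprint -Force | Out-Null
}
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic      -Value $false   # no Basic auth on the wire

# 3. Open only the HTTPS port on the host firewall.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound -Protocol TCP `
                    -LocalPort 5986 -Action Allow | Out-Null

# 4. Full-text auditing: the same policy keys Group Policy writes for
#    "Turn on PowerShell Transcription" and "Turn on PowerShell Script Block Logging".
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 5. Verify: every remaining listener is HTTPS and bound to the expected certificate.
Get-ChildItem -Path WSMan:\localhost\Listener |
    ForEach-Object { Get-ChildItem -Path $_.PSPath } |
    Where-Object { $_.Name -in 'Transport', 'Port', 'CertificateThumbprint' } |
    Select-Object Name, Value
```

Transcripts land in $TranscriptDir and script blocks are written to the Microsoft-Windows-PowerShell/Operational event log, which is what gives InfoSec the "full-text auditing of everything admins do via that channel" that the dialogue promises.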
And let’s say you do start the conversation right, with a business-level justification (with some numbers, please – businesses understand numbers). You do go in as a team player. If you still get needlessly rebuffed without even a fair hearing, and without a reasonable justification (“yeah, not now – we’re busy recovering from the 10M user accounts that were compromised last week, k?”), then…
Evaluate your career choices. Ask yourself why you’re so broken inside that you’d work for a dysfunctional situation.
Ever invest money? Like, even a 401(k) or something? What’s the first piece of advice you’re usually given by investment people?
The idea in finance is that, if one part of your portfolio sucks at the moment, you kind of want it balanced with something that doesn’t suck. So you invest a bit in domestic, a bit in international. A bit in stocks, a bit in bonds. That kind of thing.
Investing solely in one kind of thing creates what’s called a homogeneous portfolio, and it’s typically a bad idea. The same applies to your career.
Orin Thomas recently told me that the average IT Pro, in the Microsoft world, is 43 years old. Makes some sense; younger kids tend to be attracted to younger companies, and younger companies are largely deploying Linux for their big dot-com-startup projects (which is why Microsoft ❤️ Linux all of a sudden). So there are fewer young people getting into Microsoft-centric IT Ops.
And so we’re having a midlife career crisis.
Man, these guys are a lot smarter than me. I’ll just sit here and try to look pretty.
Here’s a little secret: Every one of us feels that way, almost all the time.
I feel fortunate to have been pretty successful – by my family’s measure, if nobody else’s – in my career. I’m often asked if there was a secret to it all – and the answer is “yes.” My former business partner, Greg Shields, and I had three simple rules. These apply whether you’re independent, working for a company, or thinking about your customers.
I talk, and write, a lot about how important it is to think about your career. To feed your career. To keep your career foremost in your vision.
There comes a time when your career is doing pretty well, and you’re comfortable resting for a moment and enjoying what it’s brought you. There may also come a time when you’ve gotten pretty far along in your career, and you start to think, “what’s next?”
Let me propose something.