Compromise: Where It All Went Wrong

Written by: Matt Yonchak
From Eye of the Storm - October 2008

A certain boss of mine who shall remain nameless (not Bill or Brian) told me the other day that I need to compromise more. Granted, he was talking about golf, but he got me thinking.

We as information security professionals are asked to compromise in one manner or another almost on a daily basis. In my opinion, compromise is one of the many enemies of IT security people. It’s fine to compromise when you are at home and you and your wife are deciding what to watch on TV, but not when it comes to the security of the network you are paid to protect. Compromise is supposed to mean that each side concedes something. However, when it comes to security requests, it usually means you are being asked to change while the person making the request has no plans to do so.

I think the common example of this is the interaction between a company’s application team and the security team. One of the application guys comes to you and says that they have this new software and have installed it on some of the servers. Now they need you to make firewall changes to allow them access to what they need. This is where your stance on compromise is tested. Many security people would ask for a list of ports and, when given it, would open the firewall for the requested access. But not you: you are going to ask them what the application is used for. You’re going to ask them questions like: Is the software up to date? Are you willing to submit it for a penetration test before we NAT it to the Internet? You’re going to do some research to see if that software has any known vulnerabilities. As a competent security professional, you will do all those things before agreeing to any changes.

Please don’t mistake what I’m saying for being confrontational either. Too many people in this industry lack “people skills” and would rather argue than work with someone to fix a problem. Work with the development and application people at your workplace. Take a proactive approach and communicate with them so they know what will need to happen from a network security perspective. Help them when they are making the decision of what software will be purchased. I know this may be from my own little reality where everyone plays nicely, but if you make yourself accessible, people will come to you. If they know you will have to put your foot down if they don’t work with you, then they will be more eager to avoid those confrontations down the line.

I understand that not every situation is black and white. I know you may not always be in a position where you can dictate security policies and they are taken as law, but don’t compromise because it’s easy to do or you know that taking a stand will result in a fight. Work with those around you to avoid that fight. You will win more friends and keep your network safer if you draw that line in the sand that will not be crossed, but are willing to help people a hundred yards before they get to the line.