Blogger: Eric Maiwald
In security, we must understand how we are perceived by the business. What we think is critical may not matter at all to the business overall. We will not learn what matters to the business if we only focus on security vulnerabilities and the latest technology. We need to get out and learn how the business functions and how security impacts it. A recent experience brought this home to me.
I was in the Midwest visiting friends and I had the pleasure of being introduced to a man named Neil. Neil works in the maintenance division of a large agricultural services company. When he found out that I worked in IT security, he launched into a story about two IT people he knew. The first IT guy he really liked. This guy came into the division where Neil worked and helped them get their computers up and running. Neil explained how the computers helped him do his job and how this IT guy really paid attention to how the shop was run. Neil lamented the fact that this “good” IT guy took a job with another company and left.
Neil then launched into a story (you could almost call it a tirade except that Neil didn’t raise his voice) about the second IT guy (let’s call this the “bad” IT guy). The bad IT guy showed up and started changing things. He introduced a new system to track parts in inventory and then found ways to cut costs by reducing the inventory. Neil went into a long discussion about the parts inventory. It seems that his shop has to maintain a lot of equipment – much of it quite old – and they kept a lot of older parts on hand for the simple reason that some of the parts were hard to find. In addition, the mechanics would often only use components of a part if that was all that was really needed and they would keep the remaining components for use at some later time. Neil freely admitted that they were pack rats to some extent but he explained that they hoarded some of the parts because it allowed them to fix equipment quickly and get it back into operation without waiting for a part to arrive.
It is still unclear to me what position the bad IT guy held within Neil’s company (and it really doesn’t matter for this story – Neil perceived him as an IT guy) but he was able to change the parts inventory practice and get rid of a lot of the older parts. This was touted as a cost-saving measure and was done without consulting the people who did the work. Without the parts readily available, the time to repair older equipment increased. Equipment waited for parts to arrive (or in some cases to even be found!) and the overall availability of the equipment suffered.
So why am I relating this story? Neil’s perception of IT is formed by the IT people he interacts with. On the one hand, the good IT guy paid attention to Neil and his coworkers. He provided support for their work and helped them improve the shop practices. The bad IT guy didn’t learn how and why certain business practices existed in the shop. He only saw the potential cost savings without understanding how changing the practices might increase other costs and reduce the availability of equipment.
Who do you want to be? Who do you think your business perceives you to be? We need to be more like the good IT guy in the story. We need to learn how the business functions, what is important to the business, and how security impacts the business.
