Do network and security pros get along?

Tags:
Networking
Security
Hello, I'm an editor for SearchNetworking.com, and I'd like to throw out a question.

I know that SearchNetworking readers are very interested in network security, but there also seems to be tension between the networking team and the security team in large organizations. Does anyone have any experience with this? Do your teams work together and have similar objectives, or are they at odds? Can you describe a project where the two sides of the house worked together successfully?

Thanks in advance for any insight you can offer. If you would rather e-mail me directly, my address is sfogarty@techtarget.com.

Susan Fogarty
Senior Site Editor, Networking Media Group
SearchNetworking, SearchMobileComputing, SearchEnterpriseVoice
(781) 657-1471
sfogarty@techtarget.com

TechTarget, The Most Targeted IT Media
http://www.techtarget.com/

Answer Wiki


You certainly seem to be providing me a soapbox this week!

There seem to be two general factors affecting the relationship.

1) How close the groups are organizationally speaking, and the overall attitudes of their management – meaning whether or not they have been set up to be adversaries.

2) Whether or not the groups work together on a regular basis solving problems – which allows mutual respect to develop.

My personal take on the relationship business is that if people take the time and effort to treat their colleagues with respect, that goes a long way toward making things work better.

Bob

Discuss This Question: 10  Replies

 
  • Ve3ofa
    Networking is about enhancing connectivity. Security is about restricting connectivity. You can't have a super secure system without trading off some user flexibility/connectivity. So it is a team collaboration, and if not a team effort then it is bound to have problems. On a secured site a user can only log in via their own PC during office hours (and if that PC breaks (changes MAC address) then that user is SOL until the HelpDesk or Networking people change that user's MAC address). The aim is to have sufficient security to perform without hindering network operations. Without security the network will go down, company may fail, etc., and without the network there is less need for security. Ergo, they have to have a consistent policy set by the CTO that is responsible for both sides of the house. Security will want more restrictions and networking will want fewer restrictions; it is up to the CTO to make the final decision and set company policy. Networking then implements the policy and security monitors the policy. For instance, networking may not want to implement all patches until they've been thoroughly tested. Security wants all patches applied NOW. If a patch breaks the network then networking will bear the responsibility and burden of restoring the network. It is somewhat like engineering and marketing. Marketing may want a car with 90MPG gas consumption, 0-60 mph in 3 seconds, large comfortable car, that is easy to park and sells for less than $20K. The designer then makes up a shell that all of this must fit in, and now it's up to engineering to make it all work. As you can clearly see there will have to be trade-offs. The same goes in the computer business. If the teams work together and respect each other then you get progress. If not then you get a fight.
  • Poppaman2
    As a networking professional with an emphasis on security, I oftentimes feel like a schizophrenic: one side of me wants to be a "network Nazi" and allow only those processes which have been vetted against strict standards (think: "Ve haff vays of making zis network secure..."), while the other is more user centric and would love to allow everyone to stream their favorite radio station to their desktop while the CEO's video conference complete with VoIP connection hums merrily along. As stated so well by other respondents, there must be a happy medium somewhere, and unless the power(s) that be decide what the actual working framework will be, with allowances and consideration to ALL concerned, there will always be some level of turf battle/conflict going on...
  • ItDefPat1
    That is a difficult question, since I am or have been both, and sometimes am either. The question can be rephrased just like "router or firewall?". Routers are designed to move packets; firewalls are designed to stop packets. Previously, in the days leading up to the golden age of InfoSec, networkers saw firewalls as an impediment to the network. Application guys saw them as hindering the system. Management saw it as a hit to the bottom line. (I actually had a sign on my wall that said "It isn't a firewall problem"). Now, networkers are becoming security aware, and sometimes also wear the security hat. Teams are made up of networkers and security pros, especially where the Integrated Product Team (IPT) organization is used. Management may still see security as a hit to the bottom line, but I believe it is also considered part of standard planning. The network team I currently work with consults with me regularly. My chain of command has changed several times, and on occasion, I have worked within that team. I think that there may be different approaches, but that is based on expertise differences.
  • Solutions1
    There is a natural and sometimes healthy tension between security teams and the "doers" (not just the network "doers," but other IT functions - the system admins, the application people, etc.). Clearly the "doers" want to get assigned tasks done, keep essential services running, want to get off the critical path of projects, and certainly do not want to get enmeshed in complexity imposed by added security. The other side of the story is that Security is sort of a "conscience" function and necessarily has to tell the doers to "hold on" every so often. Today, both sides are typically addressing rare phenomena that, however, may have severe consequences (the equivalent of lightning strikes). However, people do not instinctively do well with such risks - they either overrate or underrate them (hence the success of state lotteries). Today IT "doers" are often dealing with Poisson-distributed functional risks - e.g., network links that go down very rarely, but that present complex restart issues when they do. On the other hand, security people may be concerned that, say, 1 in every 10,000 such network faults may somehow be symptomatic of a hacker attack and that restart should not be done (or not be automatic) until some sort of environmental scan is done, even if the help desk calls are flowing in. Another effect of dealing with Poisson-distributed risks is a propensity for resorting to "fads and fancies" and "ghostbusting." Both sides have their own nostrums, which may conflict. Therefore, given differing objectives and sometimes opposing critical success factors and KPIs, it is unrealistic and probably unhealthy to have perfect harmony.
  • Larrythethird
    I do the network at my company. There are some conflicts with the security guys, but usually minor ones. As a network guy, I sometimes feel limited by the lack of access to some of the security devices. I have to wait for someone else to get a task completed. On the other side, the security guys, I'm sure, feel the same way, waiting for the network guys to set something up so that they can finish their tasks. I do see the two merging, though. We are working towards port authentication so that the security will start as a user connects to the network. We are also moving more security on the end station itself. As MIS/IT has to integrate more and more security into the apps, network and end stations, the lines will blur between separate applications, help desk, security and network groups.
  • HumbleNetAdmin
    Like previous posters before me, I am a Network Admin wearing the hat of a Security Professional, in fact wearing all the hats in the roles of sysadmin and network engineer. The organization that I work for hired me into a newly created position three years ago and there really were no Networking/Security policies in place. In fact they had just recently implemented a firewall after having the website hacked. Although I have grown the network infrastructure leaps and bounds since filling the position, it still is not where it should be as to security policy and enforcement of what policies are in place. And that seems to come from a lethargic attitude about securing an infrastructure that has now become keystone to business operations. (Maybe because the ISDept is a development shop comprised mostly of developers that think they should have access to anything and everything). In recent months the President of the company (about 80 employees, so not a large corp or anything) has come to me requesting me to research into a way to monitor employee activities on the web and more. This request did not come through the ISDirector or my Supervisor. I did research on a couple of products, primarily proxy services, however the Pres. was not satisfied and eventually came to me with product info he wanted me to check out. This product went far beyond proxy. It could catch all: web, email, keystroke logger, network activity, and screen shots at regular intervals of employees' PCs. (I did inform my bosses about the request however, especially about this new product). My direct supervisor and IS Director are a bit upset about the product and its implications and the fact that the Pres. did not go through them and came directly to me. The concern also is that he will be looking to have me implement it unknown to them. So the point I am getting at is like previous posters. Upper management, ISDept and Security/Network Managers need to come together on common ground on security issues.
    They need to work together without circumventing. I am left stuck in the middle of how to handle the Pres. if he requests that I implement this product secretly. There is a need to monitor what our employees are doing on the company systems in order to protect those systems from abuse and for security. However it needs to be a team oriented operation that looks towards business needs and ends and revolves around the organization's policies and acceptable use policies that need to be established and users made aware of. It seems that here upper management and the IS management get together on issues, and the IS management get together on issues and one or the other consults with me for information and ideas but never all together where I am an integral part. I am in agreement with previous posters who have stated that there has to be security, and there has to be network functionality where business functions can be accomplished with as little hindrance as possible, and that management needs to work together with ISDept managers, Network/Security admins and users in order to find a happy median where these two functions can come together in order to best meet the needs of the organization. Sorry for the long-windedness, writing is not my forte.
  • DrillO
    Hi Susan and all..... I perform all tasks here with my network and I can tell you that it is a challenge. I can certainly see where there could be huge conflict. My situation is somewhat different...I work for a Library and security is a huge issue on both sides of the fence. We have internal and external network resources. The internal for staff and external for public use. The internal network is kept as secure as possible without impacting the ability of staff to do research which in most networks would take them to places you don't want to see your employees going. Interesting problems ensue. On the other hand there are the public machines. In the early days, we allowed nothing by way of policy as directed by the Board. Now, things are changing and the security issues are becoming harder to deal with. I am at wits' end with myself frequently. There is also a difficulty in that we pass our traffic through the network at the City Hall.....when they implement security features without consultation (a VERY common occurrence), our staff flip out and I am left putting out those fires as well. I believe I touched on communication in a post to another question from you. The conflicts are real....not only between IT professionals, but upper Management and users as well. They want everything - the best of all worlds and don't understand why we can't deliver. That's my bit. Best regards, Paul
  • Maclanachu
    God no! We have had projects delayed for so long bc our net ops guys (security) shifted the goalposts on us at the last minute as we are about to roll out a new project. Improved communication and less condescension ("Windows? Bah! u know how much better Linux is...") would improve matters greatly. Having to constantly argue ur case doesn't help either. "Ur wrong" "No I'm right" "prove it" "Why should I? don't ever ask u to prove ur network topology." etc. Best one yet was being asked to put our new Ex cluster into the DMZ for security purposes!
  • Bobkberg
    Much as I sympathize with Maclanachu's position, I would suggest that some careful strategizing and tactics could take a lot of the sting out of ops vs. security issues. The number one thing to remember is that nobody is a villain in their own eyes. This is crucial to understanding how best to proceed. When you get confronted by a situation like this (and you'll need your manager's cooperation as well), treat it as a learning situation for yourself. By this, I specifically mean to sit down in a conference room with a white board (or whatever) with the security folks, draw out the basic diagram, and then start by asking them to please educate you on the benefits of doing it their way. Never mind whether or not you know better - a goodly part of this has to do with defusing tensions, of which there appear to be many based on your narrative. Simply by asking them to educate you, you have automatically raised their opinion of you. After all, how can you think less of a person who asks for your advice and knowledge? The next step is to start asking extensional questions. That is, have them walk you through (if they haven't already). When they/you get to a point where you see a problem, then ask them "Just a moment please. We have to do such-and-such at this point. How is this going to work with your new requirements?" And....avoid all traces of defensiveness - no matter how you might feel. That is a key factor in escalation of tensions. I hope that helps, Bob
  • DrillO
    I might add that having a strong and knowledgeable IT Manager can really help. I know the absence of same has caused huge problems in some organizations that I have been involved with. There is no substitute for a good leader, and by that I mean someone who can direct such things and help keep tensions under control. On the part of the professionals involved it is very important that their cases are presented in a very matter of fact, all information, no bias or emotion sort of way. Paul
