Thinking strategically and presenting solutions to problems can set you apart from your peers

A friend/coworker and I were on a team that was trying to win over a huge customer. Our team was presenting all the found problems to the client’s senior management executives that day. Our leader was the main speaker; my friend and I were on hand in case some technical questions arose that the team leader couldn’t answer.

Early on, the meeting turned hostile, and our team leader appeared unprepared for all the executives’ questioning and pushback. My friend, on the other hand, was able to field the questions with aplomb. Soon, he was receiving all of the positive attention from the customer’s senior management team as they peppered him with questions on various subjects and problems for the next few hours. By the end of the day, it was pretty clear who the team leader really was. Everyone was happy — except for the original team leader.

It got me thinking about how my coworker had been so successful in the meeting. How did he emerge as the natural leader? It came down to two key traits that he had that the others did not: He was a strategic thinker and a problem solver. Developing and demonstrating these traits can be invaluable for advancing the career of an IT security admin — or any IT career, for that matter.

1. Think strategically

One way to be seen as a superior computer security worker is to fix procedurally but think strategically. Whenever you find a security problem (such as an overly open firewall, a weak password, an old anti-virus database definition, and so on), fix the problem, but think about the policies and procedures that allowed the problem to surface.
Take every finding from its point cause and apply those results to devise a strategic fix. By recognizing the root cause, you’ll endear yourself to management and technical folks alike.

An easy example: You find service accounts with short passwords that are never changed. Obviously, the fix is to change the passwords to something longer and to enable password expirations. But the best security workers immediately recognize that weak passwords come about only because of a weak or inconsistently followed password policy. Fix the immediate problem, then work to help resolve the strategic issue. In this case, we are talking more about tactics, but the idea is to move past just fixing the immediate issue. We all know how to prevent malicious hacking and malware, but doing that across bunches of computers is the more difficult problem. That takes policy.

Continuing on with the password problem, don’t stop at fixing service account passwords. How are all user account passwords handled? If you found the problem on a Windows computer, how are passwords handled on Linux, Unix, midrange, and mainframes? How are passwords handled on security appliances, routers, and SNMP hosts? If you recommend disabling weak LAN Manager password hashes in Windows, do you recommend replacing weak password hashes in Linux and BSD (think Bcrypt)?

I’ve tried to think this way all my career, and so far, it has worked out well. I’ve seen others do it too, and they’re the ones getting promoted and paid more. Sometimes finding the right policy or strategic deficiency takes a little research, but nothing impresses upper management more than someone who can work both sides of the problem.

On the flip side, we’ve all seen our share of supercowboys who can configure and troubleshoot with the best of them but can’t write a policy to save their life.
They make good money but always seem to hit a ceiling they can never pass — and they stagnate.

2. Bring solutions

When you present a problem, always present a possible solution. Executives have lives where everyone around them is telling them how broken everything is. I’ve seen consultants proudly go on and on about all their security findings and how broken every process was, only to have the executive listening say, “Tell me something I don’t know!” The executive was pointing out that complaining and whining doesn’t fix the issues. To be a superior computer security worker, whenever you find a problem, also present a solution. This ties back to the first recommendation: Your solution should contain tactical and strategic fixes.

If you want to see senior management smile, follow these two recommendations in your career. I bet you’ll end up smiling more too.

That was certainly the case for my friend. A few days after the executive presentation, the original team lead was let go and my friend was put in charge. The company won a huge future contract, and he landed a big promotion. It could not have been better — well, unless it had been me instead of my coworker. But I digress.