We've all gotten the panicked call: Some user double-clicked an e-mail attachment and infected his department's network with the latest worm. Screens are flickering, workstations are crashing, and the prospect of losing productivity time--and revenue--is looming.
Do you understand his pain? His panic? I do. In my enterprise, I've walked in his shoes.
Before assuming the role of security technology manager at Wells Fargo, I spent a year training in the company's Leadership Development Program, a rotational study of all the core areas at Wells Fargo Services.
The program consists of several weeklong stints in many of the company's critical infrastructure and operations groups--from the data center to on-site customer service. I experienced firsthand employees' and managers' tolerance for lost integrity, availability and confidentiality.
I worked as a proof operator in the check-processing department and answered help desk calls. With each passing week, I gained an understanding of what each department does and to whom it reports--both internally and externally--and acquired a true sense of what each Wells Fargo employee does day in and day out.
The goals of the program are simple: Provide future managers with exposure to various business units and increase their understanding of each department's missions and operations. Through this, tomorrow's managers will have a greater understanding of the big picture and be able to better align their operations with enterprise-wide business objectives.
When I chose a job in IT security, the exposure and cross-training I received had an additional benefit: I had an appreciation for the problems and pains of my "customers." My training has shaped the way I now respond to those frantic calls.
Daily, my security remediation team has direct contact with tellers, bankers, mortgage associates, sysadmins and company VPs--with every infosecurity issue centered on business continuity. If these people can't use their systems, they can't do business.
My understanding of their needs and how to best integrate business and infosecurity requirements has been invaluable in advising my team on good customer service.
Through my meetings and training sessions, I have built strong, service-oriented relationships with groups that I might not otherwise have interacted with, which, in turn, has helped me tailor security issues directly to the needs of our customers.
I also try to utilize the diversity of my team. Knowing who your customers are and how to best serve them is as important in the infosecurity world as it is in retail banking. From CPAs and lawyers to sysadmins and help desk agents, diverse training backgrounds offer daily opportunities to teach each other about the person on the other end of the phone.
When the security luminaries say you should align your security with business imperatives, they mean aligning security strategies with business objectives. But, as I found in my experience, making security pros walk in the users' shoes definitely shapes the way they service and secure their constituents.