Career Advice Tuesday – “Access Denied”
June 22, 2010
A few months ago I accepted an IT Security job with an organization I will refer to as company X. In my interview process I was asked a number of very technical questions, as well as questions regarding my experience with policy. The position is a brand new position, having never had a dedicated security person. Traditionally the network group has managed these tasks and have implemented a number of effective technical security controls with serious gaps on the policy, process maturity, security testing and risk management side of the house. I accepted the position after reviewing the position description as it was a more purely security focused role than my previous job and it appeared from the description that I would be engaged in a security operations role.
Unknown to me, this position was originally slated to report to the network manager and was reworked to report to another group within IT that is more focused on administrative tasks. Having started the new position several months ago, I have still not been granted access to the resources I need to do my job as laid out in my position description and it appears that the network group would like me to be a policy drone. The network manager is very overprotective, and since I do not report to him, he sees me as a threat to his network dominance.
I have been unable to garner management support to push the issue as his superiors find themselves in a position where he is the sole source of much of the knowledge about the environment and are afraid if they upset him he will leave. he has threatened to do so in the past and they have caved in to his every demand. Even for his own staff, the vetting period before he trusts them enough for access seems to be in the neighborhood of 3 to 5 years. One network admin I spoke to had been there for 5 years and did not have the passwords for the switches, access points or routers. The network manager would change a password temporarily, grant access to the admin, and then change them back when the work was done. To make things worse, his level of understanding of technology is very outdated and his lack of faith in the technical staff and his extreme reliance on contractors and VAR guidance has lead to some questionable purchases. I see great potential in this position for a number of reasons, but this is a major roadblock for me.
If you could help me out I’d be most appreciative.
Dear “Access Denied”
It appears to us that you find yourself in a position where the position that you felt that you were originally signing up for is not the one that your encoutered when you began working. Unfortunately, you are not alone – many information security professionals fall victim to this for a variety of reason – some within their control and some outside of it.
The first thing that we can give you credit for is assessing the situation and understanding the lay of the land. It appears that you have identified your major issue, the person who holds the key to your job satisfaction, and the obstacles that you may need to overcome in order to recognize the full value in your current opportunity.
Here is some advice on how to handle them:
1) Your issue – You are having a hard time getting the support and resources that you need to do your job – and your employer wants to limit your influence.
The best advice we can give on this is to focus on the tasks that you are given and do an outstanding job. In doing this, you will demonstrate to everyone your level of competence and the quality of your work. You will begin building your internal brand as someone who is a “credible resource” and people will respect your thoughts and decisions – especially upper management. By building the credibility, you should find yourself in a position where the “controlling” network manager may be forced to grant you some access and listen to your opinions.
2) The Person – The overprotective network manager
Like it or not, you are going to have to adapt your style to work with this person – if you have any desire to remain at the company. We all have to deal with difficult people in our jobs, our success and satisfaction is often determined by the way that we handle these relationships and figure out ways to have them work to our advantage. It becomes a simple case of, “if you can’t beat ‘em, join ‘em.”
Our advice would be to go out of your way to be helpful to the “network manager”, and perform this work on his terms. Regardless of your opinion, you should defer to his and demonstrate both loyalty and value. At some point, you will gain their confidence and build some level of trust. At that time, he may begin to be receptive to your ideas and grant you access, considering he will believe that your intentions are pure.
This is going to take time and a concentrated effort. You will have frustrations and you may have to bite your tongue, but only you will be able to determine if the value of the opportunity is worth the work. You may begin attempting this, and get frustrated. If you do and decide that this is more trouble than it is worth, you should begin to look for another position. But you owe it to yourself and your career to give this your best shot.
One thing that I think you need to accept is that you are not going to change anyone who is set in their ways and their personality. You may be able to change some of their behaviors – but that will only happen if they see a personal benefit to their own job and success.
It would be good to look at your sitaution as an opoortunity for personal growth to see if you can change the culture of the organization and build a relationship of mutual respect between yourself and the network manager.
Good luck – hopefully you will get the result and the access that you desire to make your role a success.
Mike and Lee