Pulling responsibilities into new role

I have a bit of a dilemma. Not too long ago, I was promoted to security manager at my current company. The plan was always for this to be a partly hands on role. Since I've been in many roles at my company, I've been asked to think about what technical responsibilities I can pull over from both server and network teams into my new role.

This is where my dilemma comes in. The one thing I want to see come over to the security area is firewall management. This was previously one of my responsibilities and I've cleaned up a decent amount of sloppy policies, implemented new features, etc. The problem is that I know this is going to piss the network manager off and I'm sure he'd fight it. I was thinking of presenting it as the network team will continue to deploy and monitor performance, but from I will own the policy creation, feature implementations, etc, and we'll jointly handle design placement. Not sure if this makes sense. I'm also not yet sure what other responsibilities I'll recommend to bring over.

Opinions?

Find more posts tagged with

Comments

gespenstern

Not even an issue.

I personally like making people mad by doing the right thing. And I do this all the time.

The thing here is making sure that the emphasis on doing the right thing and not on screwing people up.

If you believe it would be a good move for the company -- you have my blessing. Gather arguments, check with Gartner or whatever is considered respectable and convincing in your company, that's you ammo. Then, start a fight. If you win -- awesome, if you lose -- you analyze and learn on how to avoid mistakes. Those who don't engage never see glory and live empty lives.

Also, if you win -- make sure that the network manager knows that you didn't do that to upset him, you do that because you believed it would be right for the company and he lost only because he wasn't able to defend his position. Ultimately, it's what is best for the company.

EANx

Don't forget an auditing role.

Who has the authority to say what's right when you disagree? What sort of policies will guide that implementation?

MitM

Good points gespenstern and EANx.

I will admit that a tiny bit of this is what's best for me (for my career). However, I'm the one who keeps up with the technology, follows best practices, etc. I won't mention the negative when I have my discussions but between us on this thread haha, I find too often things are done with shortcuts instead of doing it the right way. This makes the environment less secure.

As for the audit role, that was another thought. Maybe let them keep control but I'll audit the rules and changes. I think that would be even worse, as I'm sure the network manager will hate being told that policy x needs to be changed.

Today, all changes are approved by the IT head, but he doesn't do the auditing.

EANx

Then the way I would approach this is that division of duties is an industry best-practice and that you don't care if config falls under you and auditing falls under him or vice versa but you think that one of you should maintain the devices and the other be responsible for the occasional audit to be sure things were done the way they ought to be. That way, you don't come across as someone who is trying to control what he's doing, you're happy to let him audit you if you get firewall config.

MitM

I'd prefer I implement and my manager audit

TechGuru80

MitM wrote: »

I'd prefer I implement and my manager audit

You should probably stay out of security then as the more mature things get, the more security audits versus configuring. Besides if you let the other team do a lot of the configurations...you get to keep up with vulnerability management and start TESTING configurations, detect intrusions, forensics, etc.

Also, if firewalls or infrastructure fall under your responsibilities you have to do undesirable things like being on call.

MitM

TechGuru80 wrote: »

You should probably stay out of security then as the more mature things get, the more security audits versus configuring. Besides if you let the other team do a lot of the configurations...you get to keep up with vulnerability management and start TESTING configurations, detect intrusions, forensics, etc.

Also, if firewalls or infrastructure fall under your responsibilities you have to do undesirable things like being on call.

The comment you quoted was meant as if I'm configuring I'd rather my manager audit, opposed to the network manager audit. I'm not working for a very large company. The point is the end goal is to have a more secure environment. I'm perfectly fine with approving and auditing rules.