Breaking Out Of Your Zone

There is a blog entry over at the Security Catalyst website titled "Running Outside the Zone" that I think all IT security pros should take the time to read, ponder and put into practice. I won't rehash all of the details here, but the gist of the post is that as an infosec professional, you need to get step outside your comfort zone once in a while. It helps you stay sharp, learn new skills and get better in some areas you're already good in.While there is definitely the slant towards infosec in Julie's blog entry, it can apply to anyone in IT whether they're sysadmins or helpdesk techs. For example, I just assisted with the IT review for a local company and the need to cross-train and "step outside their zone" was never more apparent. The company had already suffered a pretty devastating security incident last year but they hadn't made any headway in securing their resources to prevent another breach.

All I kept thinking was how they needed to spend some time learning about simple things like logging on on their systems, centralized log management and regular log review. Learning more about the built-in firewall functionality in the different operating systems they used and how it could be used to layer the protection offered by their network firewall. And, so many more things that aren't rocket science.

The issue seems to be that they had settled down into their comfort zone and liked it there. Each person had their own specialty and very little effort was made to cross-train on the different job duties so their was adequate support when one of them was out of the office. The only time change occurred was when it was forced from above and it became inevitable; never because it was self-motivated.

If you find yourself never stepping outside your zone, it's time for a kick in the butt. IT is an ever-changing field, but specifically IT security is an area that requires constant attention, learning and a broad range of abilities that often include things like writing reports or making presentations.

As the author stated, "the main goal here is to push yourself and find new ways of thinking about problems you see in your daily work life." I like that. Now, if we can only instill this into other people we deal with on a daily basis...

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.