This philosophy boils down to three things:
1. My job as a Security Engineer is to improve the protection of users, data and processes while impeding those users, data and/or processes as little as possible.
- Don't negatively affect the mission of your organization. In a fight between security and mission, mission will always win.
2. I can't do #1 without understanding how my protection improvements work, how they have to be integrated into the network to work properly, and what the impact on the network will be during and after integration.
- Nothing affects your credibility more than appearing not to have a clue about how your tools work or how the environment your tools are in works, or not to have anticipated their effects.
3. My job cannot be done in isolation. I must have a good interactive relationship with the operations group, dev group, compliance group, users group and the management group. Otherwise I run the risk of being ineffective, disrupting the mission and making the network less secure.
- You will make your job that much harder if you are arrogant, or stubborn, or condescending, or all three toward your coworkers. They will not want to cooperate and will stonewall you and your efforts regardless of how much those efforts make sense or are required.