Lesson Three: Get accustomed to arrogance. For a lot of reasons, arrogance seems commonplace in the IT domain. Some of this is a natural consequence of the confidence that comes when you are good at what you do. Some of it is a defense mechanism when you are better dealing with things like systems than things like people. Some of that arrogance is an expedient for dealing with too much change and too much complexity. Whatever the cause, arrogance seems to be found in abundance in the IT environment. Don't take it personally.
Lesson Four: Size matters. Typical IT projects are much larger than typical security projects. Many IT departments have in-house staffs to handle the tasks that security departments traditionally outsource to integrators. The IT business model often involves direct purchases from manufacturers, a current anathema for our industry. As security comes under closer IT control, there will be a tendency to adopt the paradigms of their industry, particularly for larger projects. This could require radical changes to our traditional business models.
Lesson Five: Who's the daddy? Just because security has adopted the use of IT building blocks doesn't mean the IT department automatically becomes the system's parent. Sometimes the house IT rules place untenable burdens on the security project. Sometimes creating separate infrastructure exclusively for security or virtual boundaries within the IT infrastructure to allow security centric rules without jeopardizing IT reliability. This approach requires either a high level of expertise on the integrators part or an open minded IT manager and often both.
Lesson Six: When things stop working. Getting security systems to work over networks is one thing...keeping them working is a second challenge. Is the problem in the security equipment or in the network? One experience involved a new network firewall being installed. The security equipment used a port address excluded by the firewall. Everything else in the building except the security system worked fine. Demonstrating that the security equipment worked fine when bypassing the network held little sway with the IT technicians. Getting to the root problem required a detailed explanation of the process the security system uses to authenticate a connection, something not usually covered in the installation manuals. Effective troubleshooting requires the ability of the security technician describing the problem in IT terms.
Lesson Seven: Shop Standards. Every IT shop has developed standards. Some use only Windows, others only UNIX; some use only a certain brand of computer or database or network switch. Limiting the number of "approved" products keeps things more manageable. In a similar manner, many security integrators limit the number of products they sell and service. Each client seems to develop their own standards. It requires the security integrator to gain a working knowledge of each client's standards. No one ever said the future was going to be easier!
Lesson Eight: Patches. IT security has become a big issue. Viruses and other security challenges cause the software companies to issue patches and revisions at increasingly frequent intervals. Some IT policies require installing a patch within a short time window after it is released. Conflicts with these policies have been encountered because many security equipment manufactures have not been as responsive as the general IT community when it comes to certifying their software will work with an operating system upgrade. Some IT departments have policies to set up their computers for automatic upgrades online. The recent Windows XP Service Pack upgrade from Microsoft caused a firewall to be automatically created, causing a rash of service phone calls when security connections suddenly stopped working.
Lesson Nine: Maintenance costs. Who pays for a service call when the source of the problem is something in the network? How do you estimate a maintenance budget when the number of responses is outside your control? When security systems utilize enterprise networks, issues of maintenance cost become more complicated. Some integrators exempt network issues from their maintenance agreements, other use historical records as a guide.