27

I've accepted a position at a different company working on their security team and have been mentally putting together a list of questions to ask so I can rapidly get up to speed in the environment and start gathering ideas about things to prioritize.

A lot of what I'm thinking of is based on http://www.opsreportcard.com/section/28, but surely there are others. What are your go-to questions to ask when onboarding in a new environment?

bobmagoo
  • What's your job title in the new role? And is the team an operational or policy team? – paj28 Nov 19 '14 at 20:41
  • InfoSec Engineer, and the team does both operations and policy/compliance work. – bobmagoo Nov 19 '14 at 20:42
  • Well, I was going to write you an answer, but theterribletrivium has done such a good job, I've nothing left to say! – paj28 Nov 20 '14 at 11:58

1 Answer

40
  • What are the strengths of each team member that I will work with regularly? (i.e. programming, Linux, networking, regulations, etc.)
  • Where is our documentation? You hopefully have a wiki, a knowledge base, or set of documents somewhere that explain your processes and policies. If you don't, be a hero and get started on one.
  • What are the current projects the Security team is working on? This is pretty self-explanatory; get up to speed on the team's roadmap and figure out how you can best help.
  • What is my career path here and how is my performance rated? Not security related, but always important to know at any job.
  • What is your change control process (if any)? This one is super important and if you don't have one you'll want to push for one eventually.
  • Which technical team does what and what is the process to engage them? This is important since you'll want to quickly identify who can answer your questions about specific topics and who to talk to about specific issues. Different teams may have different engagement styles and it's important to follow their process.
  • Who are our allies in the company? This is pretty self-explanatory. Which employees or teams "care about security"? It's nice to identify which groups are less likely to resist reasonable security requests or even be champions for security improvements.
  • What is the team's philosophy? This is important because you want to be sure that you're approaching situations the same way as the rest of the team. You want a one-voice approach as best you can externally. Keep the snarkiness internal. ;)
  • How far can I push our users? I generally find the "advisory approach" where you seldom really push works better, but some organizations view security as paramount and want security to be aggressive in their stance.
  • How does the business operate? This involves understanding the org chart, understanding the company's strategy, business risks, etc. Without knowing this you don't have the context to give them the best security answers you can. I find a lot of people don't focus on this to their detriment, but it's really important.
theterribletrivium
  • This is a fantastic list and just what I was after. Thanks! – bobmagoo Nov 20 '14 at 01:59
  • Thank you, this is actually pulled from a list I made to ask before I started my last job. I removed the obvious technical stuff such as asking about network diagrams but I figured you weren't asking that. :) – theterribletrivium Nov 20 '14 at 02:37
  • 4
    The best part about this list, honestly, is that the bold headings are almost 100% copy/paste to any joining-a-new-team. These are things you need to know whether you're in security, development, support, sales, factory work, fast food, any position. The explanatory text is clearly security focused, but the questions themselves are applicable to a wide audience. Do you hang out at workplace.stackexchange.com? =) – corsiKa Nov 20 '14 at 16:57
  • 1
    This is a fantastic list and can easily be adapted to much more than just a security context - any software developer will benefit! – woody121 Nov 20 '14 at 19:55