My Third Day on the Job, Twenty Years Ago: The Value of a Security Newbie

More than twenty years ago, when I had just started doing supply-chain security work at a foreign company, I had no formal training and no relevant experience. On my third day, my boss sent me to an airline's gateway office to conduct a security audit.


Background: a gateway is the airline's office within the airport's operational area, where airline staff handle the daily business of flight operations. In other words, it is a key node in the aviation supply security chain.

I was stunned. I had just arrived and had not even finished new-hire orientation. How could I possibly audit a place I knew nothing about?

My boss's answer was simple:
"When you get there, introduce yourself, tell them this is a surprise security audit, go through the standard checklist, follow the audit procedure step by step, and ask whenever you don't understand something. That's it."

So, carrying a stack of security audit forms and a nervous heart, I walked into that gateway office.

The gateway office manager took the audit very seriously and assigned a senior supervisor to assist me. The on-site audit took more than four hours, followed by another four hours writing the report and entering the data into the system.

I asked countless questions, many of them naive or downright foolish, but the supervisor was extremely patient.

The next day, my boss reviewed my audit findings in detail and then gave me formal training on how to properly conduct an airline gateway security audit.

That experience taught me a lesson that shaped my entire career: the newcomer's perspective matters.

My boss explained: "Precisely because you are new, you have something that many experienced security people have already lost: fresh eyes." Once you are too familiar with something, you stop seeing the hidden risks. The more you know, the easier it is to miss the elephant in the room (the thing that is plainly there but everyone has stopped noticing).

Twenty years later, I still conduct security audits by the rule of thumb my boss gave me back then:

"Learn to ask questions, keep asking, and keep pressing until you get to the bottom of it."

If the answer is "yes," ask them to show you the evidence that it really is so.
If the answer is "no," ask them to tell you why, with a clear and reasonable explanation.

Do the auditors in your company's internal audit department know more about security than you? No, they don't. But they have something many of us have lost, fresh eyes, and they are questioners who never give up. That is the auditor's secret weapon.

So whether you are just starting out in security or are already a seasoned professional, remember this:
Security work starts with an audit.

Audit with curiosity, humility, and a firm hold on principles, and your fresh perspective may uncover risks that many others have overlooked.

Never underestimate the power of fresh eyes. That is the value of a security newbie. [End]


*I wrote this article for my company's internal security training, originally in English. The version above is my own Chinese translation; the English original follows.


Why Your Security Journey Should Start with an Audit

When I began my career in security over two decades ago, I had no formal training or experience. Just two days into my first job, my boss—the Head of Security—asked me to conduct a security audit at an airline gateway.

For context: A gateway is the airline’s office within the airport’s operational area. It’s where employees check in, receive briefings, and manage flight operations. In other words, a critical node in the security chain.

I was stunned—I hadn’t even had my new-hire orientation. How could I possibly audit something I knew nothing about?

My boss’s answer was simple:
“Go there, introduce yourself, tell them it’s a surprise security audit, use the checklist, follow the procedures, and ask questions whenever you don’t understand.”

So, armed with nothing but a stack of audit forms and a nervous heart, I stepped into that gateway.

To my surprise, the gateway manager took the audit seriously and assigned a senior supervisor to assist me. The audit took over four hours on-site, followed by another four hours writing the report and entering data.

I asked countless questions—many probably naïve and stupid—but the supervisor was incredibly patient.

The next day, my boss reviewed my findings with me in detail and gave me formal training on how to conduct gateway security audits properly.

That experience taught me a lesson that’s shaped my entire career:

Fresh eyes matter.

My boss explained, “You have something experienced security people often lose—fresh eyes.” Familiarity can blind us to hidden risks. The more you know, the easier it is to overlook the elephant in the room.

Even 20 years later, I still live by his mantra:

  •  Always ask—and keep asking questions.
  •  If the answer is yes, say, “Show me where,” and demand proof.
  •  If the answer is no, say, “Tell me why,” and expect a clear explanation.

Do internal auditors in your company know more about security than you? No, they don’t. But they have something many of us don’t have anymore—fresh eyes—and they are relentless questioners. That’s how they audit.

So, if you’re just starting out in security—or even if you’re a seasoned security professional—remember this:

Start with an audit.
Approach it with curiosity, humility, and persistence. Your fresh perspective could be the key to uncovering risks that others miss.

Never underestimate the power of fresh eyes.

Reference and further reading

  •  Physical Security Toolkit (https://www.cdse.edu/Training/Toolkits/Physical-Security-Toolkit/)
  •  Effective Physical Security (Edition 5), edited by Lawrence J. Fennelly
  •  Security Risk Assessment: Managing Physical and Operational Security, by John M. White