In a profession that’s designed around problem identification, it’s no wonder security professionals are often labeled “contrarians” or “troublemakers.” From the outside in, it looks like security’s job is to find problems even when operations are seemingly gliding along smoothly. Security pros are trained to slog through logs and find anomalies. They test for areas of compromise even if an incident hasn’t been identified. Security makes the entire organization change network passwords for no apparent reason, every 60-90 days!
Despite security professionals’ attempts to change the perception of the industry, there is almost no way of getting around spreading fear, uncertainty, and doubt. Security is an area where the absence of occurrence is positive. Without an example of “bad thing X” happening, how do we educate users or other departments about security best practices? It’s impossible. A story that resonates must be developed, but the story in security is, without question, that bad things can happen. Data can be stolen. Identities can be stolen. Bank accounts can be drained. Networks can be crippled. How do you wrap that story in a box with hearts and flowers?
I recently watched a TED Talk during which the researcher (academic) described the first time she heard her work described as storytelling. Her initial reaction was to balk. Years of collecting, analyzing, and presenting data was being described as “pixie dust,” in her interpretation. Then she sat back and realized, “maybe stories are just data with a soul.” Somehow security needs to give its stories a soul without having it painted black and encased in a cold, hard coating. This is not who we are – but this is how we’re sometimes received.
Security professionals want to poke holes in everything they can to see how resilient the thing is. We don’t do this to be the proverbial thorn in the business’s side; we do it because it’s necessary to find out where the vulnerabilities are so that protections can be built around them and the possibility of exploitation can be minimized. “Much of security is figuring things out from many perspectives to make better decisions,” writes Michael Santarcangelo in his online column for CSO. We are a unique group, however. Have you ever noticed how, when a new business idea is proposed by another department, other people get excited and want to jump on board while the security person is sitting there asking, “How are we going to build this? How will it scale? Why would we do it that way? Are there alternative, better methods of getting to the goal? What is the goal in the first place?” If so, you’re not alone. Many security pros I speak to on a daily basis feel this way. Many have thick skins and like playing the role of the contrarian, but others struggle with the fact that they are being labeled negatively when, to them, it’s important to make risk-based decisions, and making those risk-based decisions requires hole-poking. Think about it: no new security technology would ever be created if some engineer didn’t poke a hole and think, “There’s got to be a better way.”
Security’s long-standing reputation as the “grim reaper,” however, won’t necessarily help us achieve our aim: making the companies we work for more secure, more profitable, and more efficiently run, with fewer incidents. I don’t necessarily advocate changing the process of examining problems or ideas from various angles (I think a few more businesses would be infinitely more successful if more questioning were occurring). Contrarianism is an effective way to ensure you’re paying attention to detail, to look at systems from a different perspective (i.e., the attacker’s), and to spot flaws just beneath the surface where no one else is scratching. There are, however, ways to have a softer touch when working with the business and delivering the security story.
How to Avoid Labeling
While most security practitioners are allergic to pixie dust, just as in the example above, it’s not a bad idea to tell the security story in a way that resonates with your audience. Show the “why” behind your questioning. Explain that the end game is ensuring the company is investigating the situation from many angles and not just running with the herd. New business ideas are launched all the time. And about 50% of new businesses fail in their first five years. Why? Poor leadership, lack of capital, and unstable markets are a few leading reasons, but many of these things could be mitigated through decisions based on critical thinking.
For example, if the organization is considering outsourcing its IT help desk to minimize costs, share with decision makers the reasons for concern. They might not be thinking about how all of your resources are now exposed to a third party whose trust has not yet been earned; they might not have factored in the need for encryption of sensitive data and documents, which could lead to unexpected costs; they might not have considered that privileged accounts, which will now be controlled by someone outside of your four walls, are a leading factor in breaches. Says Ed Moyle, Director of Emerging Business and Technology at ISACA, the type of critical thinking required of today’s security professional is “advantageous because you have to be cynical of the controls that are built into a product or service.” Blindly ignoring issues is never wise, but presenting the potential negatives can backfire if others feel their ideas are under attack. It’s the security team’s responsibility to make the rest of the organization aware of possible security issues, and if you explain to others the aim of your problem-seeking, making it relevant to your audience, they’ll be more likely to cooperate with your questioning than to write you off as a curmudgeon. No one likes a naysayer. Everyone likes a team player.
Gaining support for yourself as a critical thinker is part of changing the perception of the security industry. Have honest and open conversations with colleagues; don’t let them fixate on negativity, and share with them that curiosity paves the pathway to better security talent, which means a more secure, and ultimately more profitable, organization overall. Security may not be the most popular department among some colleagues, but the company will be appreciative when risks are mitigated and it’s kept out of the breach-of-the-week spotlight.
Come visit us at InfoSec World 2016 in Orlando, April 4-6!