The Missing CISSP Domain
In the security world, the CISSP is the gold standard certification for information security professionals. The exam is incredibly broad, covering a number of domains. However, over the course of my career, I’ve realized that there’s a key domain that’s missing.
Oh really, Eric? And what might that domain be?
Huh? Securing relationships? What does that even mean, Eric? Have you finally gone security-mad?
Ok, hear me out. What I’m referring to specifically is developing and cultivating relationships across teams outside of security. For a team often viewed as curmudgeonly, elitist, and an all-around roadblock to the business, it is imperative that significant effort is made reaching out and “securing relationships.”
A major function of security is performing risk assessments so that the business can make informed decisions. In that sense, security is serving the business and should have a service-oriented mindset. To that end, rather than simply saying no or objecting to a request, consider an alternative approach. Patiently educate others on the risks of a given situation, suggest a secure solution that meets or beats expectations, and always go the extra mile to ensure that any given recommendation continues to be the optimal method. Yes, it takes more time and effort and goes against our natural I-hate-everything-especially-people M.O., but the payoff will be more than worth it. While the business won’t always do exactly what we want, folks will be more willing to engage and listen to us if we offer reasonable solutions versus the traditional high-and-mighty-security-rage-and-hate.
This is certainly easier if you’re naturally social to begin with. And I know, we’re 1337 haxx0rs too busy saving the world to be bothered to look up from our computers. But it turns out, if we leave our desks once in a while to say hello or smile and to casually discuss security in a real-world context with someone who may not be as knowledgeable, we might just find that people are more interested and willing to support security than we may think. And ultimately, this leads to more security advocates, more support for our security (and career!) goals, and yes, a more secure workplace. Plus, you might even make a friend or two. 😛
I think security professionals often operate with a superiority complex. We wrongly assume everyone knows and defaults to the “secure choice” and that anyone who doesn’t is “an idiot.” We rant that we’re the last to be told and first to be blamed for anything and everything (well maybe that’s kinda true… :P). But what are we doing to help this? What makes us think that internalizing the frustration, becoming more snarky, and fitting the classic grumpy security guy/girl stereotype solves this?
The truth is, if we want people to appreciate security and what we do, we’ve got to return the favor and recognize that what others do is equally valuable, and work with them to educate and demonstrate how security can positively impact their own work. I honestly believe that most people want to be more secure; they just don’t know how. Typically, people don’t make the “secure choice” simply because no one’s ever illustrated the risks and outlined recommendations in a way that’s understandable to them. Ironically, people are intimidated to ask the security personnel (you know, the team paid to secure things all day) how they can help the company be more secure, and it’s often a result of stereotypes that we as security professionals do little to change.
So I urge us to recognize our core strengths and use those to develop relationships. Personally, I use humor and my love of teaching to help make security fun and less intimidating. In my current position, through both effort and chance, I’ve had the opportunity to meet and work with a large part of the organization. I’ve made the most of this by making it a point to develop friendly and strong relationships with teams outside security. It has led to these same teams reporting possible security incidents, asking for security’s opinion before moving forward, and spreading the good security word to create a security-minded culture. It seems obvious, but as with most things, it takes significant effort.
Speaking of security-minded cultures, a great way to secure relationships is through awareness trainings. Check out my thoughts on the importance of security awareness trainings and how to deliver these in an effective manner.