Security is often a battle. In one corner we have the security team warning the rest of the business of the dangers of “X” or fighting to implement new policies and technologies that will help keep the business secure. In the other corner we have lines of business wanting and needing faster, better, more profitable enablement tools and processes.
Security professionals express frustration and dissatisfaction, and many have adopted a never-understood, always-the-outsider persona. Just look at (the thousands of) tweets and blog posts each day and attend a few conference talks. In a community which is at once vast but also very tight, it’s hard to not join the fray; jumping on the bandwagon is a comfort because, in fact, security is frequently going against the grain. It’s hard to be the lone voice. It’s draining to feel like every day is a fight. And a large portion of security professionals are passionate about what they do, which is why they’re “in it to win it.”
One could point to the last few years and say, “We’re beginning to win! Just look at mainstream media!” It’s true: cybersecurity is a headline. Even without the security community’s help, the average person now has a modicum of awareness about security issues and dangers. Inside our companies executives are demanding a higher level of protections. Security is no longer a footnote but a central part of business operations. Yet many security practitioners still approach the practice of security and business colleagues as adversaries—a person, a team, a faction that must be converted wholesale. When business colleagues make decisions contrary to security’s recommendations we say, “It’s your risk,” as if the security team can abdicate all responsibility when or if things go awry.
He come groovin’ up slowly
Security didn’t become a headline because security practitioners have made great strides in awareness or because information security has improved (nor because companies were taken out for the count because of breaches). The awareness came as a result of too many breaches, too much data lost, too many people affected. While there are many reasons for increased security incidents, the attention is a byproduct, almost separate from whatever security teams are doing, whatever products are developed, whatever policies are enacted. Viewing the problem from a battlefield point of view: We’re losing. Security is losing. We can’t keep up and the business knows it. They ask the head of security to make projections and promises. The head of security, in turn, states (rightfully so) that there are no guarantees: adversaries are better funded, have more time; no technology is impenetrable.
The waters are circumnavigated, better security isn’t achieved, and everyone’s frustrated.
Maybe, though, security isn’t a battle to be won or lost. Perhaps viewing it as such is preventing companies from safeguarding assets. Every time security practitioners have to sit in a conference room with the business and defend security practices, attention and focus is shifted away from progress. Conceivably, that time is better spent making progress together. Security and the business aren’t two opposing teams, trying to prevent one another from scoring. Yet the industry behaves as if it is.
Got to be a joker he just do what he please
This is not to say this is all security’s fault. The business provides its share of provocation as well; they may not understand the technical limitations, they’re aggravated, or they might be afraid of what happens if the company is breached and feel powerless as a result. Says Michael Santarcangelo, “The business tends to underestimate the business consequences while security overestimates them,” which draws the battles lines even darker. What’s needed, rather than tackling the problem head on, is understanding and compassion—true leadership. Security must elevate the organization, and that’s not going to happen if every conversation is a heated debate. Humans’ reactions to confrontation generally falls into one of two camps: they shut down or their instinct to fight kicks in. Who wins? No one. And we’re not stopping breaches because of it.
Much has been said about the CISO and her or his role in communicating with the business, but it’s not entirely up to the CISO. The entire security organization must evolve interactions with business colleagues and stop facing every problem like users are at fault: Bad passwords. Clicking on links. Someone in IT missed a critical alert. There are two sides to every story and security has a better chance of recruiting partners inside the business if the tone changes from argument to persuasion. When a knowledgeable, passionate security practitioner hears a non-security person talking about how “bad” security is or why a certain application is good for the business regardless of security posture, the hackles go up and the temptation to fight is strong. How often, though, does the fight lead to a productive, quick resolution? Hardly ever, at best.
Instead, security needs to lead the conversation by taking an interest—a genuine interest—in the business’s perspective. Security must learn to understand the needs of the business, even if they’re in conflict with information security. The security community can talk about baking security in or leading with security all we want, but the fact is that the business is going to drive innovation and security needs to come along. Rather than fighting this eventuality, security would do well to see the business’s point of view and work within the constraints. Does this mean security, itself, can’t innovate? Of course not! Does it mean we should all give up, go home, and take our toys with us? The notion is ridiculous.
He bag production, he got walrus gumboat
What it does mean is that listening to the business—really listening—and taking an interest in what they’re trying to accomplish will help alleviate the unnecessary arguments, blame, and wasted time. A highly regarded security practitioner once said to me that when confronted with a statement or argument with which she doesn’t agree, she never fights back to make the other person see her point of view, nor does she agree with the opposing view to make the conversation stop. Her tactic is to listen and subtly shift the discussion to a more common ground. In this way, both sides feel like they’re making progress and are more willing to listen to another point of view, and perhaps even edit their thoughts and feelings. This same person also once swayed an 11-1 hung jury in her favor. She was the “1.”
The same idea—using listening skills and persuasion—is one that can be applied generously to security conversations with the business. Although security now has a proverbial “seat at the table,” we’re not as impactful as we can be, and it’s in part due to the difficult situations faced every day and in part how we react to them. Information security will be stronger and more effective if everyone’s playing on the same team, heading towards the same goal, and working together against the real opponent: threat actors and criminals. “One of the great things about security is that most security professionals have a natural curiosity. Instead of trying to tell the business how it’s going to be, use that curiosity to find out how you can better help them,” advises Santarcangelo. “Stop pretending you have all the answers.” Use your strengths—in this case curiosity—to your advantage; elevate the conversation. Fighting against one another isn’t working, so start leading your team—the whole team, not just security colleagues—towards a place of understanding and collaboration.