The recent Tripwire blog ‘7 Habits of highly effective Vulnerability Management’ by Tim Erlin was a great read with some sage advice on the always relevant security topic of VM. I noticed, however, that although the seven points themselves were all Tim’s own, the title snappily paraphrased Steven Covey’s classic management book. This made me think.
First published in 1989, Steven Covey’s ‘7 Habits of Highly Effective People’ is still one of the best and most enduring self-improvement and management books I’ve read. It continues to sell for the simple reason that it ignores trends and instead focuses on the achievement of higher performance through the use of timeless principles of fairness, integrity & honesty. All qualities you would surely seek in today’s professional security services and people.
So, based entirely on Covey’s seven habits, here’s my quick take as to how they can directly translate and relate to cybersecurity:
1 – Be proactive
A passive, ’box-ticking’ approach to security compliance alone is simply not going to cut it in today’s world of highly dynamic threat and challenge. Every minute spent reactively waiting around for better things to happen for you or doing just enough of what has always been done provides an advantage to your attackers. Instead, we all need to be continually reviewing what is happening around us and proactively making any necessary adjustments and improvements accordingly. Covey’s book talks about concepts of the ‘circle of concern’ and the ‘circle of influence.’ For security professionals, it’s all too easy to get caught up in the sometimes overwhelming ‘circle of concern’ (threats, vulnerabilities, incidents, regulations, negative press, misinformation, blockers, budgetary/resource constraints.) We can all do it. Yet by spending more time in our ‘circle of influence’ (areas we can positively affect and change), Covey suggests we actually increase the metaphoric size of that particular circle whilst tangibly reducing in some way our ‘circle of concern.’
2 – Begin with the end in mind
Whilst being proactive is essential, we can’t just randomly ‘act’ and hope for the best. We must know what the end goal should be and start with a clear destination in mind. This applies whether we are a newly appointed CISO to a company in need of radical security change or a technical expert embarking on an ambitious new solutions implementation. To borrow a quote made infamous from the ‘Shaolin and Wu-Tang’ movie, “The game of chess, is like a swordfight, you must think first before you move.”
3 – Put first things first
The world of IT security can be a very noisy and frantic one. One where we are constantly bombarded with all sorts of alerts, issues and sometimes conflicting demands on top of our more strategic and planned work. If we are not careful and disciplined, time can be lost to the wrong priorities or simply used up with reactive firefighting. This third Covey habit advocates the use of an Eisenhower-type matrix to differentiate between important and urgent activities and the combined effect of the two. We can be far more productive by identifying activities in terms of the quadrants defined below and ideally at least dealing with them in the following order:
Quadrant I. Urgent and important (Do) – important deadlines and crises
Quadrant II. Not urgent but important (Plan) – long-term development
Quadrant III. Urgent but not important (Delegate) – distractions with deadlines
Quadrant IV. Not urgent and not important (Eliminate) – frivolous distractions
4 – Think win-win
Practicing security correctly, particularly when driving through change, may inevitably present us with some difficult situations from time to time. Security practitioners at all levels, therefore, need the strength of conviction to diplomatically ensure the best possible outcome of any such scenario. Rather than focus on zero-sum approaches, (I win, you lose – you win, I lose, etc.) Covey advocates seeking ‘win-win’ outcomes to disputes and differences of views, ones which are mutually beneficial to both parties. This isn’t about complete compromise and certainly not about being passive or weak. It may well, however, prove to be the only effective way of delivering essential but unpopular security controls. That is, delivering them in a way that people actually buy into rather than immediately just look to undermine or circumvent.
5 – Seek first to understand, then to be understood
When there is so much FUD and nonsense being spoken about cybersecurity, we must use every approach we can to get the right information and messages across. In most organizations, of course, cybersecurity exists as an enabler rather than a dictator to the core business it protects. Unless we as the security experts actually understand the goals, needs and challenges of others in the business, how can we expect to convey security in a way that actually means something to them? We, therefore, have to listen, not just to key stakeholders but everyone we can, at all levels. This means ‘actively’ listening, not just ‘feigning it’ whilst waiting to state our own opinions or simply paying lip service. People can always tell.
Demonstrating that we have grasped other people’s perspectives better, they are in turn more likely to listen more openly to what we then have to say. This is why we need to do things in the order this habit promotes, understand and then try to be understood.
6 – Synergize!
This habit is really about positive teamwork, to achieve goals that no one could have individually attained in isolation. There are obvious benefits, working not only with other security experts and related third parties but perhaps other teams and areas of the business entirely.
This concept could also be stretched a little to think about technology itself. Following the well-recognised principle of ‘Defence-in-depth,’ there has to be synergy between different layers and levels of technical security solutions to provide an effective ‘whole.’ Disjointed solutions that work in isolation lead to gaps that may expose serious chinks in our protective armour. Know the strengths and shortcomings of the solutions you have available and how best to complement them. Whilst, of course, questioning the ‘snake oil’ solutions that claim to ‘do everything’ – in a box!
7 – Sharpen the Saw
“Give me six hours to chop down a tree, and I will spend the first four sharpening the axe.” —Abraham Lincoln
The last of Coveys 7 habits is all about devoting time to refreshing and renewing ourselves physically, mentally, socially and spiritually. To emphasise the consequence of trivialising or not practicing this habit, he uses what seems at first to be a slightly odd analogy. Paraphrasing for brevity here; the analogy is about an exhausted person working feverishly yet still struggling after many hours to cut down a tree with a blunt saw. When it is suggested to them that they simply take a break to sharpen their saw and perhaps yield a more effective result, their response is immediately that “I don’t have time to sharpen the saw, I’m too busy sawing!”
When presented like this, the paradox and absurdity of such a myopic view is clear. Yet, this type of situation in the cyber world could perhaps resonate with more security professionals than we would like to think. A global report earlier this year, for example, revealed that many CISOs are facing burnout with 27% surveyed working up to 60 hours a week and 89% never even taking a two week break from their job. And these are CISOs, who are at least at the higher and better rewarded end of the security food chain. So what about the threat hunters, SOC analysts and other technical respondents closer to the coalface? Whilst it ‘goes with the territory’ that we will all do whatever it takes, whenever we can, in the event of a critical alert or genuine emergency, continually putting in unsustainable hours incurs damaging mental, as well as physical, effects on individuals. Even from a more cynical business perspective, it makes little sense. It will simply result in atrophied resource and ‘blunted cyber saws’ come the next critical situation. So, let’s all make sure we devote time to ‘sharpening the saw’ whilst actively supporting and encouraging others to do likewise.
I hope this very surface and superficial look at Covey’s great book entices people who haven’t read it to do so. There is so much more in-depth advice within it which everyone in security can benefit from.
About the Author: Angus Macrae is a Certified Information Systems Security Professional (CISSP) in good standing. He has more recently been awarded the CESG Certified Professional – IT Security Officer (ITSO ) role at Senior Practitioner level. He is currently lucky enough to live in and publicly serve the beautiful county of Cornwall in the UK.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.