One of the constant challenges for security professionals is that, to the rest of the world, they bear an unusual resemblance to marathoners. They speak a strange language, like to hang out with other people who are into the same thing, and even seem to want to leave a mark on traditional holiday pastimes, for example by wanting to turn the tried and true traditions of overeating, sloth and gluttony into opportunities for doing something new that they swear will make you better (or by explaining how you should and should not shop on Black Friday / Cyber Monday). Not surprisingly, like runners, they get a LOT of weird looks for trotting out these ideas. And, as runners should, I advocate that security professionals embrace that weirdness and keep trying to bring the family along. The one thing they need to realize is that no multi-marathoner is made overnight, or even over a single year (on average). To get business-oriented people invested in security, you are in for a long, at times slow, haul.
One of the communication challenges that we seem to trip over in security is likely a consequence of our large personal investment in the space. In many circles, to be considered a “real” security professional, you’ve probably logged hundreds upon hundreds of hours of learning, absorbing and conversing on the topic. This is very similar to the investment it takes to become a repeat long distance (half marathon or longer) runner. When that marathoner tries to talk up the wonders of Boston or any other long race to (sedentary) Uncle Ralph and Aunt Ernestine over the turkey dinner, there is so little common ground that in many cases the conversation is at best awkward and mostly dies without in any way changing Uncle Ralph’s near-term plans. In fact, Aunt and Uncle are left thinking that the running side of the family is crazy and “not normal”. As uncomfortable as it is, as either a security pro or a long distance runner, I want to assert that this failed conversation is partially, if not mostly, our fault. As industry experts, we often bring unreasonable expectations to the table and seem to be continually surprised by how little changes when the mismatch in world view is so large.
Someone outside the conversation who is interested in making progress, not seeking perfection, would likely suggest that Uncle Ralph and Aunt Ernestine would be much more open if the conversation were tailored to them and had goals related to their interests. Unfortunately, a really high percentage of security people say, “It doesn’t matter if you like it; you have failed unless you do something in ALL the domains, or have compensating controls in every location.” I understand that perspective: given ever-increasing attack surfaces and the ongoing rise in attacks, it is natural to feel that we have to be as far along as we can. I just don’t think it’s actually helping move our customers, and consequently our domain, forward overall. Just as getting off the couch improves your fitness, marathon or no, you don’t have to do and solve everything to improve your security posture. An awful lot of breaches seem to happen to pretty unprepared organizations, and I think there is a relationship between an expert’s pursuit of perfection (or inability to speak in a compelling way to the business) and the failure of many businesses to move toward more secure underpinnings.
If the goal is to make your organization more secure, I want to challenge the idea of all or nothing. If you aren’t winning the hearts-and-minds campaign, to the point that you aren’t getting improvement in any domain, you are in the process of failing. You failed a lot more than you would have if you’d gotten just one improvement. You can always build on one improvement. I understand that in some places no one can make changes, but if others around you are making progress in other domains, odds are your approach isn’t working. Just as a runner starts with 1 mile, progresses to 5K races, builds to 10K, then a half marathon, then a marathon or ultras, you need to focus on a single, incremental improvement at a time as part of an overall agile improvement strategy for your organizational security and business continuity.
What if you personally haven’t been able to make that one improvement and start building on it in your organization? (Assuming that others are making improvements, either in your domain or in others.) Well, then you may have a reputation problem you have to solve as the first step toward that one change. If everyone in your organization knows that your Team One is other security people, and not the business or the management team, that means you are not their Team One either. Since you are not perceived to be working to make them successful, you likely have low to zero credibility within your organization, and you personally will be unable to effect change.
Let me expand on the credibility statement. You may very well be a well-respected person considered an expert in security. Your challenge is likely that you are not perceived to be a team player in and for your company. They may perceive that all your security knowledge and skills are focused outwards, or that you cannot translate your knowledge into useful, simple, pragmatic, single-increment, agile, business-centric improvements that will work internally. You are the runner who uses esoteric terms like fartlek and rolling repeats, and talks about how awesome anti-chafe is, to normal folk; terms that only make sense to, or frankly are only interesting to, other long distance runners.
This holiday season, why not try something new? Why not change your approach? You and your audience might just give thanks for it, and well before you need to double down on turkey next year. If you really listen to your audience (the org), you can find out what the org is willing to work with or on. You can help them identify what changes they are willing to make and how to be successful at those changes. Strive to create a common goal your audience is interested in and can aspire to. As long as you are still alive, and still there, there is hope for improvement. Think of it like getting your uncle and aunt to start walking a mile a day. If you spend time making sure they are set up for success, and maybe even walk with them, maybe eventually they will join you for a 5K. Something solid in every domain will come. Don’t let perfect be the enemy of good, either in running or in organizational security.
Image courtesy of marcovarro @ Shutterstock