The Power of Communication and Compassion

How many times have you heard that it is easier to catch flies with honey than vinegar? That can be applied to everything in life and especially securing your environment. Your team, coworkers, and customers all deserve to be kept aware of how our security teams operate and work to support them.

The Iron Fist

It was commonplace, 10 years ago, for the CISO or head of security to operate like a ruthless dictator. They would demand teams do one thing or another for the sake of security and do it with an iron fist. This method of securing a network worked because the companies didn’t understand security and they feared the unknown, so the company blindly did whatever the CISO said. It also didn’t make anyone in the company enjoy their presence. To a lesser degree, ruling with an iron fist still exists. If you work for one of those companies, I am sorry. We aren’t all like that.

But we have to dictate how to securely operate, right?! Of course! There will always be times that you have to correct actions, but you should do that with an open mind, listening to problems and helping them come up with solutions. Most people get fixated on a particular solution and close themselves off to anything outside of that. Help them navigate that so that you can make sure the solution that works is also secure. Being a team player with everyone wins some major brownie points. Not only are they able to move forward with their job, but you build trust and respect with them for when you need them to do something that they aren’t looking forward to doing. Ever find someone excited about wiping their machine? Neither have I, but if you have been in security long enough, you have told at least a couple of people it was the fastest and most reliable solution. Having some built-up trust and respect helps ease that burden, knowing you were in their corner before.

Third Time’s a Charm

Patching… Everyone hates an unexpected reboot due to patches. Work on a good communication plan with timing your coworkers can count on. That may vary from company to company, but I found repeating it 3 times is the most effective. I have no idea why. There is probably someone that could explain it, but it is a tried and true method that I have been using for the better part of the last 2 decades. I like to communicate it a week before, a couple of days before, and the day before patching. That plan works far beyond patching as well. Use it for security awareness training, policy changes, you name it, and it works for the masses. There will always be a couple of stragglers, but forwarding that triple email chain typically quiets the disgruntled few.

Under-promise and over-deliver. I think that is the anti-motto of every salesperson on the planet. Sorry, salespeople! Inevitably you will run behind on a deliverable. You may tell your compliance team that you will have evidence submitted by the end of the week, but then have to deal with a major incident on Wednesday that runs into Friday, and before you know it, your week is up in smoke. You can’t always prevent the incident, but you can overestimate how much time it takes to get something done. If you think you can get something done by Friday, tell them Wednesday. Only need 1,000 licenses? Request 1,250. Always overshoot what you need to account for a margin of error. I have never had anyone mad at me because I completed a task early or didn’t have to go back to finance to ask for more money after a hiring surge.

Compassion

I brushed past compassion earlier, but let’s talk about how it can help. It is so easy to have the horse blinders on and to be hyper-focused on solving our security issues. They are everywhere, and new ones are popping up by the moment. We need to take those blinders off, look around, and take in the big picture. The majority of the people we work with are just trying to do their jobs. Even the folks that ping as insider threats typically aren’t malicious; they just don’t know better. Security is a big support role. We are critical to the business but are not the primary function of the business, unless you are a security consulting firm or security vendor. Try to see past the violation or complaint so that you can educate your teams on how to better conduct their work. Keep an open door and be approachable. If you can gain everyone’s trust and show compassion where you can, they will come to you if they feel there is a security issue. That is as close as you will ever get to securing the human factor.

I hope you all have a fantastic day, be safe, and stay vigilant!