When People Get It, You’ve Done Your Job
In this post I will attempt to tackle part of a problem as old as civilization itself: providing actionable counsel to leaders who may not have the knowledge, skills, and/or abilities needed to do it themselves. For those of us in information security, the issue is this: how do we provide information such that leaders and end-users alike will be able to make the appropriate risk-based decisions for the business and themselves?
I don’t really have an answer. But that begs the question, in that it assumes there actually is an answer. Rather, I think there are many answers, and they can be tackled in another post. What I do know is this: if you are an Information Security professional, this is your job. Further, I know that if people don’t get it, you’ve failed. If you’ve read my previous posts, 1) this makes you a member of a very small group of people, and 2) you know I have strong feelings about excuse-making. Claiming “they just don’t get it” is making excuses. Knock it off.
Like everything in life, there are exceptions. History is replete with analysts, guards, advisors, and counselors providing information to leaders warning of impending doom, only to have their warnings ignored. I get that, as does any thinking person. At the same time, my career - and others’ - includes moments when my inability to convey risk led to poor decisions being made. My job was to empower leadership with knowledge and good advice, and I failed. Sometimes miserably.*
I promise you this. I’ll never make those mistakes again.
Our lives and our careers are a process and most processes have multiple steps. One of the first steps in being an Information Security professional is accepting that your job is to make people get it. If they don’t get it you haven’t done your job. Go back and try again and keep trying. When they get it, you’ll know you’ve done your job.
I once failed to articulate the risks of open physical interfaces in a public place. The interfaces were trunked all the way back to our core network with minimal layer 2 and 3 controls. Talk about blocking and tackling... wow. It wasn’t so much that I failed to speak to the risk; rather, I failed to provide a vision for how it should have been properly implemented.
Putting together voice messaging security, I somehow didn’t think that user authentication and authorization to the mailbox should have been a focus of my time and my leadership's time. It was something that would have taken me a week to do, but instead I put all my time into advanced permissions on the data objects and management of the box from an administrator's perspective. Failing to focus on the user and his/her security cost me serious amounts of credibility, and I lost the trust of senior leaders. The lesson for more junior professionals is that you really need to focus on getting the basics right first.
Haroon Meer just posted something like this on teh twitters. I promise this is just a coincidence. But at least I’m in good company.