
‘How to Win Friends & Influence People’ for Security Professionals

January 4th, 2009

Yep, that’s right – I got all serious with the whole “security professionals” thing. Here in SecurityLand, we’re all trying REAL hard to take ourselves seriously these days, and that’s not wholly bad. But what I’m about to tell you is not for the faint of heart – and definitely not for those of you who take yourselves SO seriously that you walk a little funny and I’m missing my broom handle.

The key to being successful in security is to work WITH people. Thinking you have some “power” to say NO to business unit folks (you know, the ones that actually make your company money?) is a completely wrong mentality these days. No, I’d go so far as to say that the REAL risk management professionals of the world, some of whom are more technical, others more on the analytical and processing side of things, are good at understanding that you are solely around to provide INPUT and OPINIONS. Let me ‘splain.

No one really likes the concept of security people controlling things. Not the business unit people, the operations people, the programmers, nobody. So it’s easy to get a bad rap in the security biz when you take that approach. I used to laugh with one of my colleagues named Tom at a Company-That-Shall-Not-Be-Named about the horrible nepotism that went on – the CIO’s brother-in-law knew someone who had a software company, and that guy knew some good consultants, and the next thing you knew, a critical enterprise application was being coded and implemented by Joe Bob’s Bait, Tackle, and Software.

The funny thing? We couldn’t change a thing about it. The CIO wanted it to happen, she had the influence, and we just had to figure out how to implement the damn thing. What does all this lead to?

It’s the concept of working WITH people instead of against them. We security folken tend to think we’re smarter than the average bear, and hey – maybe we are in lots of cases. But a bunch of smart people endlessly poo-pooing stuff gets you exactly NOWHERE in business. Business is risky. Companies take chances. They deploy stupid apps to lure in new customers. They try ridiculous marketing campaigns to get leads. You will not change that, so here’s my goal for all of us – work on helping these people do what they’re going to do anyway…SECURELY.

This means a bit of a paradigm shift for the average security person. You have to go into a project planning meeting, or a tollgate in an existing project, with the intent to say YES, with perhaps a caveat or three. Not NO. Nope, nobody likes a NO person. How about “Yes, but with X”. Compromise. Point out the ways things could be done with lower risk, and find the happy middle ground where you get a little more security, they get a little more development work and an extra week of project time or the cost of a pen test, whatever, but work on being a help instead of a hindrance, and you’ll go far.

Over time, people will loosen up a bit. They’ll actually listen to you. You’re there to help, remember? Think of yourself as an internal consultant to the business units and operations teams, and make customer satisfaction your primary goal. Eventually, security will actually get better with this approach; I have seen it with my own eyes.

Categories: Information Security, Musings
  1. Andrew Kalat
    January 5th, 2009 at 15:08 | #1

    Well, for the most part I agree with you, to a point.

    A few counter-points:
    First: If you are responsible for the security outcome, and your job depends on getting it right, then you need authority. Too often, security folks have no real clout, and as such are ignored, then thrown under the bus when things go bad. If you can build in a certain level of immunity, then you can play it as you state above. If your ricebowl depends on keeping other people from being security ignorant in their business goals, then sometimes we have to put our foot down to get heard. It’s the old thing of responsibility without authority. It’s often a no win.

    Aside from that, I agree, we do need to be more collaborative with those who will collaborate with us. However, that requires a business process that includes security EARLY in the process. If security is a bolt on after the fact, you’re likely already on a ticking time bomb.

    Second, Jack Bauer never apologizes or compromises, and he gets all sorts of respect. 😉 Come on, think how well a security review would go if you kill the first two idiots in the room and shout “WE’RE RUNNING OUT OF TIME! TELL ME WHAT I WANT TO KNOW!”

    Try it. Tell me it doesn’t yield results…

  2. admin
    January 5th, 2009 at 18:29 | #2

    @Andrew Kalat
    Hilarious, Andy, I can always count on you for the “security maniac” approach. The lack of authority is a problem in some ways, agreed, but I believe we can usually overcome MOST, if not all, of those with a better sense of collaboration. Now, if security is just hated and loathed and completely ignored with executive blessing, that’s no good either. Every situation is a bit different, for sure.

  3. January 7th, 2009 at 17:04 | #3

    Hey Dave,
    I agree with your position. It’s all about the business. Security should be seen as an enabler of business. I do think it’s the security manager’s responsibility to document the risk, and have management agree that they are willing to take the risk. This may also be an opportunity to get someone from audit on your team. Otherwise you may be the first one to be thrown under the bus when, at best, some off-shore contractor changes or deletes something they never should have had access to in a million years, or, at worst, your customers’ private data is stolen and you’re on CNN.
