Information Security Strategy Meets Tactical Execution.

#NOFUD

Over the past couple of weeks, nearly all the conversations I’ve had were related in some way to SolarWinds – except one.  A friend of mine called, and, as in previous conversations I’d had that day, I dove into the impact and potential impact on the supply chain, etc.  After a second of silence he said, “What are you talking about?!”  For those within the security and IT fields, across industries, both public and private, it’s been a harrowing couple of weeks. For those on the outside, it has dropped from the news cycle and life goes on.

Reflecting on those countless discussions, it became clear that fear, uncertainty, and doubt were the drivers.  Why?  We all know that fear isn’t actually a motivator; in fact, it’s the opposite.  It leaves one in a constant state of anxiety, which can easily lead to paralysis.  Unfortunately, we see fear used everywhere in our industry.  Companies use it to express the dangers of clicking on phishing emails or sharing information internally.   Product companies use fear in their marketing and sales pitches to try to get prospects to buy.  Consultants use fear in their reports in an effort to get clients to remediate findings.  Even password requirements rely on fear in their many demands.

Can this latest discovery serve as a wakeup call?  Is there a better way to communicate to those outside our realm, including within our organization? Or is this just confirmation – “See, I told you so!”  How can we as an industry do better?  How can we help our organizations by truly understanding what their goals are? How can we help to drive our organizations and stop being just the gatekeepers?

Understanding Goals

Those responsible for security, both strategic and tactical, must make it the core of their job to fully understand and embrace their organization’s strategy, vision, operation, functions, and culture.  Without an in-depth understanding, one cannot create and execute a security strategy; rather, it becomes a checklist of controls.

Be a Leader, Provide Guidance

Leverage the organizational understanding and provide resources.  Instead of only providing statements of policy, get in the trenches and work with the people in your organization – provide real training and skills to help them.  Those in security are excellent at problem-solving and identifying opportunities that are often overlooked.  You will likely learn more about your organization and improve your strategy and tactics within your program. The modus operandi should be onboarding everyone to the security team; a focus on building relationships based on mutual understanding is the key.  Regardless of the organization chart, security should be in a position of leadership, rather than a forced obstacle.

Remove Obstacles

Does everyone want to work with you and your team?  What is your reputation?  Is fear your driver? Do you bring more than “No” to the table?  Perception is reality.  If fear is the driver, if the posture is authoritarian, should we be surprised when people move away from pain?  Security is a people problem and always will be.  We must be in a position of cooperation and providing solutions.  We must really understand our impact, both day-to-day and long-term.  That doesn’t mean we shy away from making hard or unpopular decisions.  It means we are holistically diligent, partnering for their goals, not ours.

In the end, how can the security function move from the myopic goal of protection to that of an enabler that protects?  Let’s be known for making the needs of the organization happen and supporting its success through understanding, diligence, communication, and teamwork.  #NOFUD

  

OCTELLIENT - Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments.  Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.

Chris Cathers