Don't say no

In Cybersecurity? Remove “No” From Your Vocabulary!

In the vast majority of organisations for whom I’ve provided guidance, the security departments are seen as something to work around, not alongside. In not one of those organisations was security actually seen as the critical and intrinsic-to-the-business asset it can, and should, be.

While I have written incessantly about this all being the CEO’s fault for not creating the necessary culture, the fact remains that most security professionals do themselves no favours. However well-intentioned our actions may be, most of us completely miss the point. Like it or not, our entire existence is predicated on achieving the following:

“To provide the business with all the information, and as much context, as we can to enable them to make the best decision they can.”

Yes, that may include decisions that we in security would consider completely unacceptable, and would likely never make ourselves. It may even include decisions that turn out to be really bad ones, but that’s just as much our failure as theirs.

The bottom line is that if we cannot speak the business’s language, if we are unable to convince them of the risks, we have failed them. There is no room for towering egos or hubris in security; it does not matter what we want, it only matters what the business needs. This will never be our decision, and we should never expect the business to speak our language.

I’m not saying that if you’re a cybersecurity professional you have to say yes all the time, but you should avoid saying no whenever possible. Frankly, it’s not your job to do so. And as much as we would love to believe that as security experts we’re here to help, and that we have the best interests of our clients at heart, we will never be anything more than enablers. What’s more, if we’re anything less than that, there’s little point in having us around.

In the movie Office Space, one of the most cringe-worthy moments was when Bill Lumbergh reveals the “Is this good for the Company?” banner. I remember laughing at the ridiculousness of the message, and laughing again when our hero tears it down. Almost 18 years later, here I am expounding the exact same message as that banner.

Why?

Because in security, we rarely have enough knowledge of the company’s big picture to put our guidance and recommendations into the right context. Even if we know what the company’s long-term goals are, unless we sit on the board we are in no position to appropriately address the risk appetite. A Sword of Damocles scenario to us may well be a necessary gamble to keep the business competitive.

That leaves us only 2 things to do:

  1. Explain risk in the format they respond to best; detail the impact of not doing what we suggest; provide suitable alternatives; and
  2. Cover your arse by having THEM sign off on the residual risk.

The business does not need our approval to proceed with even the most egregious risks, but that does not mean we have to like it. Legal have far more power than we’ll ever have, but even they have to compromise. That said, we are fully entitled to document our objections as part of the final sign-off, but we should never take this personally.

As a corollary to the last paragraph, never, EVER say “I told you so”! Given that it’s likely partially your fault that senior leadership didn’t make the right decision, your only focus should be to help mitigate the negative impact. Take the high road, you’ll be employed longer.

In the simplest terms, map everything on your Risk Register to the business’s goals, and only worry about the things that impact them. Doing the right thing in security is rarely, if ever, measured by security metrics, it’s measured by the company’s success.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs: 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a 3rd: expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue; the CISO is every bit as culpable.

Consider this scenario: an organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the Doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and needs someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps


Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program: 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter; it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1, and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing:

  1. Has the organisation followed the 10 steps? – If no, where are they in the process? If yes:
  2. Am I right for the job? – If no, can I help them find someone who is? If yes:
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…


Cybersecurity Professional

So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even fewer qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice: decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line: they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be: Specialist, or Generalist. You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same; you must find what suits you best.
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never, change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps: 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people. Use mentors too if you can, as while I have few regrets in my career path, not having a mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.


Don't Hate the Salesperson

Don’t Hate Salespeople, Hate the Person

[OK, so you shouldn’t hate anyone, but; “Don’t Have Significant Issues With…” is nowhere near as catchy.]

In an otherwise spot-on article by Peter Smith, “Why do we hate (our own) sales people?”, he made what I believe is a fundamental error. Especially given his premise.

He says of salespeople that they are the “…life blood of the company…”, that “If they don’t sell, the rest of the company doesn’t work.”, and finally that “These are your top performers.”. It’s the fact that many salespeople actually see themselves this way that causes a lot of the resentment or even hatred.

There is absolutely no question that sales is a critical function in any organisation, but it’s not the most important. There is no such thing as a most important department. It’s like saying the heart is the most important organ in the body; just try living without your liver.

Who makes the products or services they sell? Who delivers them? Who arranges all the financing etc? Who ensures the contracts are in order? Without any one of these things no company can survive. A real salesperson is only ever as good as the things they sell, and the teams around them.

I say a ‘real’ salesperson because they are the ones with both the integrity to only sell what the client needs (not asks for), and to use his/her entire support team in the process to ensure mutual benefit.

From my experience, the majority of my issues with salespeople fall into three main categories:

  1. Lack of Product/Service Knowledge: We’ve all met salespeople like this, all smiles and no substance. This is not a salesperson, this is a clown; a real salesperson is extremely well versed in his/her wares. They may not be an expert in the overarching subject (cybersecurity for example), but they know who is, and whom to bring to the table when required to answer the prospect’s questions. The best salespeople I’ve worked with are facilitators who piece together solutions by putting the right people in front of each other.
  2. Selling to Their Quota: I use the word hate way too often, but I REALLY hate the American way of selling. The quota system is ridiculous, and forces salespeople into a never ending spiral of price compression and end-of-quarter discounts. You sell my time as a consultant for half what it’s worth just to reach your target and we’ll be having a very short conversation. Words like ‘fired’ and ‘incompetent’ will be used liberally.
  3. Selling Outside of Their Skill-Set: To me there are two types of salesperson:
    Hunters – Very aggressive, easily bored, hates detail, DESPISES paperwork. Basically, these folks want to get in, get the deal signed, and move on to the next ‘battle’.
    Growers – Less aggressive, and tend to prefer to relate to the client on a more personal level. These are the folks who will take the initial sale and turn it into years of up-sells / cross-sells through their deepening understanding of a) the client’s business, b) the client’s people, and c) the state of their security program.
    Selling outside of your skill-set is a sure way to mess the whole thing up for everyone.

A real salesperson does none of these things, and I have met some truly exceptional salespeople whom I am also honoured to call friends.

So if you hate salespeople, you either have a company full of bad ones, or you have no idea what they do. Selling is difficult, VERY difficult, and a good salesperson has a skill-set most of us cannot even hope to duplicate. As an introvert, the very thought of doing what they do every day gives me the willies. And that is just the tip of the iceberg. From research on prospective customers, to getting the first meeting lined up, to pitching an appropriate statement of work, the amount of work that goes into a sale is enormous.

From the other side, and as Peter Smith said very eloquently: “If a person is worried about having sales in their job title, then they probably do not have the right DNA.”

Salespeople are necessary, they are NOT a necessary evil. But if you think you have what it takes to be one, try it for 6 months, 99% of you will beg for your old job back.

I know I would.

From Corporate, to Start-Up, and Back Again

In 2013 I was made redundant from a company where I had worked for the previous 12.5 years. I had grown with the company from the 14th person to join (as a firewall admin) to a position leading 28 people across 14 time zones in a company of over 1,000.

I subsequently discovered that I was basically unhirable, so I started my own consulting practice, which I thoroughly enjoyed. I then joined a very small start-up for a year, which I thoroughly enjoyed, and went back to my own practice.

I swore up and down that I would never go corporate, ever again. I convinced myself that there was never enough freedom, or room for innovation, or ability to make a difference in a large organisation to EVER go back. Not that ‘corporate’ would ever have me back.

Now here I am, at the end of my 3rd week at an organisation that is bigger by far than any I have ever worked for previously.

…and I’m thoroughly enjoying it.

Many times in the course of my blogs I have expounded on the need for self-reflection, on being honest with yourself enough to know when something was entirely your fault, and to adjust your career choices accordingly. Well clearly I had mistaken ‘corporate’ for my own inability to effectively create the change needed to stop me from being made “redundant”.

While I’m not saying I now have that ability, as I will always have a big mouth, when you’re in an organisation where ALL seem to want the change you’ve craved your whole career, it’s a feeling unlike any I’ve ever experienced at work. I’ve never needed, or even particularly wanted, to be part of a team growing up; I now find myself in one.

…and I like it.

Frankly I’m not even sure why I’m writing this blog, except perhaps as a tip for those who find themselves in a position where they cannot decide on what’s the right place for them to work. Corporate, start-up, self-employed, or somewhere in between. Every one of my jobs had its benefits, and had its downsides, and I’m under no illusion that this one will be the same. The only difference this time, is that I have now seen both sides of the fence.

It’s not the fence that matters, your skills and talents have no fences.

The only reason I think that corporate fails to attract the truly entrepreneurial is that they are still very attached to job titles and descriptions, effectively pigeon-holing a person into a role that will always limit them. It’s the organisations that go looking for talents to fill known functional gaps, but then get out of the person’s way, that will attract the game changers.

Not saying I’m a game changer, but my title was only assigned to complete a field in the HR system, and my job description was a run-down of the challenges my new organisation was facing. And in just 3 weeks I have not only learned more than I did in the last 6 months, I have a learning curve ahead of me for which I can see no end.

I loved running my own business, and have no regrets about the start-up, but this little adventure is a revelation that has me very excited for the future. And the lesson I learned from all this?

Don’t limit where you look for your next job, just ask the right questions.