I have spent almost 25 years in various roles of the Information Security profession, and over those years I have noted that, as the years go by, there is a maturity that develops in InfoSec professionals. In my early years, I was given the nickname in my office "the Security Czar".
Now, early on, my belief in this nickname was one of great pride; it must have meant that I was all knowing. I was always right. I was brilliant. As I learned years later, the nickname came primarily because I was authoritative in my ability to say NO to pretty much any request, which I could justify with my limited set of argument tools: FUD. Now, those of you who are InfoSec professionals understand FUD: Fear, Uncertainty, and Doubt.
As I look back in retrospect, FUD has a place. However, it is typically used primarily by younger InfoSec professionals who do not have the breadth of experience to justify, or educate, their consumers.
As the years went on, I learned through good managers to do my homework and identify true risks. This did not necessarily change my Czar focus, however; I just got a bit better at having good, defined reasons for saying no. It was in my job as the only Security Professional for a small IT Consulting firm's HQ that things changed for me. This was the first time I had ever been hired into a Security job, where the company expected me to be the all-knowing, thoughtful security guy. I had a dual role at the time. Clearly I was the de facto CSO and, more importantly ... about every 3 months I was transferred to the CFO and became the IT Auditor. Now, as I would learn shortly, this is a relatively large conflict of interest, but it is irrelevant to the story. Over this relatively short period I learned an incredibly valuable lesson from the finance team. Everything is about enabling the business under appropriate risk.

This fundamental view change, from unable to enable, happened almost instantly when acting as the IT Auditor.
I had never done "Audit". So I read books, blogs, thought about the job from the consumer of the audit, and most importantly thought, "if I were an executive, what would I want to know?"
Since that time, I have moved on as a Security Consultant, Architect, Program Manager, Strategist, and Business Unit Leader. This journey ... to me ... led me to the inevitable InfoSec Professional reality: tell the truth, to ENABLE your clients, partners, and executives to perform their mission with a real understanding of their RISKS. Try to understand, quantify, and demonstrate risk reduction with FACTS.
I see in young InfoSec Professionals the same early Czar tendencies I had. I teach them about basing their ideas, recommendations, and guidance on Risk, clearly laid out through fact-driven conversations; gauging their customer's RISK APPETITE; and ENABLING their success. Years of experience will teach these young professionals to get to this point. Be their voice of reflection reverberating in their heads. That's how you get from Unable to Enable.