Why security pros fail (and what to do about it)

You've probably heard the phrase, "Failure is the key to success." But are security professionals really learning from their mistakes? As identity theft and online risks keep growing, is our industry rising to the challenge or repeating the miscues of the past? While security technology is improving, the bad guys also have access to better tools. So are the good guys working smarter?

Conventional wisdom says we need more staff training and technical security certifications. Others say higher salaries, a better understanding of the bad guys, more executive leadership training or more top-level executive buy-in are needed. While all of these help, I've seen security staffs with all of the above fail.

As I've traveled the world, I've identified some common traps that cause security pros to fail. What works and what doesn't in achieving the best security results? If you call yourself a security professional, here are seven lessons you need to learn. I originally examined these lessons in a series of posts on my CSOonline.com blog, where you can find expanded thoughts on each problem and solution.

Problem #1: Security Is Thought of as a Disabler

Security professionals are often viewed as the party poopers. This threatens the credibility of every security consultant. Are you bringing problems or offering solutions? Are you viewed negatively by the business?

Take cloud computing, for example. The technology world is rushing into the cloud, but while thousands of positive articles are being written about the ROI and transformational aspects of new cloud architectures, the security world is busy printing articles about why the cloud is a bad idea.

Key #1: Become a Facilitator. So what can be done? Stop saying "no" to your customers! Offer secure solutions. Be an enabler. Tell them how you will ensure that their project is delivered on time, on budget and with the right level of security. Ask yourself whether the business sees value or roadblocks in your approach.

Back in 2004, when I was Michigan's CISO, I was in the "no wireless" camp. I quoted many experts from the NSA and other three-letter agencies who said that wireless networks simply could not be protected. My boss at the time was Teri Takai, who's now California's CIO. She challenged me to deploy secure wireless, following examples from several companies. Teri's advice made me rethink my business approach. Over time, I became known as an enabler of new technology, and Michigan won awards for our secure wireless networks.

Problem #2: Security Offers Only One Solution

A second common mistake that security professionals make is to take a one-size-fits-all approach to cybersecurity. We see things as black and white--for example, either it's encrypted or it isn't.

The common perception is that enterprise architecture teams come up with a great design that the programmers, network guys and everyone else agrees to, only to have security come in and offer a "solution" that totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more--it's so much that the cost increases keep the project from moving forward. While the security staff may view providing this kind of answer as a can-do approach, others see it as creating impediments.

Key #2: Offer 'Gold, Silver and Bronze' Options. Try to offer at least three alternatives. Look for other solutions from Gartner, Forrester, tech magazines and colleagues at other companies. Check with industry associations, former coworkers and outside experts who can help come up with a range of solutions. Help the business understand the risks associated with each option, then let its members make the final selection.

One warning: Watch out for people who always pick the cheapest answer. Don't offer alternatives that won't work or that you can't live with. If the mood in the room is totally low-cost, make sure that the risks are made clear before agreeing to deploy a "bronze" approach.

You might even have to bring in an outside expert to brief everyone. If you have a bad relationship with the business people, consider allowing them to pick the expert--but make sure the person has credibility in the area being discussed.

Problem #3: Not Enough Humble Pie

No doubt, customers across the globe would prefer to work with someone who has a positive, friendly, humble, patient attitude. Unfortunately, this description doesn't fit many security professionals (except when they are talking to other security professionals). Rather, we tend to bypass processes and demand urgent action for the-sky-is-falling-level priorities.

We preach against fear, uncertainty and doubt (FUD)--but we don't practice what we preach. Why? Because (regularly updated) FUD usually works. Security staff use legal compliance, dark-side hackers, malware problems, Third World threats and identity theft as trump cards. Staff can act as if these challenges are the only problems truly worth fixing. Bottom line, we forget our place and the reason for the security team's existence.

Key #3: Display Genuine Humility with Professional Excellence. The old adage "Pride comes before a fall" needs to be at the forefront of security professionals' minds. The bad guys are always getting better. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and on when you are truly done. What worked today may not work tomorrow. So be careful about the promises you make to others regarding the protections you are deploying.

Goals in this area should include good collaboration and following established project life-cycle processes that build in security. Declare an emergency only rarely, or others will think you are crying wolf. Seek to be a respected team player. Treat others as you would have them treat you. One tip: Join the office softball team or take part in some other fun company activity.

Problem #4: Believing the Customer Is Clueless

So, here you are with that annoying client. You've thought it through and concluded that the business team doesn't understand computer security. They don't realize the risks they are taking. They just want to check the box quickly and move on. They won't pay for the controls, and you're being forced to try to convince the auditors that you're in compliance.

Worse than that, you've now concluded that the business team will never get it. You've emotionally checked out. This has led to an unspoken us-versus-them mentality at project meetings. Problem is, they've got the money, influence and power to make things happen.

Key #4: Improve Customer Relations by Separating the People from the Security. One industry expert who has successfully completed dozens of major integration efforts told me this: "True, we always need to overcome people, process and technology issues, but they are not even close to being equal in difficulty. Over 90% of the problems are really people issues."

For starters, the business is made up of people. These people have families, play golf (or another game) and cheer for local sports teams. Remembering this will help you resist the urge to demonize them or write them off. More than that, it will help you separate the tough issue you're addressing from the person you disagree with. Remember that the relationship will usually last longer than the current challenge. Get to know the business, one person at a time. Build trust. If you listen to your customers over lunch, you will naturally build relationships that outlive the bad things that happen. The customer is (usually) not clueless--so figure out what you don't know that he or she does.

Problem #5: Personal Cyber Ethics: Are You an Insider Threat?

Many security pros see themselves as white-hat hackers who are exempt from the policies everyone else must follow. Does this quote from an anonymous hacker hit home?

"Cyber ethics? Hello! Most hackers I know think that phrase is an oxymoron. Rules are for kids and other people we need to keep in a box. Policies? Are you kidding me? Those rules don't apply to us... This is war, baby. Cyberwar never sleeps. All's fair in love and war."

This perspective puts you on a slippery slope. The reality is that the smarter you are, the more you advance as a cybersecurity expert, the farther you go as a hacker, the greater your temptation becomes. As you learn what the bad guys do and how they do it, the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he or she take a bit while no one is looking?

Key #5: Seek Accountability, Find a Good Mentor and Practice Virtual Integrity. We claim to be focused on risk management, and yet I never cease to be amazed at how security pros underestimate the online risks they are taking in their personal and professional lives. They risk their jobs, reputations, marriages, families--they're even at risk for jail time. Bottom line, they think they will never be caught doing whatever they're doing in cyberspace.

Here are a few tips to avoid falling into this trap:

1) Seek advice from respected colleagues regarding practical ethical behavior. Find one or more accountability partners who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists and athletes are accountable to coaches. Everyone who strives to improve needs accountability.

2) Find a trusted industry mentor whom you admire. Make yourself accountable to this person regarding the direction of your professional career decisions.

3) Practice the seven habits of online integrity found at www.govtech.com/pcio/Seven-Habits-of-Online-Integrity.html. After identifying your core beliefs and ethical boundaries, adhere to your values.

Problem #6: Career Burnout

Most security professionals experience symptoms of burnout at some stage in their professional careers. In one poll last year, over half of the security professionals surveyed said they were unhappy in their jobs. According to an online help guide, you might be heading toward burnout if:

* Every day is a bad day.

* Caring about your work or home life seems like a total waste of energy.

* You're exhausted all the time.

* The majority of your day is spent on tasks you find either mind-numbingly dull or overwhelming.

* You feel like nothing you do makes a difference or is appreciated.

Key #6: Perseverance and Work-Life Balance. We all need to recognize that stress and potentially even burnout come with the territory. Prepare for stress like you anticipate weather changes. Look for the warning signs. Being keenly aware of the burnout possibility is a first step.

Second, take some time to step back and analyze your situation at least once a year. Schedule some time to get away, and try to disconnect for at least part of the break. If you do check in with work during vacation, put barriers around your time. Talk about how things are going at work with those you trust but who have a different perspective. Get professional help from a doctor, if needed.

Third, recognize that your career is more like a marathon than a sprint. I like this quote from preacher Charles R. Swindoll: "You're through. Finished. Burned out. Used up. You've been replaced, forgotten. That's a lie." There is always hope.

Problem #7: Career Perspective Stuck in a Box

We all need to learn the power of the Pareto principle, which states that 80% of the effect of our work comes from 20% of the causes. In John C. Maxwell's book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:

* 20% of your time produces 80% of your results.

* 20% of the people take up 80% of your time.

* 20% of your work gives 80% of your job satisfaction.

* 20% of the people will make 80% of the decisions.

* 20% of the presentation produces 80% of the impact.

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many security pros have given up trying to improve at all, or work only on improving their technical skills.

Key #7: Lead by Moving Beyond Your Position Description. So, how can we avoid this career dead end? What is outside-the-box thinking in a security context? How can all of us gain a wider perspective to help our careers and our business clients?

Here are a few pragmatic strategies:

1) First and foremost, understand that the box placed around your position is a good thing that must be respected. Always complete your stated duties, or you may be labeled as lazy and not respected.

2) Volunteer for key committees or important ad hoc teams. Strive to lead, deliver and exceed expectations in these roles. Start a blog or wiki. Don't hoard knowledge; freely give it away.

3) Generate good ideas. Look for organizational needs that aren't being met. Discuss these problems and potential low-cost solutions with your management. Think partnerships--beyond your own organization. What industrywide opportunities can you take advantage of?

In conclusion, my high school football coach was the first to convince me that "you can't keep doing the same thing and expect a different result." Let's apply that truth to security.

This story, "Why security pros fail (and what to do about it)" was originally published by CSO.
