Chris Clymer, SecureState - Not so long ago while flipping through channels on the TV I happened upon a documentary of the United States Army's Special Forces, also known as the Green Berets. Never having served myself, my perception of this group was always based more on movies like Rambo where the Green Beret is an unstoppable one-man army who takes on the bad guys singlehandedly. In the real world, of course, this turns out not to be the case.
The Green Berets have many different groups and many different missions. And while like Rambo they are expected to have exceptional and specialized combat skills, what was fascinating to me was the focus on "soft skills." One of their missions is to build insurgent and counter-insurgent groups from whatever groups of people they have available. They need to be able to communicate with natives of foreign countries, train them in the use of weapons and tactics, and lead them into battle. A single 12-man "A-Team" is expected to be capable of building and leading a 200 member guerrilla force! Within the military this is called a "Force Multiplier" and it's a very powerful concept.
In Information Security we have a lot of Rambos. We're used to being looked to for answers, and we're also used to being in the minority. There will always be more users, more IT staff...more "natives" who do not speak our language and who do not have a strong understanding of information security. We often see these natives as the enemy, only interested in preventing us from reaching our own security goals. We all want to be the hero and it's easy to throw a 50-cal over your shoulder and attack the natives, fully believing that you're doing what's really best for your organization. And while you're busy firing all those bullets, it's difficult to find the time to step back and assess whether you have actually hit your targets.
What we need in our field is more Green Berets. Rather than shouldering all the responsibility and trying to push entire organizations along on our own we need to partner with them. Identify the individuals and groups within your organization which are necessary to successfully implement security policy. Learn how to speak the native "language" for that business unit or individual. Learn what their goals and objectives are, and help them to meet those goals whenever possible. Establish yourself as a trusted partner within security who is in the same fight that they are. And teach them as much as they are willing to learn about security tools, techniques, and tactics.
No matter how big your security organization becomes, you will never have enough staff to handle every security task for the organization on your own. By partnering closely with other business units and considering them part of your "guerrilla army" you can build a much more effective security program. Or you can tie that red bandanna around your head and go it alone with nothing more than your trusty hunting knife. You may have some great success in the short term, but eventually you will become outnumbered, overwhelmed, and ultimately fail to fully secure your organization.
Chris Clymer CISSP CISA GPEN GWAPT, is a senior consultant with Secure State, a Cleveland based security consultancy, and a co-host of the Security Justice podcast. With a background in both technical security and risk management he strives to bridge the gap between both worlds.
See more security tips from SecureState:
Simple steps for smartphone security
PCI DSS: 4 things to expect in the new version
Best time to perform PCI compliance activities
15 must-listen podcasts for security pros