Are you living in a bubble?
Now you’re thinking “Bubble? You what…”
Let me explain. My experience is that a lot of the time we security types – yes, you and me – don’t actually know what the rest of the departments within the business do on a day-to-day basis. We know they exist and what their purpose is, but we don’t appreciate their pain points. We’ve all heard, way too many times, the quotation from Sun Tzu’s “The Art of War”: “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
I would argue that a lot of us don’t know our own organisation as well as we should, let alone the enemy.
If we consider a typical enterprise organisation, it will have departments such as HR, legal, sales, PR, marketing, accounts, IT and many others. These all have their own objectives, their own stresses and strains and targets to meet. Essentially they are in their own little bubble trying to do the best they can with what they have, and more often than not information security is the last thing on their minds. However, it is our job to help elevate their understanding of what we do and, most importantly, how we can help them to work more securely.
So if we are all in our own little bubbles, how can information security departments be effective for their businesses? As far as I’m concerned, if you work in this field and you don’t step out of your bubble from time to time, you won’t be effective in the least. (When I talk about effectiveness, I mean helping to create a positive and lasting change, that is, building a strong and permanent culture of security within your organisation.)
Yes, you may review third parties, you may assess project risks, you may get involved with pen tests and attend to incidents, but do you use these experiences to move towards building a more security-conscious workforce? I guess that most of you do not. In truth, I don’t think most security departments are actually all that effective. They exist to serve compliance or some other tick-box exercise. It’s a case of “We do our jobs, and then we go home”. There’s nothing wrong with that if all we are interested in is hanging onto our jobs, but if we actually want to be effective, I mean if we want to change behaviour, then we need to change the way we approach our work or else we’ll keep going round in circles forever.
(Maybe, though, we don’t really want to change anything and deep down we think, “What difference does it make to me? Ah, none really…” Cynical? Or just a little too near the truth?)
In fact, effectiveness isn’t all that difficult. It means occasionally stepping out of your bubble and making an effort to appreciate the needs and wants of the business you work for. You need to listen, learn and adapt to what the business actually does on a daily basis. If you can do that, you can then begin to see new ways of working together with your colleagues, understand their difficulties, foresee problems looming ahead and do something to prevent them from happening.
Here are a few bubble-destroying suggestions. You might have thought of some of these practices already, but if not, why not try them and see what they do for your effectiveness within your organisation?
– Create a brand for your information security team or department. Be creative, ask the marketing and PR teams for a little help.
– You should be seen and known outside your own immediate circle. When was the last time you stood up to give an information security briefing to the organisation? When was the last time you actually walked around to different teams just to introduce yourself and have a little chat? Little chats can open doors to really worthwhile exchanges of information. Never think of a little chat as mere gossip or a waste of time.
– Have a mission statement. Look at the corporate mission statement and align yours to that. You could even come up with a snappy slogan. Whatever it is, it will make you more approachable, and approachability is the first step towards increasing your effectiveness within your organisation.
To conclude, I would argue that if you’re a CISO/CSO/Head of Information Security or whatever senior security position you hold, building security culture should be your strategy.
So, don’t float – stand up and pop your bubble.
By Mo Amin, Information Security Consultant, The Roer Group
Bio: Mo Amin is a London based information security consultant. He is currently working with The Roer Group on the Security Culture Framework (https://scf.roer.com/) and the associated training at learn.roer.com. He can be found on Twitter @infosecmo and also attempts to maintain his personal blog at http://www.moamin.com.