Two years ago this summer, I became a single mum. It was a bit of a hectic time. I was pregnant with my second child, and my toddler was full of energy. I needed to quickly learn how to balance the little bit of energy I did have, to ensure both children were happy and healthy.
This year, I realised I’ve worked in technology for more than 15 years. Throughout that there have been many lessons I learnt – both smoothly and not-so-smoothly, just like being a parent honestly.
Security is often seen as a complex topic, so what better way to demystify it than to compare it to a topic many people can relate to?
Budget
Let’s begin with the most understood topic, budgets.
Whilst throwing money at a problem may or may not work eventually, it takes an incredible amount of resources to be able to do this. As a sole income, I don’t have an endless budget, so I prioritise what I’m spending money on, in order to ensure the basic requirements are met before the ‘wants’ are considered. An organisation is no different: it may have more resources than I do, but the budget will never be unlimited.
At 8 months pregnant, cleaning the house sufficiently was simply not possible, neither was keeping up with all the food shopping required for myself and my toddler. I hired a cleaning service and started a food subscription service. Whilst expensive, it was required and worth the investment for my family.
When it comes to security in our environments, does your organisation retain the required skill set and/or capacity to run all services in a SOC? Or is it worth investing in a third party service, and managing that contract instead of covering all the tier 1 and/or 2 services? Can your organisation carry out appropriate red/purple team exercises, or threat hunting activities? These are expensive to hire, but worth the investment for organisations who may not be able to carry them out on their own.
The goal for any organisation is to identify its inherent risk, the level of risk acceptable to it, and the controls and skills available. Knowing this, it can identify what needs to be supplemented.
Redundancy
At one point in my pregnancy, I became so unwell I was unable to get out of bed. As you can imagine, a toddler doesn’t comprehend mummy can’t move. They need to go to/from crèche, they need to eat, brush their teeth, they need to have all the normal support. As a single mum and immigrant, that became something above my ability at the time.
However, I had planned ahead and started building a community prior to this situation taking place – so thankfully I had support for my toddler while I recovered.
In an organisation, it is vital that plans are made for things like team illness, holidays, hardware failure, and outages of any kind. If you don’t plan for them, they will still happen, but end up costing more. I’m also including team burnout as a cost outcome of not planning appropriately here. A robust business continuity and disaster recovery plan can ensure an organisation continues to operate healthily, even during an outage event. The best time to implement these plans is before something happens, along with testing and validating that the plans work as expected.
Being a part of the right team makes the difference
My time is limited, highly limited. The time I spend with my littles is the most important aspect of my life, but as a sole income, I still need to work. Having a team I can both rely on, and enjoy working with allows me to keep my sanity in a hectic time.
I feel confident saying the majority of people don’t leave organisations because they enjoy making huge life changes and risking going to a new environment they may not like. In fact, working in security, I know people typically hate change. People leave organisations that they don’t feel valued at, be it a poor culture, low pay, or not being listened to. People are leaving because the organisation isn’t supporting them in a way they need.
Having a safe team creates an environment where people are able to grow, build their skills, and make mistakes that teach them how to go forward. Safe teams create environments where innovation is possible!
Organisations can support creating these inclusive environments by ensuring their hiring process is inclusive, and by providing both HR and hiring managers with training on how to effectively interview. When I’m interviewing I ensure I ask myself what I’m looking for specifically, so I don’t ‘hire in my own image’ and base my opinions on my actual needs.
Providing people managers with effective training on how to manage a diverse team will also enhance that culture. A top-down approach is massively more effective than expecting diversity to ‘naturally’ build itself, especially in my industry.
Capacity
I used to do a lot of volunteer work, tons of speaking engagements, and mentoring. When I became a mum, I had to learn to say no. Whilst I will do additional volunteering here and there, I am simply unable to do what I used to.
Often people come into a new role, and immediately want to change things. Often, they want to take the approach of what they’ve done before, be it a team style or technology, as they know it works… but does it?
In a new environment, you might not have the capacity or capability to align with that historic approach; you might need to adjust to the new team, budget, or even company culture. Give yourself a moment to reflect and assess what the best approach is before diving in. It is also perfectly acceptable to make small improvements that are sustainable.
For organisations, their role is to ensure teams are properly supported. As a consultant I would be asked to create a Target Operating Model (TOM). This included the concept of the skills required, but also the number of team members required to carry it out. If our teams are at full capacity all day every day, that will simply lead to burnout. Teams need to be in a situation where they have the ability to innovate and investigate, whilst still getting their daily work done.
Encouraging the right behaviours
I have two wonderful and adventurous children. Something I adore about them is their independence and confidence in themselves. They will stand their ground when they think they’re right. My biggest concern, when needing to correct an action – because they’re doing something unsafe – is to remove that confidence. I don’t want them to be passive, but I do want them to listen when needed.
For organisations, we want colleagues to do their job, but not to the detriment of security. As a consultant, there have been many failing projects that I was asked to review and support rollout, that didn’t consider the user requirements. When they went to deploy a new control, for example, their colleagues couldn’t get their job done and simply went around the control. Business relationships are key to this: your colleagues need to feel safe to say what they currently do, and feel like they can trust security with their best interest when changes need to be made.
It’s also worth noting that the way we measure success in an organisation, our KPIs and objectives, needs to support the behaviour we want to encourage.
Conclusion
Being a parent is hard; being mindful of security can also be hard for organisations to get right. Neither has a foolproof guide on what is expected and every situation you will run into. Both require being mindful of the people you have authority over, and ensuring you focus on their needs to grow together smoothly and healthily.
Zoë Rose is a highly regarded hands-on security operations manager and single mum. She has 15 years’ experience within IT security, working across multiple organisations and industries, from consulting to internal roles. Zoë prioritises education and effective guidance, to ensure her clients and colleagues feel confident in their ability to keep themselves safe.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.