You did the impossible and landed a job in the high-tech world of computer security. Now you have a few years in the security profession, and some days security feels like a mission impossible. Leadership is cutting the security budget, engineering has little regard for security, compliance always takes top priority, engineers endlessly debate whether a bug is a security concern, and even when they agree a bug is a security concern it is placed at the bottom of the pile. Is anyone listening to you? Does this sound like you? Wondering how to show some success and take your career to the next level? If you're just getting started in security, then I recommend a previous post, “So You Want to be a Security Professional?”
First things first: take a deep breath, now let it out, and congratulate yourself. You're a security professional. Computer security is a really tough job, and it does not take a computer security professional to figure that out. Hardly a week passes without a new security headline in the popular media. Somewhere in the middle of all this conflict is you, trying to get some work done. I will share a few observations from along the way that you may find helpful in your career.
This point is something of a generalization of all the points that follow, but I don't want this important message to get muddled: be positive. Unless you're selling security products, security is a business where bad news abounds. The challenge with communicating negative news is that most people have a very limited attention span for it. Once you cross that limit, they disengage. If the news is frequently negative and delivered with copious emotion, people have a natural defensive mechanism that marginalizes the concerns. We all do this. The point is, don't alienate yourself, since it does not help your mission. Fear is a motivator, but fear mongering will get you ignored.
Don’t be overbearing
New security professionals often learn the true state of security quickly, and when they do, it terrifies them. The problem is that while your security concerns for the company may be justified, if you come across as continuously overbearing, people will avoid you. If you're continually delivering your requests by hurling lightning bolts down from Mount Olympus, sooner or later people stop paying attention. This takes us to the next point.
Let your words matter
When you communicate, don't raise too many issues at once; be brief and tightly focused. This is especially important when you communicate up the ranks to your superiors. They likely receive many more emails than you do, so control your communications. Don't include any information that does not support your points. Don't include individuals on your email distribution who are unnecessary or not relevant to your topic. Big distributions generate more opportunity for distraction and for further communication that may take many follow-up emails to resolve. Extraneous communication is exhausting for you and a poor use of others' time. Consider alternative ways to communicate if they are faster and generate fewer questions: a quick phone conversation, or a 15- or 30-minute face-to-face meeting. Unless you're communicating with colleagues of many years, leave emotion, humor, and irony out of your communications, since they are easily misinterpreted by others. When you tightly manage your communications, communicate only your top priorities, and wordsmith every word, people will start paying attention to what you say.
People often conflate facts, hearsay, and emotion when they communicate. Part of making your words matter is being right when you do communicate. If you make a statement, include the facts behind it so your managers understand your thought process. Help them arrive at the same conclusions you did. Interestingly, if you are wrong, others will usually tell you why, and you will learn. There is more room for unsubstantiated personal opinion as you build your expertise, but until the day you become the expert, occasionally quoting recognized experts will not hurt your cause.
Be a good listener
Whether you're contributing in a group discussion, meeting individually, or reviewing email, pay attention to every word communicated. Then think about the information that is not being communicated to you. What's missing? How is the information being communicated to you? Is the discussion evoking some passion? You can learn a lot about how people feel on a topic, or what they know, simply by being a good listener. Don't be the one in the room who is thinking of the next thing they are going to say or add to the conversation. Instead, give the speaker your full attention. Similarly, if you're reviewing technical documents for security approval, think about the design being presented and also about what may be missing. It is often the information that is missing, purposely suppressed, or refactored into something more pleasing that is most pertinent.
Know your place within the organization ecosystem
Your job in computer security is to defend the business as a trusted business partner. The goal is not necessarily to reduce risk to zero. You need to understand your threat landscape. Any unreviewed areas of software code and supporting infrastructure are a huge risk precisely because that risk has not been properly quantified. Use some creative thinking: there are often ways to mitigate a risk, or perhaps to accept it for a short time while more systemic remediation is applied. Do some horse trading with IT staff. If you have “No Powers” or veto authority, use them very sparingly. Keep in mind that if you use your veto authority, be prepared to defend yourself to top leadership. They will think creatively, so it's better if you have explored all the options prior to any escalation. If you think security's only job is to point out all the flaws in the datacenter and the applications, then you have a lot to learn. Own and assume some of the risk, help others make the best decisions for the business, and you will earn respect. Be a problem solver, not the problem.
Education and self-improvement
Education is somewhat like financial credit. You can't get credit unless you have a credit history, so how do you get started? Likewise, a business requires employees skilled in the technology areas applicable to the business, but businesses seldom allocate regularly scheduled technical training sessions. Companies are trying to save money everywhere, and education is no exception. Conference budgets, book budgets, and in-house classes are greatly curtailed, and sometimes none are available at all. Often the employees in the trenches, who need training most, don't receive it.
Some of my best training has come from “brown bag” lunch sessions, where employees bring a lunch, set up a projector in a conference room, and watch some training videos while everyone eats. Most of us eat every day, so you would be surprised how much you can learn after a few months. I learned the basics of Java programming at brown bag lunches years ago. My advice is to take some responsibility for your own training. Dedicate at least some time each week to education and self-improvement. It's in your best interest to invest in yourself.
If you want to be a 9am-to-5pm worker there's a place for you, but it's not at the top. The higher you climb the corporate ladder, the more dedicated you must become. Life at the top comes with privileges, but you might not like what you need to do to earn those privileges. In my experience, top leaders are very dedicated and work many hours. This is especially true for people and projects that require management across global boundaries. If you see your manager skipping out of the office early at 3pm on a Friday, also take note of the after-hours meetings with overseas teams, the midnight calls when production servers crash, the emergency off-hours budget approvals to get critical business accomplished, and your own last-minute vacation requests. If you want to be in your manager's position, consider all the duties of the role, not only the perks, before you make a choice or criticize. Being honest with yourself and understanding what is important to you will keep you happy on the job and a pleasure for everyone else to work with.
Separate success of security from your personal success
I know this seems like a contradiction, but let me explain. Security is like medicine, and your role in security is much like a doctor's. Many people smoke and lead unhealthy lifestyles. When the doctor meets these individuals, they treat their conditions and encourage good health. A condition is not always curable, but doctors can often make life more comfortable. The doctor never shoots the patient dead because the patient is too sick. The doctor always does their best, with a professional attitude, and encourages the patient. Doctors make good role models for security professionals. People will not remember your personal challenges or how demanding they were on you. They will remember how you treated them and addressed their concerns. Don't let your passion for security, or for doing things correctly, jeopardize how people feel about you. Sometimes in security there are forces in an organization that are beyond your ability to influence to a successful outcome. Do your best, and if you fail, do what doctors do: move on and save another patient, since there are many.
To say security is challenging is an understatement. It's a profession rife with conflict and challenges. Standing out from the crowd of security professionals requires the tools to communicate with top leaders. Top leaders are creative problem solvers; they accept responsibility; they know when and where to speak and to whom; they choose their words carefully; they stay on top of the news and educate themselves; they are committed; and they get results. You will need to become more like your managers to enter their ranks.
Changing the environment around you is tough, but you always have the power to change yourself. I admit it's not easy to change yourself, but to the degree that you do, you will become more respected and better liked, and you will win more supporters, which will only help you.