I’ve spent a while in this business and have been doing time on planet Earth in a variety of roles in the security field; I’ve been a consumer, a CISO, a reseller, a service provider, and a vendor, so I think I have a good sense of shared empathy across the various perspectives that make up the industry's collective experience.
I get to spend my time traveling around the world speaking to very smart people; overworked, tired, cynical, devoted, and fanatical security folks who are all trying to do the right thing within the context of the service they provide their respective businesses and customers.
A lot of them are walking around in a trance however, locked into the perpetual hamster wheel of misery that many will have you believe is all security can ever be. That’s bullshit. I love my job; I’ve loved every one of them in this space. They have all had their ups and downs, but I know that I’ve made a positive difference in every one because I believe in what I’m doing and more importantly I believe in how I’m doing it. If you want to manifest misery, then you will. If you want to change the way security is perceived, you will.
Most of the people I speak to all have the identical set of problems and for some reason seem to be stuck in the same pattern and not doing much about trying to solve them. Now, I’m not going to try and get all preachy, but when I hear the same thing over and over, up and down the stack from the Ops trenches to the CSO and nobody seems to be able to gain traction towards a solution, I’m puzzled as to whether it’s the problem or the answer people are seeking.
In many cases, people feel the need to solve problems themselves. It's the classic "Dad won't pull into the gas station to ask directions when he's lost" syndrome. Bad form. Let's just pull over for a second and see if we can laugh this thing off and then get back on the road with a map.
I thought that I’d summarize what I've heard and articulate it with my top ten things that anyone who is responsible for architecting, deploying, managing and supporting an information security program should think about as they go about their jobs. This isn’t meant to compete with Rothman’s Pragmatic CSO book, but if you want to send me, say, half the money you would have sent him, I’m cool with that.
These are not in any specific order:
1. Measure Something
I don’t care whether you believe in calling this “metrics” or not. If you’ve got a pulse and a brain (OK, you probably need both for this) then you need to recognize that the axiom “you can’t manage what you don’t measure” is actually true, and the output – no matter what you call it – is vitally important if you expect to be taken seriously.Accountants have P&L statements because they operate around practices that allow them to measure the operational integrity and fiscal sustainability of a business. Since security is functional service mechanism of the business, you should manage what you do as a business.
I’m not saying you need to demonstrate ROI, ROSI, or RROI, but for God’s sake, in order to gauge the efficiency, efficacy and investment-worthiness of what you’re doing, you need to understand what to focus on and what to get around to when you can spare cycles. Be transparent about what you’re doing and why to management. If you have successes, celebrate them. If you have failures, provide a lessons-learned and move on.
You don't need a degree in statistics, either. If you want some good clue as to what you can easily do to start off measuring and reporting, please buy this. Andy Jaquith, while stunningly handsome and yet quaintly modest (did I say that correctly, Andy?) knows his shizzle.
2. Budget Isn’t Important
That’s right, budget isn’t important, it’s absolutely everything. If you don’t manage your function like it is a business burning your own cash then you won’t survive over the long term. Running a business takes money. If you don't have any, well... As my first angel investor, Charles Ying taught me, “Cash is King.” I only wish I learned this and applied it earlier.If you lead a group, a team or a department and you come to the second budget cycle (the first you probably had no control over since you inherited it) under your watch and you open the magic envelope to discover that you don’t have the budget to execute on the initiatives in your security program that align to the initiatives of supporting the business, then quit.
You should quit because it’s your fault. It means you didn’t do your job. It means you're not treating things seriously as a set of business concerns.
Whether you’re in a downcycle budget-cutting environment or not, it’s your job to provide the justification and business-aligned focus to get the money you need to execute. That may mean outsourcing. That may mean you do more with less. That may mean that you actually realize that there tradeoffs that you need to illustrate which indicate risk, reward and investment strategies and let someone else make the business decision to fund them or not.
Demonstrate what you can offer the business from your security portfolio and why it’s worth investing in. You won't be able to do everything. Learn to stack the deck and play the game. Anyone who tells you that a budget cycle isn't a game is (1) a lousy liar, (2) someone who doesn't have any budget and (3) nobody you need to listen to.
3. Don’t Be a Technology Crack-Whore
If you continue to focus on technology to solve the security “problem” without the underlying business process improvement, automation and management & measurement planes in place to demonstrate what, why and how you’re doing things, then you’re doomed. I'm not going to re-hash the ole "People, Process and Technology" rant as that's overplayed.Learn to optimize. Learn to manage your security technology investments as a portfolio of services that can be cross-functionally leveraged across lines of business and operationalized and cost-allocated across IT.
Learn to recognize trends and invest your time and energy in understanding what, if anything, technology can do for you and make smart decisions on where to invest; sometimes that’s with big companies, sometimes that’s with emerging start-ups.
Quantify the risk vs. return and be able to highlight the lifecycle of what you expect from a product. Understand amortization and depreciation schedules and how they affect your spend cycles and synch this to your key vendor’s roadmaps.
If your solutions deliver, demonstrate it. If they fail, don’t try to CYA, but refer back to the justification, see where it blew a gasket and gracefully move on. See #1 above.
4. Understand Risk
Please take the time to understand the word “risk” and it’s meaning(s). If you continue to overuse and abuse the term in conversation with people who actually have to make business decisions and you don’t communicate “risk” using the same lexicon and vocabulary as the people who write the checks, you’re doing yourself a disservice and you’re insulting their intelligence.If you don’t understand or perform business impact analyses and only talk about risk within the context of threats and vulnerabilities, you’re going to look like the FUD-spewing technology crack-whore in #3 above.
This will surely be concluded because you sound like all you want is more money (see #2) because you clearly can’t communicate and speak the language that demonstrates you actually understand what and how what you do unequivocally contributes to the business; probably because you haven’t measured anything (see #1)
If you want to learn more about how to understand risk, please read this. Alex Hutton is one wise MoFo.
5. Network
That’s a noun and a verb. Please don’t hunker in your bunker. Get out and talk to your constituents and treat them as valued customers. Learn to take criticism (see #6) and ask how you’re doing. By doing that, you can also measure impact directly (see #1.) You should also network with your peers in the security industry; whether at local events, conferences or professional gatherings, experiencing and participating in the shared collective is critical.I, myself, like the format of the various "CitySec" get-togethers. BeanSec is an event that I help to host in Boston. You can find your closest event by going here.
The other point here is that as budget swings towards the network folks who seem to be able to do a better job at communicating how investing in their portfolio is a good idea (see #1 and #2) you better learn to play nice. You also better understand their problems (see #6) and the technology they manage. If you expect to plug into or displace what they do with more kit that plugs into “their” network, you better be competent in their space. If they’re not in yours, all the better for you.
6. Shut-up and Listen
Talk with one hole, listen with two.If I have to explain this point, you’ve probably already dismissed the other five and are off reading your Yahoo stock page and the latest sports scores. God bless and call me when you start your landscaping business…I need my hedges trimmed.
7. Paint a Picture
Please get your plans out of your head and written down! Articulate your strategy and long-term plan for how your efforts will align to the business and evolve over time to mature and provide service to the business. Keep it short, concise, in “English” and make sure it has pretty pictures. Circulate it for commentary. Produce a mantra and show pride in what you do and the value you add to the business. It’s a business plan. Sell it and support it like it is. Demonstrate value (see #1) and you’ll get budget (#2) because it shows that you understand you make business decisions, not technology knee-jerks.This means that you keep pulse with what technology can offer, how that maps to trends in your business, and what you’re going to do about them with the most efficient and effective use of your portfolio.
Most of this stuff is common sense and you can see what’s coming down the pike quite early if you pay attention. If you craft your business plan and evolution in stages over time, you’ll look like a freaking prescient genius. You'll end up solving problems before they become one. Demonstrate that sort of track record and you'll have more runway to do what you want as well as what you need.
8. Go buy a Car
User or new, it doesn’t matter. Why? Because the guys and gals who sell cars for a living have to deal with schmucks like you all day long and yet they still make six-figures and go home at the end of the day after an 8-10 hour shift and get to ignore the office. They know how to sell. They listen (#6,) determine what you have to spend (#2) and then tell you how good you look in that ’84 Sentra and still manage to up-sell you to a BMW M3 with the paddle shifters and undercoating.You need to learn to sell and market like a car salesman – not the kind that makes you feel sticky, but the kind that you want to invite over to your BBQ because he had your car washed while you waited, brought you coffee and called you back the day after to make sure everything was OK.
Seriously. Why do you think that most CEO's were salesmen? You're the CEO of the security organization. Act like it.
9. Learn to Say “Yes” by saying “No” and vice-versa
Ah, no one word with so few letters inspires such wretched responses from those who hear it. And Security folks just LOVE to say it. We say it with such a sense of entitlement and overwhelming omnipotence. too. We say it and then giggle to ourselves whilst we strike the Dr. Evil pinky pose wearing the schwag-shirt we scored from the $5000 security conference we attended to learn how to more effectively security the business by promoting security as an enabler.It’s OK to say no, just think about how, why and when to say it. Better yet, get someone else to say it, preferably the person who’s trying to get you to say yes. Use the Jedi mind-trick. Learn to sell – or unsell. This is tricky security ninja skills and takes a while to master.
Having someone justify the business reason, risk and rewards for doing something – like you should be doing – is the best way to have someone talk themselves out of having you do something foolish in the first place. You won’t win every battle, but the war will amass less casualties because you’re not running over every hill lobbing grenades at every request.
10. Break the Rules
Security isn’t black and white. Why? Because despite the fact that we have binary compute systems enforcing the rules, those who push the limits use fuzzy logic and don’t concern themselves with the constraints of 1 and 0. You shouldn’t, either.Think different. Be creative. Manage risk and don’t be averse to it because if you’re running your program as a business, you make solid decisions based on assessments that include the potential of failure.
Don’t gauge success by thinking that unless you’ve reached 100% that 80% represents failure. Incremental improvement over time – even when it’s not overtly dramatic – does make a difference. If you measure it, by the way, it’s clearly demonstrable.
Challenge the status quo and do so with the vision of fighting the good fight – the right one for the right reasons – and seek to improve the health, survivability, and sustainability of the business.
Sometimes this means making exceptions and being human about things. Sometimes it means getting somebody fired and cleared out of their cube. Sometimes it means carrot, sometimes stick.
If you want to be a security guard, fine, but don’t be surprised when you get treated like one. Likewise, don’t think that you’re entitled to a seat at the executive table just because you wear a tie, play golf with the CFO, or do the things on this list.
Value is demonstrated and trust is earned. Learn to be adaptive, flexible and fair -- dare I say pragmatic, and you'll demonstrate your value and you'll earn the trust and confidence of those around you.
So there you go. One Venti-Iced-Americano inspired "Hoff's giving back" rant. Preachy, somewhat cocky and self-serving? Probably. Useful and proven in battle? Absolutely. If anyone tells you any different, please ask them why they're reading this post in the first place.
Think about this stuff. It's not rocket science. Never has been. Most of the greatest business people, strategists, military leaders, and politicians are nothing more than good listeners who can sell, aren't afraid of making mistakes, learn from the ones they make and speak in a language all can relate to and understand. They demonstrate value and think outside of the box; solving classes of problems rather and taking the parochial and pedestrian approach that we mostly see.
You can be great, too. If you feel you can't, then you're in the wrong line of work.
/Hoff