Why do security professionals fail? As Michigan’s current CTO and Director of Infrastructure Services, I’m very interested in this question. As the former CISO for almost seven years, I’ve also been studying this question for quite a long time. I’ve been observing those who succeed and those who often seem to fail to achieve their goals from various perspectives. I’ve managed individuals who sell and/or implement security solutions as well as IT staff who rebel when the security experts show up. I’ve chronicled the good, the bad and the ugly.
So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you.
I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need to pay Information Assurance (IA) staff better, gain a better understanding of the bad guys, provide more executive leadership training or get more top-level executive buy-in. Of course, I support all of these items – who can argue against more executive buy-in?
Nevertheless, I’ve seen security staff around the country with all of the right boxes checked, and others with none of the above, be successful. For example, some people are able to obtain the executive buy-in for security when they don’t initially have it, while others who initially have significant executive buy-in either lose that support or can’t seem to use this advantage to get closure on key security projects.
The corollary is also true. I’ve seen security professionals with all of these positive attributes fail miserably. The reality is that most of these items are outside of your control when you show up and become a member of a security team. Yes, you can choose where to work and decide if a company offers the right training, pay or other opportunities. But in today’s tough job market where salaries and benefits are being cut, your choices may be limited.
CSOs often joke that they want the job right after a major breach and the loss of millions of dollars. The last guy gets fired and you come in with all of the leverage and resources to get the job done right. However, this is a rare situation, and most security staff find themselves with a mixture of good and bad in their current situation.
So what can you do? What character traits matter most in determining successful security professionals? What practical steps make a positive difference? Over the next several months, I’d like to offer you seven “can do” solutions. In this initial post, I will focus on the first and perhaps most important item in my view.
Before I give my list of reasons I think professionals fail, I want to list a few caveats. I am presuming that you have certain basic skills and a professional resume. You can truly call yourself a security professional. If you don’t know the difference between an encrypted laptop and SSL, you’d better go back to the basics. And yet, my guess is that most people reading this article already know plenty of cyber facts. The Internet is full of thousands of articles on training, certifications, information assurance careers, and the like. I am attempting to move on to “the rest of the story.”
Problem #1 - Security Professionals Are Known as Disablers
What’s the problem? Security professionals are often viewed as the “party poopers.” This problem is very serious and actually threatens the credibility of every security consultant. Are you bringing problems or solutions? Are you viewed negatively?
An industry example of this involves cloud computing. Most of the technology world is rushing into cloud computing. While thousands of positive articles are being written about the ROI, cost-saving opportunities and transformational aspects of new cloud architectures, the security world is busy printing articles about why cloud computing either won’t work, is a bad idea, or will lead to more identity theft, security problems, and richer, fatter bad guys. But can our cyber security situation actually get much worse than it is now?
What’s worse is that security professionals only read the bad news online while the rest of the technology community reads the good aspects of cloud computing. Most security experts are feeding themselves the wrong intellectual food. (Tip 1: read more about the positives associated with new technologies and not just how easy it is to hack.)
Solution #1 - Be Known as an Enabler
So what can be done? Stop saying “no” to your customers. Offer secure solutions. Be an enabler. Answer the question: how can we ensure that this new project is delivered on time, on budget, and with the right level of security? Be known as a “can do” person, not a “Puddleglum” (read C.S. Lewis if you don’t know this character).
At one level, this advice seems obvious. But I challenge you to do lunch with a customer who will talk openly and honestly with you about your professional image. Ask them these types of questions: how am I perceived? Why doesn’t “xyz” (fill in the blank with a business client who doesn’t get along with you) like me? Why doesn’t “abc” (fill in the blank with someone else who is well-regarded but avoids you) respect me? Ask probing questions. Get different perspectives.
Your goal is to find out how well-balanced you are. You want to be known as an enabler. Hopefully you agree that you want to be characterized as someone who is fair and well-respected by the majority. In my experience, security personnel are often discounted as too pessimistic and negative. If, on the other hand, you find that you are viewed as an enabler, ask about your security organization and others around you. Help those who need to change this aspect of their security approach, since the organizational image also impacts your career.
No doubt, successful security programs result from successful people, processes, and technology. There are many aspects of our jobs that we cannot control. But I suggest taking a hard look at what you can control and making any necessary changes to your approach as a first step. Be an enabler, and you’ll deliver better security.
What are your thoughts on characteristics of successful security professionals? Why do security professionals fail to achieve their desired professional goals?