Early in my career, I realized that security often supported three common situations:
- People who always seek help addressing security concerns
- People who rarely seek help because they were capable and experienced enough in systems and technology (not always in security)
- People on the fence; uncertain if they need help or not, but when presented with credible, understandable information are able to make the right choice for their situation
15 years ago, the best way to handle this was hotly debated. It boiled down to two approaches:
- Share what you know to the benefit of all the groups - including the people who have the aptitude, but perhaps lack the experience
- Keep the knowledge to yourself and hope everyone comes to you
The debate centered around the risk of sharing. After all, if we share our knowledge, people might actually practice security… without us. To some, that was a nightmare. Especially if they got it wrong. It also was and is myopic.
Considering the rapid growth of the industry and myriad of changes, the three basic situations and two approaches are still valid.
Except the debate of approach is over. To be successful in security, share your knowledge. The more effective at sharing, the more successful you'll be.
When faced with the choice in my career, I opted to share. Sometimes that was a scary decision. Along the way, I learned that sharing and teaching others is the best way to learn.
What happens when you share with people who know more?
A little over a decade ago, I was challenged to put this philosophy to the test. I was leading a CISSP review class. We'd covered the basics of cryptography, and it was time to explore DES.
As I stood to the side of the projection screen, I advanced the presentation to a visual flow chart. There were no labels on the chart, but it depicted one of the operating modes of DES.
With a sly smile, I surveyed the room and asked, "Who knows what this is?"
The standard response was silence and the look of sheer panic as the room full of CISSP hopefuls realized they were expected to KNOW this. And they didn't.
Well, this class was for the government. With people who'd forgotten more about cryptography than I knew. A guy in the second row looked up, smirked at me, and calmly explained, "That's cipher block chaining."
At first, I was impressed. And then it hit me. I was supposed to teach some of the best in the world at cryptography about cryptography. Ironic, perhaps.
In that first class and the others that followed, I often came across experts happy to point out something I missed or got wrong. I'd always acknowledge them, offer to buy them lunch, and ask them to teach me.
My approach to share what I knew morphed into the desire to learn what I didn't know. More, it created the environment for someone else to share their knowledge and experience with me.
After they taught me, I'd spend some time making sure I could explain it to others. Then I'd run it by them, and ultimately, the entire class.
Not only did I learn and get better, everyone else did, too.
The hidden benefit of sharing
When you share what you know, sometimes the other person knows a different part. Or they actually know more. With an open mind, it's a fantastic opportunity to learn. Blending our knowledge and experience leads to more understanding and better solutions.
The practice of sharing (and learning) tends to reinforce itself, too.
People are smart. Security, especially now, is top of mind for a lot of people. Sharing our knowledge with them creates the environment for them to share what they know with us.
It's broader than teaching security courses. This same strategy works with colleagues and clients. It works in any organization, and in most situations.
The more we share, the more we learn. It surfaces new challenges, but also provides new and different solutions.
Why sharing helps everyone
When we share what we know, the people that always rely on us confirm their decision to ask for help. Over time, they get a better sense of when and how to engage. Maybe they even start to take on responsibility for what becomes more common.
The folks with the right aptitude and experience (and rarely seek help) can learn from us. This means they are more likely to make better decisions and take the right actions when it comes to security. Better, they know that if they have a question, they can ask and get an answer instead of a lecture.
The people on the fence always seek information to help them decide. We can help them make the right decision, even if that means they don't need to work with us.
By learning to share more openly and effectively, we enjoy more success. Ultimately, we learn more about the challenges we need to focus on. We free up the time and focus to address new and complex challenges.
To be successful in security, share what you know. All of it.