Why security pros fail (and what to do about it)
Dan Lohrmann identifies 7 common security career challenges and how to solve each one
By Dan Lohrmann, CTO, State of Michigan
December 06, 2010 — CSO —
You've probably heard the phrase, "Failure is the key to success." But are security professionals really learning from their mistakes? As identity theft and online risks keep growing, is our industry rising to the challenge or repeating the miscues of the past? While security technology is improving, the bad guys also have access to better tools. So are the good guys working smarter?
Conventional wisdom says we need more staff training and technical security certifications. Others say higher salaries, a better understanding of the bad guys, more executive leadership training or more top-level executive buy-in are needed. While all of these help, I've seen security staffs with all of the above fail.
As I've traveled the world, I've identified some common traps that cause security pros to fail. What works and what doesn't in achieving the best security results? If you call yourself a security professional, here are seven lessons you need to learn. I originally examined these lessons in a series of posts on my CSOonline.com blog, where you can find expanded thoughts on each problem and solution.
Problem #1: Security Is Thought of as a Disabler
Security professionals are often viewed as the party poopers. This threatens the credibility of every security consultant. Are you bringing problems or offering solutions? Are you viewed negatively by the business?
Take cloud computing, for example. The technology world is rushing into the cloud, but while thousands of positive articles are being written about the ROI and transformational aspects of new cloud architectures, the security world is busy printing articles about why the cloud is a bad idea.
Key #1: Become a Facilitator. So what can be done? Stop saying "no" to your customers! Offer secure solutions. Be an enabler. Tell them how you will ensure that their project is delivered on time, on budget and with the right level of security. Ask yourself whether the business sees value or roadblocks in your approach.
Back in 2004, when I was Michigan's CISO, I was in the "no wireless" camp. I quoted many experts from the NSA and other three-letter agencies who said that wireless networks simply could not be protected. My boss at the time was Teri Takai, who's now California's CIO. She challenged me to deploy secure wireless, following examples from several companies. Teri's advice made me rethink my business approach. Over time, I became known as an enabler of new technology, and Michigan won awards for our secure wireless networks.
Problem #2: Security Offers Only One Solution
A second common mistake that security professionals make is to take a one-size-fits-all approach to cybersecurity. We see things as black and white—for example, either it's encrypted or it isn't.
The common perception is that enterprise architecture teams come up with a great design that the programmers, network guys and everyone else agrees to, only to have security come in and offer a "solution" that totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more—it's so much that the cost increases keep the project from moving forward. While the security staff may view providing this kind of answer as a can-do approach, others see it as creating impediments.
Key #2: Offer 'Gold, Silver and Bronze' Options. Try to offer at least three alternatives. Look for other solutions from Gartner, Forrester, tech magazines and colleagues at other companies. Check with industry associations, former coworkers and outside experts who can help come up with a range of solutions. Help the business understand the risks associated with each option, then let its members make the final selection.
One warning: Watch out for people who always pick the cheapest answer. Don't offer alternatives that won't work or that you can't live with. If the mood in the room is totally low-cost, make sure that the risks are made clear before agreeing to deploy a "bronze" approach.
You might even have to bring in an outside expert to brief everyone. If you have a bad relationship with the business people, consider allowing them to pick the expert—but make sure the person has credibility in the area being discussed.