Offer Security Options: Does the Virtual Shoe Fit?

Last time I introduced the question: Why Do Security Professionals Fail? After some background, I described the first problem, which is that security professionals are stereotyped as disablers or the people who always say "no." I offered some tips and solutions for turning things around and developing a positive "can do" reputation.

Let's move on. The second common mistake that I see security professionals making is to offer a "one size fits all" approach to cyber security. Instead, I encourage a "gold, silver, bronze" approach. In complex situations, you may even add a high-end platinum option or another low cost alternative. But you also need to watch out for a few traps.

Problem #2 - Security Professionals Don't Offer Alternative Solutions

Most security staff find it easy to see things as "black and white." For example: either it's encrypted or it isn't. The common perception is that the enterprise architecture team comes up with a great design that the programmers, network guys and everyone else agree to, only to have security come in and offer their "solution," which totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more, to the point that the project can't move forward because of the cost increases. While security staff view their answers as "can do," others once again see this approach as negative.

If the majority in the department say that security offers only one size shoe, you're in trouble. Overheard: "They pull out the same answer - no matter what the topic seems to be."

At times, I can tend to act this way. Of course, there are times when being "black and white" is certainly justified. With my kids, I want to know whether they're telling me the truth or a lie, etc. However, things become much more complex when it comes to cyber security at work.

For some more background on this problem, as well as the cultural differences between organizations (such as how the NSA differs from the State of Michigan), you can read my earliest blogs from three years ago. What is absolutely clear to me is that passionate security professionals, who truly care about keeping information safe, think differently from most other technology professionals. Many security staff think "they get it" and everyone else "doesn't have a clue" when it comes to securing data. This is a serious problem that has many manifestations. More on that next time with problem #3.

Solution #2: Offer a Range of Security Solutions. I call this the "Gold, Silver and Bronze Approach."

Teri Takai, who is now the CIO in California, once challenged me on my approach to security. She was my boss and Michigan CIO when I was the CISO. She said, "What do you mean we can't implement wireless networks? How does GM, Ford or Dow Chemical do it?" She pushed me back to the drawing board on several occasions.

So after you get over saying "no," the next challenge is to offer a few options, if possible. Some staff might respond, "I said yes, I gave them this best practice solution, but they said it was too expensive." The truth is that many businesses and governments can't afford best practices, even if they make the security staff feel safer. You might have to go with the low cost or standard practice.

Try to offer at least three alternatives to the business. If you handle this correctly, most teams will end up picking the "silver" or middle option. The reason is that the natural inclination for most people is to balance cost with functionality and risk. More than that, they want to tell their managers that they compromised and got a "good deal" from security that won't break the bank.

Look for other solutions from Gartner, Forrester, tech magazines or colleagues at other companies. Check with industry associations, former coworkers or outside experts who can help with a range of optional solutions. Let the business select the final answer, but also help them understand the risks associated with the various options. They need to sign off in the end anyway.

One gotcha: watch out for people who always pick the cheapest answer. Don't offer alternatives that won't work or that you can't live with. If the mood in the room is totally low cost, make sure that the risks are obvious before deploying a "bronze" approach. If there are no low cost options that are acceptable, you need to do more research around what is reasonable. You might even have to bring in an "expert from out of town" to brief everyone. If you have a bad relationship with the business, consider allowing them to pick the expert, but make sure the person has credibility in the area being discussed.

The bottom line on this: you want the answers to be WIN:WIN solutions. (Read Covey's Seven Habits of Highly Effective People if you need more on this topic.) Remember that solutions must address people, process and technology alternatives, so you'll need to get everyone on board with the final outcome.

Next time, we'll learn about the benefits of humble pie.

Any thoughts on this topic or stories you can share?


Copyright © 2009 IDG Communications, Inc.