Implementing a sustainably effective security strategy is complex and challenging for even the most advanced organization. Organizations don’t operate in a vacuum. They rely on information and intelligence from others in the industry, including vendors, media reporting, government agencies, and their organizational peers. This expanded information ecosystem is a powerful benefit to organizations, extending their horizon and aiding them in meeting today's security challenges while bolstering defenses against those marching over the digital hill toward them.

As new ideas and ways of thinking about security emerge, navigating the available information sources and distilling complex problems well enough to maintain a strong comprehension is becoming increasingly challenging. Amplifying this challenge is the question of how far to trust the information's source. Understanding the content and its context, including any nuances, and interpreting how the topic pertains to your individual situation is fundamental to forming an opinion.

However, just because something is being said does not necessarily mean it is accurate and should be accepted at face value. To develop an informed opinion, information from a variety of sources must be considered, and appropriate weighting should be applied before a conclusion is reached. Closely related to trust is influence. When a source is influential, it is often inferred that it is also trustworthy. However, the existence of influence does not by itself make that so.

“Trust, but verify,” a Russian proverb taught by Suzanne Massie to former US President Ronald Reagan, who emphasized it continually during nuclear disarmament discussions with the Soviet Union, applies well to our conversation. With so much security information available across so many different mediums, we each develop our own go-to sources to help build awareness and understanding quickly. Our trust in these sources builds over time, accelerated by the level of influence and reputation they possess.

While it is right to develop these trusted sources, it is equally important to continuously evaluate whether that trust is still warranted, to avoid potential bias. Taking a critical view of information from multiple viewpoints, including the media sharing leading-edge content, vendor and threat researcher analysis, and security industry organization advisories, will help generate more comprehensive opinions and increase confidence in any decisions made based on them.

Developing and balancing trust and influence

The elements of comprehension, trust, and influence must be balanced differently depending on whom you're communicating with and each party's role in the discussion. For example, the discussion between a SOC Manager and the CISO would be considerably different from the conversation between the CISO and the CEO. Their shared contextual understanding would allow the SOC Manager and the CISO to discuss, in specific detail, a risk that exists and the technical controls that could be used to mitigate it. When discussing the same risk with the CEO, the CISO would be better served by describing the outcome of risk mitigation activities in less technical terms and instead focusing on the business impacts of any residual risk.

In both conversations, trust will play a central role. As the relationships between each of these people are established, the level of trust will develop with them. At the beginning of the relationship, the level of trust will be lower and, over time, will increase based on many dynamics, including past performance, efficacy, personality, and reputation. As trust in the relationship builds, so will the confidence placed in, and weighting given to, each other's opinions. In our previous example, as trust between the SOC Manager and the CISO increases, each person gains confidence that the other is working with them toward the same goal. With a mutually trusting partnership, each side can feel more comfortable discussing complex and sensitive topics with less hesitation and more optimistic expectations.

Alongside this journey of building trust is the development of influence. Without influence, trust will only motivate action so far. This is especially true when communicating across departments and specializations. To effect more significant change, being trusted while also wielding strong influence can allow action beyond your station. Like trust, though, the ability to influence is established over time and must be earned. While these elements are still being developed, communicating with honesty, integrity, courage, and respectful boldness will still empower you to raise issues. Continuing with our example, once a level of trust is established between the CISO and the CEO, the discussion can benefit further from increased influence, such as when a larger budget is needed. With the CEO trusting that the CISO is effectively working toward reducing the company's security risk, the CISO can positively (and ethically) influence the CEO to increase budget allocations for the security initiatives recommended by the SOC Manager.

Unfortunately, change may not always occur as fast as you hope, and that delay is where the real challenge arises. Everyone develops trust in others at their own pace, which must be respected even when it is frustrating. The onus is on each of us to keep proving that we deserve trust and, even once we have it, not to take offense when questioned but to actively engage in critical analysis in the everlasting drive toward well-informed and considered opinions and decisions.

As we collectively move toward a more effective approach to security, developing and expanding knowledge through continuous education and critically consuming information on new challenges and approaches will serve each of us well. By remaining well-informed, it becomes easier to evaluate security plans, including the effectiveness of solutions and controls in place and any new product evaluations. This leads to decreased waste and complexity attributed to ineffective or inappropriate tools and a stronger, more resilient posture.

