Have you ever spontaneously started ranting about project progress – or lack thereof? Or maybe you’ve heard colleagues voice their very vocal complaints. Does this sound familiar? “Those (bleeps) just don’t get it! I seriously doubt if (a certain customer-side manager) ever graduated from high school. I’m going to hack into that (such and such) university database just to prove that he never graduated from college. His degree must be from a diploma mill….” (yada, yada, yada)

Well, perhaps you are right. You may be at the mercy of someone who is lacking brain cells, incompetent, or worse, a team of complete frauds. Then again, if you think this description seems to fit the majority of your customers, both past and present, you might want to read on and reconsider a few things. That is, at least part of the real problem may have more to do with yours truly.

First, for context, this is the fourth installment of seven blogs answering the central question: why do security professionals fail? I am attempting to address some of the softer-side issues that I have seen hurt or even paralyze security careers over the past twenty-five years. Beyond gaining CISSP certifications, attending RSA conferences, developing hands-on experience with black boxes or piling up resume credentials, how can we be more well-rounded security pros?

Blog #2 asked if the virtual shoe fits – meaning we need to offer multiple options, if possible, and not force a single approach on everyone. Blog #3 offered up a portion of humble pie that we all need to eat every so often. The reality is that pride comes before a fall in security as in most areas of life. I also answered questions last time in a related blog which offered my definition of a security pro.

So, here we are with that annoying client. Perhaps you think this person is an idiot, but you’d never say that in public. OK, maybe you would.
You’ve thought it through, and you’ve concluded that the business team doesn’t understand computer security. They don’t realize the risks they are taking. They just want to check the box quickly and move on. They won’t pay for the controls they need, and you’re being forced to try and convince the auditors to believe that you’re complying with regulations, policies and laws. Worse than that, you’ve now concluded that the business team will never get it. You’ve emotionally checked out of this project. This has led to an unspoken “us versus them” mentality at most meetings. Problem is, they’ve got the money, influence and power to make things happen. You’re tempted to go back to FUD and scare the heck out of them. You feel like punching the next person who tells you that you “lack customer focus.” You realized long ago that this client has major blind spots. There are huge holes that need to be plugged – fast. But no one seems to be listening to you. Frustration is a kind way to describe your darker feelings.

The formal competency that relates to this situation could be a lack of business acumen. But a simpler description might be:

Problem #4 for Security Pros – The Customer is Clueless – Not!

Truth be told, most professionals can relate to these feelings at some point in their career. I certainly can. The struggle between security and other parts of the business can even be compared to the right-left divide in politics. Whether you agree or disagree with Gerard Alexander’s viewpoint, he illustrates a perceived lack of respect from the other side. While I’m staying out of those politics, I want to point to the similar tension that is often the real elephant in the room during project meetings. Of course, this same customer relationship challenge applies to more than just security professionals.
I recently had a meeting with a major software provider in which we discussed impediments to getting large email migration projects completed. This expert, who has successfully finished dozens of major integration efforts, said something rather profound. “Yes, we always need to overcome people, process and technology issues, but they are not even close to being equal in difficulty. Over ninety percent of our project integration problems are really people issues.”

WOW. That’s an awfully big percentage. He was including training, culture and a whole bunch of attitude and other customer-service issues in that number, but I would place the percentage slightly lower for security. Still, that’s where the adage “perception is reality” comes from.

Before I go on, I want to address doubters. Some readers will probably disagree with me and say that there should be no “them” at all. We are all one team, working projects together. Security should be so integrated into the business that we never have these thoughts or feelings. After all, isn’t the customer always right?

My response is that this is not reality. That is akin to a one-party political system with no Republicans and Democrats fighting it out, or no discussion of contrasting ideas/perspectives within political parties. More to the point, CSOs and their teams are usually not part of the business but report to the CIO, CFO or some other separate business unit. Security is usually a separate office or practice in most large companies. In smaller organizations, security professionals may be viewed as the “expert from out of town” or, worse, from outer space. In either case, we need to be creating and implementing policies and procedures to balance security controls with business needs.

So how do we get out of this negative spiral? The answer is to really know the business.
Understand what makes them profitable and how they define success. Really understand their risks. Learn the good, bad and ugly. All of this is well documented. Many security pros can even speak the local business lingo with the best bankers, health professionals, accountants or whatever business they are trying to protect. This expertise takes time and energy to build properly.

But I want to focus in on one particular aspect of business relationships. Yes, this skill is hard to find, but it doesn’t take an MBA or a decade of industry-specific experience to get it. More than that, I am confident that security professionals can develop this ability without new (formal) classes if we are willing to change and do what it takes to constantly evolve and adapt with the business. What am I talking about?

Solution #4: Improve Customer Relations by Separating the People from the Security Issue(s)

For starters, the business is made up of people. These people have families, play golf (or another game), follow local sports teams, believe in God (or not) and go to the movies. Remembering this will help when you want to demonize them or write them off. More than that, you will separate the tough issue from the person who disagrees with you. Remember that the relationship will usually last longer than the challenge you’re dealing with on a particular project or incident. For example, in Michigan government over the past 12+ years, I have played a variety of roles and been in hundreds of meetings on various technology and security issues, events, incidents, vendor selections, new policy discussions, budget problems, cyber attacks and more. Throughout this period, I have worked with largely the same group of technology and business professionals on a variety of different topics. Have there been disagreements? You betcha! Sometimes, you need to stand your ground and not compromise on important principles.
But I try not to hold grudges or build unnecessary walls if final decisions don’t go my way. Yes, we try to build WIN/WIN solutions with customers, but if I win a tough (WIN/LOSE) argument, I attempt to immediately go out of my way to mend fences and strengthen the partnership with the customer involved. It always helps, since there is usually a “next time.” If you get together and listen to your customers over lunch, you will naturally build relationships that will outlive bad things that happen, like a denial of service attack, arguments over changes to the password policy or embarrassing audit findings.

What should be our personal goals through these encounters? A few include: building mutual respect, developing a positive, approachable reputation, being known as customer-focused and gaining an understanding of the business needs. Far too often, I see security staff win the battle but lose the war. They get their way on some important control, but anger everyone in the process. They think they are in a sprint, not a marathon. Later, they don’t understand why they lose influence and respect. One sure sign of this problem for security staff is if nothing happens without bringing in the “big guns.” If you regularly need help from someone way up the management chain to fight security battles with your customer’s senior management, you probably have customer-relationship opportunities to improve. You need to adjust your approach and/or you are not as influential as you need to be.

Of course, background checks that go bad or other security violations that are particular to one individual need to be addressed. That is a separate topic altogether. But my central point is this: the customer is (usually) not clueless – so figure out what you don’t know that he/she does. Get to know the business, one person at a time.

Next time: Cyber ethics are for security professionals too.