Last time I introduced the question: Why Do Security Professionals Fail? After some background, I described the first problem, which is that security professionals are stereotyped as disablers or the people who always say "no." I offered some tips and solutions to turning things around and developing a positive "can do" reputation.

Let's move on. The second common mistake that I see security professionals making is to offer a "one size fits all" approach to cyber security. Rather, I encourage a "gold, silver, bronze" approach. In complex situations, you may even add a high-end platinum or even another low cost alternative. But you also need to watch out for a few traps.

Problem #2 - Security Professionals Don't Offer Alternative Solutions

Most security staff find it easy to see things as "black and white." For example: either it's encrypted or it isn't. The common perception is that the enterprise architecture team comes up with a great design that the programmers, network guys and everyone else agree to, only to have security come in and offer their "solution" which totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more - to the point that the project can't move forward because of cost increases. While security staff view their answers as "can do," others see this approach as negative again.

If the majority in the department say that security offers only one size shoe, you're in trouble. Overheard: "They pull out the same answer - no matter what the topic seems to be."

At times, I can tend to act this way. Of course, there are times when being "black and white" is certainly justified. With my kids, I want to know whether they're telling me the truth or a lie, etc. However, things can become much more complex when it comes to cyber security at work.

For some more background on this problem as well as cultural differences between organizations (such as NSA differences from the State of Michigan), you can read my earliest blogs from three years ago. What is absolutely clear to me is that passionate security professionals, who truly care about keeping information safe, think differently from most other technology professionals. Many security staff think "they get it" and everyone else "doesn't have a clue" when it comes to securing data. This is a serious problem that has many manifestations. More on that next time with problem #3.

Solution #2: Offer a Range of Security Solutions

I call this the: "Gold, Silver and Bronze Approach."

Teri Takai, who is now the CIO in California, once challenged me on my approach to security. She was my boss and Michigan CIO when I was the CISO. She said, "What do you mean we can't implement wireless networks? How does GM, Ford or Dow Chemical do it?" She pushed me back to the drawing board on several occasions.

So after you get over saying "no," the next challenge is to offer a few options, if possible. Some staff might respond, "I said yes, I gave them this best practice solution, but they said it was too expensive." The truth is that many businesses and governments can't afford best practices, even if it makes the security staff feel safer. You might have to go with the low cost or standard practice.

Try to offer at least three alternatives to the business. If you handle this correctly, most teams will end up picking the "silver" or middle option. The reason is that the natural inclination for most people is to balance cost with functionality and risk. More than that, they want to tell their managers that they compromised and got a "good deal" from security that won't break the bank.

Look for other solutions from Gartner, Forrester, tech magazines or colleagues at other companies. Check with industry associations, former coworkers or outside experts who can help with a range of optional solutions. Let the business select the final answer, but also help them understand the risks associated with the various options. They need to sign off in the end anyway.

One gotcha: watch out for people who always pick the cheapest answer. Don't offer alternatives that won't work or you can't live with. If the mood in the room is totally low cost, make sure that the risks are obvious before deploying a "bronze" approach. If there are no low cost options that are acceptable, you need to do more research around what is reasonable. You might even have to bring in an "expert from out of town" to brief everyone. If you have a bad relationship with the business, consider allowing them to pick the expert - but make sure the person has credibility in the area being discussed.

Bottom line on this, you want the answers to be WIN:WIN solutions. (Read Covey's Seven Habits of Highly Effective People if you need more on this topic.) Remember that solutions must address people, process and technology alternatives, so you'll need to get everyone onboard with the final outcome.

Next time, we'll learn about the benefits of humble pie.

Any thoughts on this topic or stories you can share?