


Offer Security Options: Does the Virtual Shoe Fit?

Dec 05, 2009 | 5 min read
IT Leadership

Last time I introduced the question: Why Do Security Professionals Fail? After some background, I described the first problem, which is that security professionals are stereotyped as disablers or the people who always say “no.” I offered some tips and solutions for turning things around and developing a positive “can do” reputation.

Let’s move on. The second common mistake that I see security professionals making is to offer a “one size fits all” approach to cyber security. Instead, I encourage a “gold, silver, bronze” approach. In complex situations, you may even add a high-end platinum option or another low-cost alternative. But you also need to watch out for a few traps.

Problem #2 – Security Professionals Don’t Offer Alternative Solutions

Most security staff find it easy to see things as “black and white.” For example: either it’s encrypted or it isn’t. The common perception is that the enterprise architecture team comes up with a great design that the programmers, network staff and everyone else agree to, only to have security come in and offer their “solution,” which totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more, to the point that the project can’t move forward because of cost increases. While security staff view their answers as “can do,” others see this approach as negative once again.

If the majority in the department say that security offers only one size shoe, you’re in trouble. Overheard: “They pull out the same answer – no matter what the topic seems to be.”

At times, I tend to act this way myself. Of course, there are times when being “black and white” is certainly justified. With my kids, I want to know whether they’re telling me the truth or a lie. However, things become much more complex when it comes to cyber security at work.

For more background on this problem, as well as the cultural differences between organizations (such as how the NSA differs from the State of Michigan), you can read my earliest blogs from three years ago. What is absolutely clear to me is that passionate security professionals, who truly care about keeping information safe, think differently from most other technology professionals. Many security staff think “they get it” and everyone else “doesn’t have a clue” when it comes to securing data. This is a serious problem that has many manifestations. More on that next time with problem #3.

Solution #2: Offer a Range of Security Solutions. I call this the “Gold, Silver and Bronze Approach.”

Teri Takai, who is now the CIO in California, once challenged me on my approach to security. She was my boss and Michigan CIO when I was the CISO. She said, “What do you mean we can’t implement wireless networks? How do GM, Ford or Dow Chemical do it?” She pushed me back to the drawing board on several occasions.

So after you get over saying “no,” the next challenge is to offer a few options, if possible. Some staff might respond, “I said yes, I gave them this best-practice solution, but they said it was too expensive.” The truth is that many businesses and governments can’t afford best practices, even if those practices make the security staff feel safer. You might have to go with the low-cost or standard-practice option.

Try to offer at least three alternatives to the business. If you handle this correctly, most teams will end up picking the “silver” or middle option. The reason is that the natural inclination for most people is to balance cost with functionality and risk. More than that, they want to tell their managers that they compromised and got a “good deal” from security that won’t break the bank.

Look for other solutions from Gartner, Forrester, tech magazines or colleagues at other companies. Check with industry associations, former coworkers or outside experts who can help you assemble a range of optional solutions. Let the business select the final answer, but also help them understand the risks associated with each option. They need to sign off in the end anyway.

One gotcha: watch out for people who always pick the cheapest answer. Don’t offer alternatives that won’t work or that you can’t live with. If the mood in the room is totally low cost, make sure that the risks are obvious before deploying a “bronze” approach. If there are no acceptable low-cost options, you need to do more research on what is reasonable. You might even have to bring in an “expert from out of town” to brief everyone. If you have a bad relationship with the business, consider allowing them to pick the expert, but make sure the person has credibility in the area being discussed.

Bottom line: you want the answers to be win-win solutions. (Read Covey’s Seven Habits of Highly Effective People if you need more on this topic.) Remember that solutions must address people, process and technology alternatives, so you’ll need to get everyone on board with the final outcome.

Next time, we’ll learn about the benefits of humble pie.

Any thoughts on this topic or stories you can share?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
