


Problem #3 for Security Professionals: Not Enough Humble Pie

Jan 09, 2010

I’m continuing our series on why security professionals fail. My first post on this topic focused on the widely held perception that security professionals are disablers. The second post addressed the problem that security answers are too often offered as an “all or nothing” approach: we need to offer more options and develop a menu. Now we move on to the third problem. Let’s tackle that great characteristic that everyone deals with in every office: attitude.

No matter the activity, attitude makes a huge difference in relationships at both home and work. Have you ever seen someone hired mainly for their attitude? I have. One executive said, “I’d rather have an employee with a good attitude and average skills than an employee with great skills and a poor attitude.” 

No doubt, customers across the globe will agree that they would rather work with someone who has a positive, friendly, humble, patient attitude. Unfortunately, this description does not fit many security professionals – except when they are talking to other security professionals. Rather, we tend to demand urgent action from our customers for “sky is falling” security priorities. We preach against fear, uncertainty and doubt (FUD) – but we don’t practice what we preach. Why? Because (regularly updated) FUD usually works.

Not only do we believe that legal compliance, dark side hackers, malware problems, third-world threats and identity theft are serious top business risks that must be addressed, we act as if they are the only problems truly worth fixing. Worse than that, we proudly demand immediate action with threats of new 9/11s if we don’t get our way. We stomp around the enterprise with recent headlines that prove our point. We come off as arrogant. Bottom line, we forget our place and the reason for our actual existence.

OK, maybe I exaggerated a bit. I wanted to get your attention in this area. Nevertheless, it is true that this is how most security professionals are perceived by everyone else. And yes, perception is reality.

Problem #3: Security Professionals Often Come Across as Either Unusually Proud or Overconfident

Now don’t get me wrong here. I’m not saying that security professionals never smile or tell jokes. Some of us are extroverts and some are introverts. Some people can “spin” with the best sales staff in the company, while others stand in the corner with arms folded. That’s not what I’m talking about.

I’m referring to a tendency to act as if we are above everyone else and/or hold a secret trump card. Over time, security professionals can obtain a reputation for not having to go through the same processes and procedures as everyone else in the enterprise for funding or project approvals. We may not offer a return on investment, but we demand “crisis intervention.”

Security decisions may also seem mysterious to other technology professionals, since the reasons behind certain key decisions may be held in confidence – often for good reasons. For example, a personnel matter that can’t be shared may precipitate a change in background checks for everyone. This “out of the blue” exec reaction may be viewed negatively by others in the office.

Going further, when security projects don’t work or can’t stop the bad guys as expected, the rules seem to be applied differently for security professionals than for everyone else. Overheard: “If my project went like that, I would be fired or my project canceled. The security guy was given more funding. That (bleep) always over-commits and under-delivers.”

Even when projects do work well, the results don’t seem to satisfy the original objectives or solve tomorrow’s problems. OK, perhaps malware has changed and gotten worse, but others point back to promises made two years ago and perceive those proud statements as arrogant. Overheard two years ago: “If we do this xyz project, we will be the safest company on the globe with the most secure internal network that can’t be penetrated by anyone.”

Beyond internal relationships, security staff can, somewhat surprisingly, feel that their tactics and practices are better than they actually are. An external penetration test will often show staff how far they truly have to go.

Solution #3: Display Genuine Humility with Professional Excellence

The Biblical wisdom “pride comes before a fall” needs to be foremost in the minds of security professionals. There are several aspects to this truth, but it starts with believing it is true. For one, the bad guys are always getting better and trying to get in. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and when you are “done.” What worked today may not work tomorrow. In this light, be careful about the promises you make to others regarding security and the protections you are deploying.

Second, treat others as you would have them treat you. Gaining a different perspective on your infrastructure can help in this regard. As Michigan’s current CTO and Director of Infrastructure, I definitely see the “other side” to hundreds of technology situations and issues. It is natural to think your reasoning is balanced, but is it really? While I am still a security advocate, my perspective on security professionals changed when I switched roles. I was able to see many of my previous blind spots. No doubt, I now have new blind spots – and humility can help that.

To illustrate this point, think of someone who watches a few TV shows or reads a few articles online about living in Europe. Afterward, they immediately go around the office and act as if they are the expert on all things European. The fact that others lived in Europe for many years and disagree with many of the pronouncements doesn’t seem to affect this person’s behavior. In the same way, system administrators, networking engineers and others feel as if security professionals are a fish out of water – unless the security professionals can approach them humbly and with tact.

Lastly on this point, get different perspectives. Good security involves trust and positive relationships with business staff and other technology professionals company-wide. Do lunch, get together and bowl, play on the company softball team. These experiences will make you a more effective, well-rounded professional.

I could go on further, but there are many books on this topic. If interested, read Covey’s Seven Habits of Highly Effective People as a start. It is true that the need for this character trait is relevant for all of society, but I have seen more security professionals fail in this area when compared to other technology professionals.

Next time, do you understand (or care) about the business? Really?

What are your thoughts about attitude and humility amongst security professionals?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
