The hardest part of mountaineering is descending from the summit

The current mindset and methodology around information security focuses around climbing the mountain and reaching the summit.  There is hardly any focus on how you descend from the summit, go back to the valley, and plan for the next ascent and descent.  Those are the most difficult parts.

The project-based methodology that has permeated information security, and IT in general, focuses on aiming toward a “go-live”/summit, i.e. a point where the system is fully live and we are at the top.  There is little focus in maintaining systems or keeping them maintained after go-live, i.e. the descent.  This is an area that we need to change if we are to improve.  One of the best ways to do it is through a focused and dynamic team.

One of the major challenges in staffing your Information Security organization is finding the right people.  Owing to the changes in Information Security over the past few years, organizations have evolved from having a purely technical security team to being part of the business.  This means that the team members you need also need to have an awareness and understanding of this. 

The risks have not changed.  The marketing around them has.  The reason we have many of the issues we do today isn’t because of NSA-quality hackers exploiting vulnerabilities that only they knew about.  It’s because we treat Information Security initiatives like projects.  We do what we need to go-live, have the party and cake, and move on to the next one, forgetting what’s needed to descend from the summit and plan for the next trip, i.e. plan to maintain the system and operate it through a lifecycle while continuing to identify and mitigate risks and vulnerabilities.  This puts us in a dangerous spot and opens our organizations to unnecessary risks.

While there still will be NSA-quality hackers in every nation, especially North Korea, China, Russia, Israel, and our coalition partners, the majority of data breaches and hacks don’t require that level of skill.  They require a lot less, and not paying attention during the descent, after go-live, exacerbates small problems and makes them very large.  The recent case of Equifax having a large data breach because, in part, of an easily patchable flaw is the perfect example of this.

What do we need to change?

What we need to change here is how to build a team that can educate the rest of the organization in what they need to do to not only reach the summit, but how to descend and move on to the next challenge.  Our internal customers understand the risks.  However, they need partners to work with them and guide them through the process, like climbing and descending from a mountain or cliff.  These partners include our third-party vendors and suppliers, who we now expect a lot more from as we set expectations of partnership and an ongoing relationship with them as a prerequisite.  Most importantly, they include the Information Security team, which will interface with them daily.

We’re going to discuss this in several areas.  First, we will look at how the role has changed.  Next, we will go into the role characteristics.  We will then go into why these changes have occurred.  Then, we will discuss how this changes the role.  Finally, we will discuss employee engagement and retention, and how this plays into keeping your team.

What we hope to accomplish is to a greater understanding of how you can build and staff a great team that can effect change across an organization.  We also want to educate not just ourselves.  We want to educate our partners in Human Resources, staffing, and the business.

A key item to keep in mind is that the current mindset and methodology focuses around climbing the mountain, disbanding the team, and then moving on to the next item.  The sales/marketing cycle doesn’t help us with constant alarms and vague threats about what happens when you don’t use their products.  There are a lot of organizations that buy into this approach.  However, it doesn’t work for a true risk-based approach.  What it does is it buys a feel-good message to allay the fears of a few managers, but truly does not address root causes.

Risk-based is the approach that we need to have as part of the change of the security role.  Information Security, at its onset, was about working within infrastructure to configure systems to be more secure.  This was before the onset of additional regulations such as the Health Insurance Portability and Accountability Act, better known as HIPAA, or Sarbanes-Oxley. 

HIPAA, in particular, requires that organizations not only undergo a risk assessment at least yearly, but they also need a plan to address and correct any issues discovered, while continually monitoring for and addressing them.  It also covers three key areas in the Privacy and Security Rules, which are Administrative, Technical, and Physical.  The need to cover technical and non-technical issues in concert with a wide variety of staff started the transformation of the role.  Requiring the Risk Assessment as part of attesting to Meaningful Use of Electronic Medical Records as part of the HITECH Act of 2009, and basing an organization’s ability to receive incentive payments for it also helped transform the role into a true multi-dimensional one in the healthcare space.

What are the new role characteristics for team members?

Based on the additional responsibilities, there are new additional role characteristics that Information Security professionals need.  We are looking for strong communicators and presenters, on the level of a junior executive or recent Top 50 MBA graduate.  We want these people to have empathy, and excellent customer service skills.  We value active listeners who have great collaborative communication skills.  We also want people with business knowledge, and who can learn how the business operates.  They also need exposure to risk, accounting, and especially Audit.  They also need to know project management.

The most important item of all is that they need to learn constantly and pick up new areas constantly.  A major part of security, and technology in general is continual evolution.  Team members need to be willing to commit to this.  They are the sherpas that work with organizations to imbue them with continual risk management, as opposed to people that just drop in every few months.  Continuity is key to addressing risk.

This changes the role in one very important way.  When you examine the root causes of some of the largest data breaches in history, specifically OPM, Equifax, JP Morgan, and several others, almost every single one was preventable through good systems maintenance, and keeping components, operating systems, and applications up to date with supported versions and security patches.

A major cause of these issues is that the business does not understand or is not equipped to deal with maintaining systems past go-live.  A number of businesses, during the capital budgeting processes, will cut out maintenance and upgrades as part of overall systems cost to increase the Return on Investment, and the probability that their entries will be picked.  Software and hardware vendors who claim no IT involvement are also guilty.  This lulls the business into a false sense of security, while the applications and systems that support them get old and unmaintained, putting the organization at risk. 

This turns security into a business issue, as businesses as a whole do not understand what needs to be done to properly maintain and secure systems.  There is a lot of confusion out there over how to take a risk-based approach.  The plethora of products and snake oil being sold to C-suites across the world shows that the business side of the house does not understand this.

How do we address security issues in the business using this?

To address this, we need teams that can integrate with the business and explain and communicate these items to them.  Communication has seldom been a strong suit of Information Security professionals.  Those who can explain it are in very high demand.  Those who are empathetic, trusted, and have excellent customer service skills are not only going to be able to explain these issues, they will be trusted by people outside of InfoSec to work with them.  We need to keep and retain these people as long as we can to maintain continuity.

People aren’t going to give accurate information on where risks really are to someone who they cannot build rapport with, know well, or be assured that their job is in jeopardy for reporting issues to.  They’re going to work with people who can work with them and who empathize with their situation.  They do not respond well to Fear, Uncertainty, and Doubt, big egos, or their corresponding big attitudes.  What they respond to are results, empathy, and a willingness to see the situation through their eyes to come up with solutions that work and are willing to work side by side to see these resolutions through.

Customer Service and Communication change the role, not reminding everyone what an OCR fine is and potential liability.  Information Security professionals need to be fully integrated into the business, not just off in an area where no one sees them.  We need to educate, understand, actively listen, and collaborate at all levels of an organization.  While there are parts of our business that we cannot disclose, especially investigations and confidential business development, we can open up about everything else.  If we keep keeping secrets or not explaining why we make the decisions we do, we will be worked around.  Shadow IT is a symptom of this. 

We need team members that want to work to find evidence-based root causes, and who can articulate them to their stakeholders, so they understand.

Most importantly, we need people who can help guide others down the mountain to effect change.  We are asking people to change how they do business.  To improve security using a risk-based approach, we need people who can communicate and address real root causes well.

How does employee engagement fit in?

These team members are not common.  Employee Engagement, which has been undervalued previously, needs to be a primary focus.  If you do not do this well, someone else will with your team members.  You need to directly address issues at the onset.  You need to make sure that you communicate well with your team, and be laser focused on comments, survey scores, and issues.  It’s about knowing what the environment is and actively working to build a better one constantly that aligns with the business goals. 

Part of this involves constantly developing the team and their skills.  You have to stay current and understand the security environment very well.  You also need to understand what they are all doing and why.  You have to find opportunities for them to learn more.  Don’t restrict yourself to opportunities within just IS or Security.  Look for leadership development opportunities within your organization where team members from different areas can collaborate.  You also want to strongly encourage presentations and interactions with outside peer groups and organizations such as ISSA, local universities, the CISO Executive Network (if your city has one), local security groups, (ISC)^2, and your local BSides organizations as part of your educational and development plans.

One of the best areas that you can use to develop employee engagement is to include it in part of the security plan.  A good enterprise security plan will address communication, education, and resource planning.  It will help you in making sure that your team members are on the right projects and right educational plan to help them move forward, and that they are on projects that will move them forward.  

It will also make sure that they are interfacing with the right people to gain exposure to the organization and industry.  A good plan helps you understand the peaks and valleys and show that you are not only dedicated to completing projects, but also planning out paths for your team that move them upward.  You want your team to climb and descend many mountains and demonstrate that you are planning to do so with them.  If you think of your team members on a project by project basis, they will not be as engaged and will leave for better opportunities.  If you build a team that focuses on the long term, you will get a team that learns the business, stays longer, and wants to grow and develop together.

Conclusion – It’s about the ascent and descent

Climbing mountains is not a one-time occurrence.  You have to both summit the mountain and descend to plan the next ascent.  While there is a thrill to reaching the top, you need to think about how you’re going to get down safely, maintain the systems, and plan for the next trip.  Organizations need Sherpas, i.e. the Information Security team, to help them through that process.  Current thinking in IS is mainly project-based.  If you think of this as a continual process and think it all through at the same time, you will be in a better position.  However, to do so, you need to have the right team members interacting and communicating with your organization.  You need to develop a different set of skills than traditional teams had in the past and integrate them more with the business.  The goal is to have a team climbing to new goals and being able to descend safely and securely.

[This blog post was inspired by a sermon from Rev. Rob Fuquay, Senior Pastor at St. Luke Presbyterian Church, Indianapolis, Indiana on Sunday, March 18, 2018.]