By setting yourself up as the defender, the solver of problems, you cast your business colleagues as hapless victims or, worse, threats. This is not a useful construct for engagement.

There's this belief among a lot of security professionals that we are special, in that we are the defenders of our companies. We like to think we hold ourselves to a higher standard of care than our coworkers. If not for us, the thinking goes, our companies would crash and burn in horrible ways. Breaches would run rampant. Data would be stolen left and right. Cloud environments would be filled with adversaries. Enterprise systems would be locked up by ransomware. Without our heroic efforts, those things would be happening all the time! We are the defenders!

Except we aren't the defenders. We might be defenders, but we aren't the only ones. Our DevOps teams defend reliability all the time. Our lawyers protect us from liability. Our product managers and sales teams protect our paychecks (maybe they're the real heroes). In setting ourselves apart in our own minds, we set ourselves apart in practice. While we like the heroic feeling it gives us to be the defenders, it has a lot of downsides.

In taking on the mantle of a hero, it's necessary to project roles onto others. Some people need to become villains (that evil product manager who dares to launch a product that might not be perfect, or the negligent engineering manager who doesn't halt their feature pipeline to patch every component they own), while others become cast as victims without agency (those woeful users who click on links, or the executives who just don't know enough to make better risk decisions). We begin to look down on all of them, because we know so much more than they do.

Nothing could be further from the truth. InfoSec professionals do tend to have deep, highly specialized knowledge. But most of us are still struggling to understand how our businesses make money. We find the marketing pipeline to be pretty opaque. The list of business functions that we don't understand is far longer than the ones we do. And when we approach those organizations with well-meaning but brusque guidance, things don't go well. Consider the last time you were working on a project where you were responsible. At some point, someone with no vested interest, no skin in the game, gave you some outlandish advice. On paper, in theory, that advice might have worked in some other situation, but not in yours. Well, that's exactly how our business partners often view us: as arrogant experts who don't have the practical experience to judge how useful their advice isn't.

Be the supportive sidekick

Instead of thinking of ourselves as heroes—we aren't Wonder Woman, or Batman, or Superman—it's time to think of ourselves as sidekicks. On a good day, we help someone else make wiser risk choices, and those choices result in more profitable outcomes for everyone. But it is someone else who is the hero; we just hold their cape and refill their utility pouch. How do we do that? It begins with some humility. Most people in our profession work in cost centers. To the rest of the company, we are a drag on the business, and while we like to talk about business enablement, our first goal has to be removing the business impediment we've become.

Are you responsible for product security? Engage the software architects who write the code and teach them how to do their own safety and security reviews earlier in their process. They'll find, and fix, far more flaws than you ever would looking from outside. Embed tools in their DevOps process that empower them, rather than adding tools that focus on helping your team criticize their team.

Maybe you're focused on IT security? Recognize that phishing, as a problem, is the fault of IT, not the end users. Stop focusing on gotcha metrics like "phishing click rates" and work to improve your architecture. Why is phishing a problem? Have you not yet implemented FIDO-MFA? Is lateral admin movement so easy in your environment that you can't afford a single machine compromise? Work on those challenges and stop wasting energy on blaming the users.

No matter what part of the business you support, start learning what they need to do to get the job done. Identify opportunities where you can get out of their way first, and then look for ways to help improve their processes to be faster and safer. But stop trying to be the hero, and start celebrating their successes, even if all you did was get a little bit out of their way.