Anger. Frustration. Despondency. Hopelessness. Capitulation.
These are typical feelings experienced by infosec pros, as they deal with careless end users, impatient executives, emerging technology, budget constraints and understaffing.
“It’s tough out there,” said Mike Rothman, president of Securosis, an information security and analysis firm.
At the beginning, infosec pros worked mostly in obscurity, but the opposite is now true, he said during his keynote “Only the STRONG Survive” at the Qualys Security Conference in Las Vegas.
The spotlight is shining brightly on them, as C-level executives and board members worry about hackers and the fallout from a major data breach. This means that infosec pros must be able to understand their organization’s business goals and strategies, and communicate with business leaders.
“You do security but you’re a business person,” Rothman said.
Most important, however, is for infosec pros to learn how to be leaders, and that involves focusing on six core areas: Success, Team, Response, Operational Excellence, Innovation and Grace (STRONG).
A key to the first core area, success, is to be clear about how success is defined not just for the individual, but also for the infosec team, and more broadly for the company.
“You need a vision for what winning looks like for the organization,” he said. For the security team, this translates into understanding why they’re protecting the IT environment. “Remember who you work for,” he said.
The company leaders care about growing revenue, increasing profits, boosting shareholder value and keeping their jobs. Infosec pros need to figure out how security plays into that and map critical business objectives to security. They need to get out of their cubicles and offices and go talk to folks on the business side. They need to read their company’s annual report.
“Understand what’s important to your business and map that to how security has to execute to achieve those goals,” he said. “Understand the ‘why’ of the way you’re doing things.”
Infosec pros also need to get better at building their teams, and a big part of that is making sure their staff has a sense of purpose.
If they feel that what they do is unimportant, and lack a sense of mission, the staff will be disengaged and suffer from lack of motivation and turnover.
An important part of this is playing to people’s strengths and putting them in a position to succeed, instead of focusing on trying to fix their weaknesses.
The third area, response, refers not to literal incident response, but to workflow – how infosec pros handle the torrent of work coming at them, and how they establish priorities so that they get the important stuff done and don’t get sidetracked by trivial requests.
“Do you constantly get pushed and pulled into possibly unrelated tasks and have no way to weigh the opportunity cost of diversions?” Rothman asked.
Having the proper response ties back to the success focus and understanding of the goals of the company, so that short-term needs don’t drown out longer-term objectives, he said.
Operational excellence touches on determining, often via granular metrics, how well your infosec team is performing relative to their specific operational responsibilities, he said.
It’s key for infosec teams to understand how tactical objectives build up to achieve longer-term strategic goals. “How well does your team execute against both short-term and long-term objectives?” Rothman said.
A challenge here is documenting and tracking the progress, and choosing which metrics are presented to the executives and the board.
“There’s no good answer,” Rothman said. The important thing is to make sure you tie the operational metrics to the company’s objectives.
Innovation, the “N” in Rothman’s acrostic, speaks to the opportunity infosec teams should give themselves to periodically (once a year, for example) revise and rethink their game plans, strategies and processes from scratch, looking for ways to make them faster, more effective and more efficient.
“Ask ‘If we were starting today, what would it look like?’” Rothman said.
Finally, there’s grace, which in Rothman’s proposal is all about practicing virtues – kindness, honesty, empathy, compassion – and having a work-life balance in which you make time for hobbies, downtime, personal relationships and laughter.
“Security isn’t fun most of the time,” he said, so infosec pros must proactively seek opportunities to live joyfully.
“You’ve got to enjoy the ride,” he said.