Wednesday, June 26, 2013

Philosophy on Information Security

I wanted to write down a collection of guiding principles that I've collected over my career so far. Having been so privileged as to work with many senior IT and security folks, I can take credit for none of these revelations except for collecting them here to share with you.

These are some of the most valuable insights I've had, and they now make up the core of my guiding philosophy toward information security and compliance. Thank you to everyone who has contributed to forming these principles, and if you recognize one as your very own please feel free to take credit or email me and I'll include the credit to you. It's a compliment that these are so blended into my background and my mind that I no longer recognize the places where they originated, and not meant as any slight.

  • Security decisions are, ultimately, business decisions. The unspoken second half of that is "... and you have to be OK with that." In other words, we can provide the best information possible to our bosses and the organizations we work for about the risks, methods of mitigation and recommended strategies, but ultimately the decision they make is a business decision and includes factors we're not privy to. In fact, we often don't WANT to be privy to them, since they are frequently political in nature. Your work can be amazing, perfect and flawless and the company may still decide to go a different way. It is not a reflection on you or your work. This can be translated as, "learn to let go".
  • Bring method to madness. Generally speaking, a lot of what we do as security professionals is bring a framework or method of approaching very large and complex problems. We're experts at taking things like NIST or ISO and using them as a roadmap to approaching a wide variety of IT problems. When you're faced with what seems like an uncoordinated, uncharted, and disorganized approach, find the method. Down to the basic scientific method approach to troubleshooting.
  • Learn to be humble, ask for help and never pretend you know what you're doing. Having the pleasure of working with senior folks in the field, I can tell you they do not mind if you openly admit you do not know how to do something. They may be frustrated that they do not have the time to teach you under a deadline, but that is not ire directed at you. What will get you in trouble, get you fired, is if you fail to mention what you don't know and try to guess your way through it. You break something, and then they have to spend time not only fixing what you broke but training you anyway. Admit when you do not know.
  • I know this is IT, but soft skills are important too. I originally went into the field of forensics to become a medical examiner, and partway through the criminology and biology courses I discovered that whilst I had the stomach for gore, my nose was very sensitive. I wanted to be a medical examiner, not just because forensics fascinates me, but because, like many IT folks, I am happier in a less-social comfort zone. I thought computer forensics and infosec were a good choice, but I've found myself more than once asked to be "less intimidating". For someone who found themselves on the losing end of a bully's fist, this was a shock to my system. I read books on negotiation, joined something like a women's 'Toastmasters', and even found online webinars and seminars on project management, communication skills, negotiation and soft skills. Be approachable, be open, learn consensus building.
  • Never stop learning. No REALLY. I loved school. I thought IT would be a good field because when I talked to folks currently with a successful career, the one warning that was repeated over and over was "you never stop learning". School just doesn't cut it for this. It is not just that technology is changing so quickly that you have to keep up, it is the sheer inter-connected nature of the beast. You may go into security, but you will have to beef up on networking, then eventually databases, and one day you'll find yourself needing some scripting skills. You go into networking, you better believe you need server skills, which means eventually you'll get into databases. If you're any good at either you'll be into security as well... do you see what I mean? Be prepared for two full time jobs. One where you do your job and another where you are constantly learning how to do the job you need to do tomorrow.
  • Take a moment to smell the roses, remember to play. Sometimes we get so caught up in whatever small political or technological hurdle we are currently facing that we forget to stop and look around and remember "How freaking cool is my job?!" Take a moment to savor your accomplishments, your efforts in learning, your ability to explore a field of science many look to with feelings of magic and mystery. You help make people's lives better. Taking time away from what is frustrating you and just playing can be powerful in many ways. Play is key to problem solving, it can rejuvenate and revive you, and it can bring clarity in ways you never thought possible. Just take a moment.

Well, that is all for now. I have another post brewing on interview questions every Infosec / CISSP should be asking their prospective new employer!
Stay tuned.
