InfoSec as an enabler
Of one thing I’m certainly sure — there is no place for a NO person in security department.
Long time ago already I’ve stopped counting how much time and effort I had to put to convince my coworkers that not all security people are rude bots whining about insecurities of everything and trying to keep the comfortable status quo instead of learning the new technology to allow others do their work efficiently.
All those default-deny-people — which luckily are becoming less common and becoming an artefact of the past — made it very tough for social-savvy security pros to create good corporate culture and healthy relations with engineers and other employees in general.
Saying no is easy, being creative and looking for innovative solutions is challenging and as a hackers striving to solve challenging problems should be part of our DNA. If you’re not creative, people will find creative ways to bypass your NO and it’s all for nothing.
Your goal is to show people that you aim to help them and enable their workflow instead of being gruffy because they haven’t been studying security for the last 10 years like you had and don’t know all the risks involved with what they want to do.
We’re the heroes hired to help build robust security solutions and we need to use all of our greatness to solve the challenges and secure the organization.
Listen and execute behind the scenes
To be a great leader and enabler you should master listening and working on stuff even and/or especially when noone is watching.
Delivering the work no one asked you for, just to improve life of your co-workers will be appreciated and will build the image of yourself as an outgoing person who’s out there willing to help others — the capable leader and problem solver. Our industry desperately needs such people and other employees always seek for someone who’ll inspire them and they secretly want someone to look up to.
If you give people a lot which will outweight what they’re giving you — 51>49- they’ll feel emotionally obligated to give something back and the ROI can be their eagerness to do security stuff for you.
Provide as much value and help as possible, and you’ll see empathetic magic happen because people can’t stand if they’ve received lots of help without offering as much in return.
Sometimes we just need to step out and do take things in your own hands for better future of you and your organisation. Even if it happens, that you need to fix some code and configs yourself and that’s perfectly fine as long as it’s an exception, not a rule as I had explained in the post “Embrace DevSecOps”, where the key message was that you must learn how to balance things if you want to be effective.
You must ensure that you’re doing whatever possible to show people your determination, competence and passion, but be wary of taking too much of little things — like code fixes — on your shoulders which will make it impossible to do the actually important tasks which are only within your skillset.
Dawid Bałut 