Security Is An Art Of Tradeoffs So Learn How To Manage The Risks

The balancing act, while not easy, is among the most practical things you can do

Be practical

No one likes having their time wasted. When creating a process, policy or procedure, thoroughly consider whether it has any realistic chance of being implemented. By working on something that won’t get results in real life you are not only wasting your time, but you may also create friction between you and the people who have to follow the procedure.
To be effective, learn how to justify your decisions; if you express yourself properly, people will be happy to do things that make sense.

While it may sound obvious to many of you, tunnel vision is a real thing, and we — security professionals — quite often fall into the trap of idealizing things and leaving the practical path because we’ve told ourselves that this thing makes sense for us. The key is to analyse whether our requests make sense for others, because it’s one thing to set up a policy and a completely different story whether users will comply with it.

Being practical means being tech-savvy enough to know what the right thing to do is from a risk management perspective. When you take into consideration how hackers operate, you’ll really understand why you should double your spending on securing the basics. It makes sense to first ensure your users have strong passwords and have 2FA enabled before you jump into buying a $1M firewall. Just because everyone is unwisely spending their budget doesn’t mean you should follow in their footsteps — especially when you’re not an overfunded startup that can afford to blow through money at the speed at which VC money is recklessly burnt in Silicon Valley.

Being practical also means being socially savvy enough to understand that the speed of your improvements will vary depending on the predispositions of each individual organisation. Sometimes you must take things slowly and enforce only 1 change per year, while at other organisations you can push 10 things each quarter, because you understand whether or not your people will feel overwhelmed by the number of requests coming from you.

Allow to cut corners when necessary

The business is there to make money and must ship the product or service no matter what. Delivering value matters more than anything else, and sometimes there are situations in which quality must be compromised and you can’t do anything about it.

Instead of wallowing in frustration and despair over the lost battle, spend that time figuring out what else can be done to cover the gaps created by the tradeoffs your business team made when they decided to ship the product regardless of your risk analysis.
Cut your resentment short and work on second-layer protections (compensating controls) that will still provide security if the holes in the shipped product are exploited and abused.

Learn how to mitigate risk and minimize the damage that could potentially be done, because spending time reading books about risk management has a bigger ROI than obsessing over how stupid your organization and how insecure its products are — even though sometimes that is indeed a painful truth, you must move forward regardless.

Your workday probably has ~8 hours in which you have an opportunity to make a difference and do something productive. Complaining and dramatizing takes away your chance to be creative and to fix the mistakes made by others, because you can’t get that time back. Once it’s gone, it’s gone forever, while there is still so much other work to do. So learn how to prioritize the risks over the drama so that your company benefits from your skillset as much as possible.

Each generation has its own struggles

I’m so fed up with those bullshit posts on LinkedIn from people talking shit and blaming Millennials for everything.

You know what the ultimate tip for Millennials is?

Stop following bullshit one-liner advice posted on LinkedIn.
I wish life were that easy, but it’s not, and the reason for most of those posts is to be click-bait that brings attention and fame to the poster.
Life is all about context, the little details and the big-picture perspective, which a one-liner has no chance of giving you.
The only thing it can give you is tunnel vision, which is crazy scary, because I’ve seen too many people sleepwalking through life only to wake up on their deathbed and finally figure out that they lived their lives on someone else’s terms.

If you want to transform your life, then you’ve got to put in the work and learn by spending thousands of hours educating yourself from content created by tens, hundreds or even thousands of people, where every single person provides yet another perspective, which you correlate with other knowledge and try to map onto your own life.

You Do You.
Stop wasting time on click-bait posts that have little to zero value and very often do more harm than good.
Being an authority comes with huge power and an even greater responsibility to ensure we’re not putting the lives of others in danger.

“The book that will change your life THE MOST is the book you write” ~ Seth Godin

Make your security training relevant and brief

Make sure that security training is periodic so people don’t forget to use that knowledge in day-to-day operations. Try to keep the audience entertained by your show so they don’t perceive it as just one more mandatory, boring corporate training, a.k.a. a necessary evil. Put in the work to ensure people are aware of your intentions and understand the WHY behind your training and WHY they should comply.
Meet with those people in person to show your human side and to give yourself a chance to build relationships with them, because we all know that, as empathetic creatures, we tend to like people we’ve met in person more, and we’d rather listen to someone we know and like.
It’s a good idea to show them the personal gains they get from learning what you’re trying to teach them, because some people care more about the privacy of their Facebook chats than about the safety of the corporation they work for.

Last but not least – always keep adjusting. A security programme is something that you must work on all the time and carefully customize to your organisation’s – or sometimes even an individual’s – needs. One of the biggest mistakes I’ve seen was security experts settling on a security programme for their organisation and not adjusting it to the growth of that company, making the security programme not only useless but very often a costly bottleneck in workflows.

All people are different, so if you prepare your security trainings as if everyone were the same, you’re heading for a huge disaster.

All goodness delivered by Dawid Bałut Security Podcast.