A balancing act, while not easy, is among the most practical things to do
No one likes having their time wasted. When creating a process, policy or procedure, you must thoroughly consider whether it has any chance of being implemented. By working on something that won’t get results in real life, you’re not only wasting your time, but you may also create friction between you and the procedure’s recipients.
To be effective, you need to learn how to justify your decisions. If you express yourself properly, people will be happy to do stuff that makes sense.
While it may sound obvious to many of you, tunnel vision is a real thing, and we security professionals quite often fall into the trap of idealizing things. We leave the practical path because we’ve told ourselves that this thing makes sense for us. The key is to analyse whether our requests make sense for others, because it’s one thing to set up a policy and a completely different story whether users will comply with it.
Being practical means being tech-savvy enough to know what’s the right thing to do from a risk management perspective. When you take into consideration how hackers operate, you’ll really understand why you should double your spending on securing the basics. It does make sense to first ensure your users have strong passwords and have implemented 2FA before you jump into buying a $1M firewall. Just because everyone else is spending their budget unwisely doesn’t mean you should follow in their steps, especially when you’re not an overfunded startup that can afford to blow money at the speed at which VC money is being recklessly burnt in SV.
Being practical also means being socially savvy enough to understand that the speed of your improvements will vary depending on the predispositions of the individual organisation. Sometimes you must take things slowly and enforce only 1 change per year, while at some organisations you can push 10 things each quarter for execution, because you understand whether or not your people will feel overwhelmed by the number of requests coming from you.
Allow corners to be cut when necessary
Business is there to make money and must ship the product or service no matter what. Bringing value matters more than anything else and sometimes there are situations in which quality must be compromised and you can’t do anything about it.
Instead of drowning in frustration and despair because of the lost battle, spend time figuring out what else can be done to cover the gaps created by the tradeoffs made by your business team, who decided to ship the product regardless of your risk analysis.
Cut your resentment short and work on second-layer protections which will provide security in case the holes in the shipped product are exploited and abused.
Learn how to mitigate risk and minimize the damage that can potentially be done, because spending time reading books about risk management has a bigger ROI than obsessing over how stupid your organization is and how insecure its products are. Even though sometimes that is indeed a painful truth, you must move forward regardless.
Your workday probably has ~8 hours in which you have an opportunity to make a difference and do something productive. Complaining and dramatizing take away your chance to be creative and to fix mistakes made by others, because you can’t get that time back. Once it’s gone, it’s gone forever, while there is still so much other work to do. So learn how to prioritize the risks and the drama so that your company benefits from your skillset to the maximum possible.