At the end, it’s all about protecting the money making machine

Make each action purpose and data driven

Both in personal and professional life, trust is hard to earn and unbelievably hard to regain. Every step you take in any new relationship should be carefully planned.
When you’re joining a new company, for the first couple of months — or as long as it takes you to prove yourself — you must pay extra attention to the things you do, because you don’t want to create any negativity around your name. If within the first couple of months you get to have any negative word standing in the same sentence as your name, you’ll have hard time getting rid of that label.

Take special care of security initiatives that may impact productivity of your coworkers. The last thing you want to happen is to make a decision which will be then pointed out as reckless and myopic.
We all make mistakes, but it’s really important to not fail your new coworkers, even at the cost of your own productivity.

By rolling out the big guns without learning the corporate context first you’re setting yourself for a big drama. More mistakes you make over time, less interested people will be in your future initiatives, because they’ll be afraid of you screwing their work again.

Walking on toes will eat up significant amount of your time and make you less productive, but will create solid foundations for future long-term endeavors.

Adapt, adjust and execute

Every single one of us made a plenty of mistakes in early days of our careers, but that’s completely fine as long as you recognize it and aim to improve. What really matters is to always seek feedback and recognize when you’re not making progress and to not put yourself down because you made a bad judgement. It happens to all of us so stop pondering and just move on.

Keep evolving, adapt to events happening in the industry and adjust your activities to the context of your organization’s, team’s or even particular person’s needs.
There is no shame in acknowledging your mistake. It’s actually a great leadership quality which shows you’re strong enough to admit that you’re not a know-it-all person.

In my experience it all boils down to leadership, ownership and using empathy to understand motives of each one of the employees and to inspire them to care about security.
Social skills and the grit for the win!

Securing the money making machine is the prime objective

If the job is good we want to work just for the sake of working, because for many of us it’s a burning passion. For some of us, hacking & defending is our prime need at the bottom of Maslov’s pyramind which comes before oxyge.
In real life however, you must focus on protecting the critical infrastructure which generates the revenue.

If you love your work and it’s your obsession — then needless to say — there are always ~16 awake hours in 24hours long day and there certainly is a time to have fun and enjoy yourself doing the great things with technology you wanted to do.

But in places where there are people relying on you being a professional, you must put first things first. It sounds obvious but you probably don’t realize how often you go sideways instead of focusing on things that matter.

We all love to do fancy stuff, but the thing is that most business owners don’t care how much fun you’re having as long as their money-making machine is holding up good with low risk of that state changing to worse.

There are execs fasctinated by technology and excited about you delivering more than expected, but in general, security is just to ensure
business keeps running and generates money, not to satisfy InfoSec passionate’s fascination.

What I mean by all these is — you must accept that often you’ll be required to do very not exciting work. It’s far more important to investigate on why Joe from HR so often fails at phishing tests, than it is to deploy yet another security tool released yesterday. Focus on people who actually make the money. If you hear that your sales person has problems with accessing their account, it is a critical issue you should address at the earliest.

There is a difference between important and urgent which you should obviously know in order to be effective. But some things are both urgent and important, so don’t allow yourself to ignore urgent requests because you believe that working on “important strategic project” is where you should be spending your time at the given moment.
If you delay your coding for a few hours, likely not much is going to change. But if you delay helping sales person, your company may have just lost a thousands of dollars on a deal that could’ve been made if you had enabled the salesman to do their work.

Business context matters. A lot.

How can you manage the risks — which is what all InfoSec is about — without knowing the risks of a given business? Surely there is plenty of things that span thru most of organisations, but you can’t make mature decision without knowing the business objectives though and through.

Let’s take an example of a Nessus’ scan which printed out severity
10/10 for that unpatched server. It doesn’t mean you must drop everything else and fix it immediately — altho you should — because that server can be in the deep internal network without any external exposure and hosting no sensitive data whatsoever.
Why would you spend time and change priorities because of unrealistic ratings like that? Differentiating between important and urgent is incredibly undervalued skill.
But make no mistake, I’ve seen Nessus reporting bugs with a rate of 1/10 which chained with a few other low severity bugs could put a business in tragic situation. So analyse all data thoroughly and always keep in back of your head that context matters.
You may think that’s easy but let me be brutally honest here — you probably don’t realize how many things you let slip thru because you’ve forgotten the value of big picture perspective. I don’t blame you, because you can’t eliminate it entirely. All you can do is minimize number of mistakes, so work on it the way I do and allow yourself to see through your past.

If you focus on tailoring your security program to needs of your organisation you can take your security culture on a much higher level. Every little thing separately has potential to make a difference, though all connected will create clear vision of corporate security culture.
Actions compound the same way knowledge does. It builds upon itself allowing you to achieve greater things. So don’t feel overwhelmed with the long path and focus on the value small things can bring to you and your business.

Once you truly realize that all big achievements are nothing but a result of many small steps taken, you’ll enable yourself for more successful and less stressful career. Try that, it’s worth it and if you don’t like it, you can always get back to stressful and overwhelming way of looking at things.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.