Align strategy with business stakeholders first
Who’s actually responsible for investments in security?
Security issues don’t pop up out of nowhere. Code, products, infrastructure and business quality is always a responsibility of a human being. So why don’t we treat it as such, and we seem to be always obsessing about technology rather than going after the root cause, which happen to be the people?
However, while talking about the “responsible person”, I rarely think about a software engineer who writes code, but about company’s management layer. Because it’s up to business leaders to decide on all investments. Including how much time employees will be allowed to devote to security and quality in their day to day work. If software engineers are expected to produce inhuman amounts of code, they can not afford focusing on security best practices. Managers who reward software engineers based only on amount of produced features, are the ones truly responsible for insecure products.
Just ten years ago I used to religiously believe that the responsibility for insecure code is all on programmers. After many years working with businesses all over the world, I’ve learnt that my perception couldn’t had been more wrong.
It rarely happens that engineers don’t want to build high quality products, but at the end of the day what they want vs what they’re ought to be doing, may be a two completely different things.
Most software engineers I’ve met were actually very interested in concepts related to application security, infrastructure security and the whole hacking theater. It’s fancy, it’s all over the place, people want to be a part of it, but their fantastic attitude doesn’t matter if we keep blocking them from joining the tribe.
The challenge is that more often than not, middle management isn’t held responsible enough for products’ safety. They’re usually rewarded just for shipping feature-rich and functional product on time, and the ‘security-thing’ is somewhere at the bottom of a software release checklist.
It’s also up to the executives, how much time and money they invest in employees education. If you expect your employees to learn about security in their personal time, that’s called being delusional, not visionaire. Because if a software engineer wants to spend time after hours learning something, then most likely they’ll be looking into some new programming library or framework, rather than stressing about complex concepts such as application security they have had unfriendly experience with at work.
It all goes top to bottom, the culture and tone set by execs is a real thing
There is a long and rough path ahead of us, till secure software engineering will be considered a part of basic quality assurance processes. It takes a lot of time and effort to make everyone conscious of potential consequences of security negligence, which means the earlier you start educating them, is better.
If execs don’t incentivize middle management to keep an eye on security, then middle management won’t incentivize software engineers to write code securely. If you don’t start from the top of an organization’s hierarchy you’ll have a hard time succeeding with your security initiatives.
Engineers, like most other human beings, generally don’t like to step out and do things their managers don’t want them to spend time on. And that’s for a good reason. In a healthy corporate culture, you want engineers that trust their leaders and focus on bringing value to the organisation. You want people who’re don’t raise a riot against policies set by business leaders, unless there have some good reasons to do so. Many, many people work in IT just to provide for their families, so being anxious that not all of them are questioning the status quo, is just ludicrous. Let others live the lives they want to live, because it’s not for any of us, to judge anyone else. If you want something to change, then focus all your energy on helping yourself drive a change, rather than oppressing people to follow your lead. If you start something that’s worthwhile and sensible, I promise you that there will be people willing to follow.
So if you notice someone stepping up to raise software engineering standards, you can’t miss such rare opportunity to convert it into a long-term partnership. Show your appreciation on the spot, because if someone is risking something for you, you better watch their back.
If you want to push people a bit so they leave their comfort zones, you must be very clear about your expectations and also provide them with some incentives. It doesn’t need to be tangible, just make sure you express your appreciation for an employee going an extra mile and paying attention to code quality. If you want to create a tribe that follows your lead and steps up, then you need to decrease the discomfort as much as possible. Essentially, you must make people comfortable in the discomfort they’re about to experience. You achieve that, by making them (feel) safe with your leadership.
I’m telling you all these, because I’ve seen a handful of my friends burning out. They had no support from the TOP so they’ve tried to take a lead alone, and incompetently enforce their narrative on regular employees. Which then led to toxic atmosphere, very aggressive tone and broken relationships. So be careful, because no matter how big your mission is, office politics apply to every single one of us.
Set common goals with management and executives
Senior management must be advocates of healthy security culture, otherwise it’s a Sisyphean task to do all the things from the bottom up. Without healthy leadership of an executive team, it’s very problematic to achieve tangible security improvements without huge costs without compromising quality of your personal life.
So before you start bothering engineers with your requests, make sure you have official support from executives, because engineers need clear and integral guidance coming from the top. Don’t confuse them more than they’re already by their other duties.
A good way to achieve effectiveness of your security program, is try to learn as much as you can about the high-level business objectives of your company and what are the points of focus for people sitting in management roles. Understand their perspective and gain the leverage.
It’s hard and dangerous to provide you with a generic recommendations, because each organization and each executive is different. It’s all in your hands to learn and feel how to approach them on individual basis.
Settle down on authority at earliest possible
Security is an executive level issue so it would be really useful if you were in a position to influence all stakeholders at the organization. You shouldn’t be wasting your time on back and forth discussions on why something must be done, or why it must be done this way or another. In a healthy corporate culture it would be enough if you just had a security role and everyone should follow your lead from the day one with a credit of trust. But such organisations don’t really exist. Every single organisation is dysfunctional to some extent, and sometimes you’ll face people which you can not lead as a servant-leader and you’re forced to use your authority in order to execute.
I’ve seen it many times that security professional had great intentions, attitude and leadership skills but they couldn’t complete their tasks, because there is always that one person in a company whom you must approach differently.
It’s CEO’s job to create a culture, where every employee trust new coworkers and respect them with a friendly attitude. Executives should make it clear to the middle-management that you are a serious business stakeholder, no different than any one of them, and they should respect your guidance.
If managers are only penalized and rewarded for shipping working product on time, they won’t want to invest in security which in most organisations almost always slows down software development process to some extent. So execs must make it clear that products security is a part of quality and should be treated as a regular, acceptable software development cost.
Thanks to that you may not need to waste time arguing with people why their teams needs to invest in security and all that stuff. You should be able to focus on effective execution rather than discussions caused by dysfunctional corporate culture and lack of proper communication. Being at the lowest of an organization chart, you’ll likely to have hard time working with non-security savvy management who has no interest in focusing on security. That’s how business works, if there are no incentives then why would anyone want to listen to you, especially when you’re a fresh-hire?
Deciding on those bureaucratic matters at the earliest, can save you a lot of anxiety and frustration. I realize that plenty of us want to act like big boys and girls, who can obviously handle everything without anyone having your back, but that isn’t smart. Cost of maintaining your ego really isn’t worth all those bad consequences that may come if you push too hard.
By consequences I not only think of toxic corporate atmosphere but also about your professional burnout and health issues that may arise when you’re too stressed and anxious for a long periods of time.
With power comes great responsibility so always aim to be empathetic to your people and don’t fall into the trap of taking advantage of your authority just because you can. Use this leverage only in exceptional situations when you’ve tried everything else and it failed.
You want to be in power but you should hope that you will never face a situation when you need to use it.
Build credibility and learn the language of business
Stay away from spreading confusion and FUD
Credibility is something you ought to be building from the day one of your career and tender till the very last day, when you say the final goodbye. What I’m trying to say here, is that the way of doing things really matters. We’re often so goal focused that we don’t pay too much attention to the byproducts of our actions. Sometimes, those byproducts bite back in the future.
Even if you achieved expected outcome, you must consider if you’ve used the best tools for the job, meaning have you persuaded people to do something thanks to your leadership status, or have you spread fear, uncertainty and doubt(FUD)? If the second is the case, then you may expect it to haunt you in the future.
If you’re a renowned expert in your field, you still must remain humble. You still need to build your internal reputation from the ground up by working nicely with people in your organization. You coworkers expect you to comply with their code and aren’t easily impressed by your status outside of the company. So if you’re a rockstar that’s perfect, and you should leverage it to make your life easier, however you should be aware of its shortcomings.
I’ve seen plenty of folks who ended up disappointed, because they believed that everyone will know their reputation and they’ll be treated differently because of their prior achievements. And when we think we’re THE ONES, we tend to forget about the need to play nicely with others. No matter what your perception of yourself is, I promise you that others have it completely different.
Learning how to weigh your words, so that people understand your intentions well, will ease a lot of interactions. Security field is very special, because we often tend to be the ones who worry more than managers and executives, because they simply don’t realize the true nature of security risks. However, if you complain too often, people may start labeling you as a frustrated person, who doesn’t understand that business is an art of tradeoffs. They may become afraid that all you care about is building a fortress and slowing down the business growth.
We have our reasons, but our good motives don’t matter much if others don’t know about it. You must work out a relationships in which people understand that you’re trying to help them do their work safely, that you’re the enabler and troubleshooter, not the troublemaker.
So you really want to be perceived by business people and other coworkers like someone who has it all under control. When discussing severe security issues you’ve had discovered, you must be careful, so your language and tone aren’t unclear, negative or overwhelming. As an InfoSec Pro myself, I know why you’re using certain jargon, but everyone else outside of our little echo chamber have no idea what’s going on. Don’t be too simple in your speech, just be impossible to be misunderstood.
While it may sound counter-intuitive, sometimes it actually makes sense to slightly underrate the issue you’re reporting, so they accept it without anxiety and you can make a progress. Small progress always trumps no progress, and good now is better than ideal never.
Because of the negative tone, we had set for all-things-security in the past few decades, people overreact when you have even a little aggressive tone. Security folks who too-passionately want to secure companies they work for, often don’t comply with a corporate communication code. Overreaction may ultimately lead to them ignoring you, which is one of the biggest challenges to overcome after the damage had been done.
The most practical advice I can give you is that we must learn how do adapt at the fast pace. Yes, it does mean that you won’t get as much technical work done at the beginnings, but building credibility and foundations really pays off in the long run. Because once you’ve built credibility as a “smart security leader who knows business, risk management and knows how to work with people”, you can progressively start expressing your thoughts more in-depth.
So be careful about all that and once you’ve figured it out for yourself, stick to it. Different things work for different people and organisations, so keep doing what works for you. You do you, keep that in mind thru the whole book and life actually. If being passionate and verbose works for you and everything is good, then I’m happy for you! Keep doing what you’re doing, but revisit often so you don’t fall into the trap of being too romantic about your past approach. Effectiveness and practicality trumps attachment every single time, so stay alert and don’t let your ego blindfold you.
“Make it till you make it” is much better strategy than “Fake it till you make it”
If you feel that what you’re doing is right, then you shouldn’t let anyone who doesn’t know you influence your point of view. But bear in mind, that when you act a certain way and don’t listen to suggestions from others, you gotta take it all on your shoulders when stuff goes sideways.
If you act overly confident to the extent that it may be perceived as narcissistic cockiness, yet you make too many mistakes, people will lose respect to you very quickly. Humility is a huge tool you should use, to give yourself a space for making mistakes.
For example, if someone asks you for help but you aren’t sure of the answer, be honest about it and tell that person that you’re going to figure it out for them, but you need to do your homework first to make sure you provide quality advice.
Then do the homework digilitently, and get back to that person with all the details they needed.
Never let your ego try to make things up, because people are smarter than you think. If you fake too much, they’ll figure you out and you may end up forever labeled like an incompetent imposter.
Fake it till you make it, doesn’t really work and I much more prefer a version “Make it till you make it”. Learn stuff, be humble, reiterate till you’re pretty good at things you do. Competence inspires confidence, so till you have serious body of work to backup your words, just do stuff in silence and don’t try to overdo it.
Everyone is a target these days, but are they truly aware of it?
Vast majority of startups and SMBs – especially outside of tech world – tend to have this dangerous believe, that they’re too small to become a target for malicious hackers.
When you look at the statistics and reverse engineer hacker’s mindset you can figure out why it’s actually the opposite way around. Hackers, cyber thieves, script kiddies and other malicious actors, come after the easiest targets not only because of the instant reward that stimulates their brains, but because hacking is these days is more of a business than it is a hobby.
Thieves seek quick wins, because like most business owners, they realize that time is their most precious resource. So they’re more likely to attack organizations with weak security posture, because in a week they can hack dozen of them, rather than spending a month without certainty that there will be any return of investment.
It’s not to say, there aren’t hacking groups that go for the big brands, it’s just there are far more average skilled hackers than there are sophisticated and well funded hacking groups. And that leads to a very important point. As an owner of a small business consider your investments as something that is supposed to stop those lone wolfs, rather than trying to spend a lot of money on trying to protect yourself against gangs or state sponsored attackers.
Management needs to understand that while big organizations can often survive a security breach, small ones can’t afford it, often because of its impact on their public image. If business providing enterprise solutions has stable position on the market and great product, most customers will stay because it’s expensive to transit whole enterprise to another vendor. But if you’re a small startup that has been compromised, you’ll have hard time preserving your customers. Not only that, because in this era, breaches get overblown on social medias and PR/marketing-wise you’re finished even in terms of new, potential customers. This is really important thing to mention here, because recently I’ve seen many article saying that “it’s cheaper to get hacked than secure an organization” which are nonsense and are doing a lot of harm to us who work on executives’ security awareness.
Basic security isn’t that expensive and articles like that make more bad than good, so ensure everyone understands business risk management including dangers coming from social media scandals and get the solid perspective on why security breaches bring different results to different organizations.
You can earn some love from your marketing and sales people if they learn that you’re protecting the business to make their job easier, so they won’t need to explain to each prospect why you were hacked and convincing them that the company is in much better shape nowadays.
Be smart and unite people from various departments to help you achieve your goals.