Do the work behind the scenes and don’t be a workflow bottleneck
InfoSec as an enabler
If I were to choose only one thing to share with you, it would be that there is no place for a naysayer in a security department.
It’s unbelievable how many of us kept doing the wrong things for so long. It’s tough, because the impact we’ve had on IT communities is something that’s chasing us to this day. I’ve had to spend a lot of energy on working out healthy relationships with my peers by convincing them that not all security people are rude and negative. I don’t want to point fingers at anybody, because I’ve made those mistakes as well; however, we, as an industry, must acknowledge the elephant in the room and recognize how many cultural mistakes we’ve made in our careers. We must confront the fact that our strategy of whining about the insecurity of everything, and our desperate attempts to slow down innovation, turned out to be impractical. We tried hard to keep the comfortable status quo instead of learning the new technology and figuring out how to allow others to do their work more efficiently. We had good intentions; however, people couldn’t follow our incompetent lead and always found a way to bypass our restrictions.
I know it’s getting better and there are fewer infosec specialists who default to denial and rejection. Yet I feel it’s worth emphasizing that our ghosts of the past have made it tough for socially savvy security pros to create healthy relationships with engineers and other employees.
Saying no is easy; being creative and looking for innovative solutions is challenging, and as hackers we should strive to solve challenging problems, because that’s part of our DNA. If you’re not creative enough, people will find creative ways to bypass your negligence, and it will all have been for nothing.
Your mission is to enable your coworkers’ workflows and demonstrate that you actually have honest intent and a willingness to help them address the challenges of their day-to-day struggle. Don’t romanticize the path you had to follow in order to be where you are today. Just because they haven’t been studying security for the last 10 years like you have, and they aren’t aware of the risks involved with the technology they want to use, doesn’t entitle you to have an attitude and razz them for it. You’re there to help them; that’s why you are a security specialist, and you ought to use your skill set to support them, no matter what.
If you want to be a rock star, then earn that status, because status is something that’s granted to us by a society, not something we tell ourselves. We can make as many grand statements as we want, but if our actions don’t back them up, we’re just being delusional. We’re hired to build robust products other people can use, and we must put our greatness to use solving the challenges. Even though it’s uncomfortable and it may be something you don’t want to do, it’s still the right thing to do.
So make sure you revisit your attitude, because even though your competence may be fantastic, your attitude must be in check as well to enable your own and your team’s productivity.
Listen and execute behind the scenes
Those who aspire to be great leaders must master one skill before all others, because this skill alone can take them far and enable their growth in other areas. That skill is listening and execution: execution, especially, when no one is watching or expecting it.
Delivering work no one asked you for, just to improve the lives of your co-workers, is something that people know how to appreciate. So whenever you feel like doing something for the community, just do it, and the satisfaction will come to you sooner or later. Going the extra mile is something that can help you build an image of yourself as an outgoing leader and problem solver. Our world needs people who identify problems and try to solve them on their own, without waiting for someone else to pick up the fight. People always seek someone to lead them: someone who’ll inspire them and someone they’ll be able to secretly look up to. Be that person, or at least give it a shot, because there is nothing you can lose by doing good work.
If you provide a lot of value upfront, people will feel emotionally obligated to give something back, because we can’t stand the feeling that someone gave us so much and we haven’t even attempted to return some of it. It doesn’t need to be tangible; the ROI can be their eagerness to work on security improvements for you. We’re all in the human business, and technology comes second, so if you have good relationships with people, they’ll do something for you, even if it’s something they won’t be acknowledged for by the business. It’s in their human nature, and that’s all it takes.
Obviously, as with everything I’ve shared with you so far, there will be exceptions and you’ll face totally ungrateful people, but just because of those few individuals, you shouldn’t abandon the whole society of great people who’d love to work with you side by side.
Sometimes we just need to step out and take things into our own hands. Even if you think there is no tangible incentive to do so, the feeling of doing something for a better future for your coworkers is wonderful and justifies the sweat equity.
You must ensure that you’re doing whatever is possible to show people your determination, competence, and passion, but be wary of taking too many little things — like code fixes — on your shoulders, because it may lead to cognitive and time overload. You can’t take so much on yourself that it becomes impossible to do the actually important tasks that only you can do because of your skill set.
If it happens that you need to fix some code or tweak configs, then that’s perfectly fine as long as it’s an exception, not a rule. The key is balance.
The concept of purple teaming is something I fell in love with many years ago, when I was experimenting with a variety of ways to make myself more productive. Everything changed for the better when I started embracing a culture of collaboration, where attackers and defenders work together to find the best approach to securing the products.
Although it’s great to focus on your narrow specialization and be an expert, it’s not the actual reason we’re getting paid. We’re getting paid to improve the safety of our organization, not just to do the work for the sake of doing the work. To be truly productive, I really recommend at least trying to collaborate with all stakeholders across the organization.
Being a pwn-all-the-things rock star will take you only so far. It’s overrated and, while fun in the short term, gives terrible results in the long term. I must remark, though, that there are great people out there who provide immense value to the industry by doing only the thing they love, but those are exceptions. It’s much easier to achieve success and long-term satisfaction if you learn how to work with others.
Become a member of each department
Having an independent security department is expensive and hard to scale. What worked for me was working side by side with the people who ship the products. This is a good thing to focus on, especially in small organizations where a security culture isn’t yet established and people don’t realize they should inform you about certain matters. While it is obvious to you, and you expect them to use you as a consultant, people often just don’t have it in mind if they were never required to do it before.
As a third-party consultancy, you’ll often be late to the party, because people either forget, don’t have enough time for proper communication, or are afraid that you’ll introduce an additional burden to their existing workflow.
Becoming a team member will make everyone more socially comfortable with your presence and role, which enables you to cover more things with your security expertise. Some of us painfully learned that a “we vs. developers” approach doesn’t really work if the goal is to create a healthy and friendly environment. If you introduce that competitiveness, it often creates a toxic atmosphere where people do their best to hide things from you instead of collaborating on convenient solutions.
Join one team for a few weeks and then jump into another to create well-intentioned relationships with your peers. Don’t just sit in your cubicle waiting for someone to call you for help, because that’s not going to happen.
Delegate instead of trying to fix everything yourself
To maximize your impact, you should learn how to delegate some of your workload, because you don’t want to become a bottleneck for security improvements, which is completely contrary to your goal. Beyond time management and the fact that you can’t always be a one-man army, delegating tasks serves an important educational purpose.
By handing work back to the person who wrote or deployed the code or service, you help them understand the mistakes they’ve made so they know how to do it better in the future. If you fix everything yourself behind the scenes, people will keep making the same mistakes over and over again. They may not even be aware that they did something wrong, since no one ever raised any concerns regarding their code quality.
Apply the same approach in all aspects of the business and educate people on how to improve the security of their day-to-day execution. You can, for example, teach internal QA teams how to do basic security testing, so that you have additional eyes looking at the products from a different perspective.
Use your exceptional skill set to focus on the things that matter and leave the rest to others who are more capable or who are actually supposed to do that kind of work.
If you’re a great web pentester and a good software engineer, you surely can fix the bug you’ve found, but is it the smartest thing to do? If you’re the only security expert while there are 50 software engineers in the company, you’re better off delegating the fix to others, so you can focus on execution within your domain of expertise.
Internal security training and awareness awards
Conduct recurring security training
Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overwhelming PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as recap material, but when starting out you must make people excited about the subject; otherwise, it’ll be just another corporate training they’ve attended only because it’s obligatory.
Don’t shy away from showing off your skills to non-techy people. It makes sense to show some real-life exploitation to impress them, build a great human relationship, and gain their respect for your skills, even if they haven’t understood all of the things you’ve just shown them.
I personally like to show real-life testing, including the very first steps, from setting up Burp through vulnerability assessment and exploitation to data extraction. When you go step by step and show how you find a specific type of vulnerability — how you exploit it and how it can be fixed/prevented — people get the big-picture perspective, which is understanding the business risks. When they actually realize how code quality affects business longevity, they’ll pay much more attention to it.
There are plenty of open source resources that come in handy in such exercises, so squeeze the most out of them to create enjoyable and valuable security training.
Guiding them through a detailed flow is practical, because while you’re doing the hacking part, the participants have a chance to directly and comfortably ask you many (un)related questions. Interactive meetings are the greatest, as they’re much better remembered than a dull slide deck and they give you an opportunity to show the human part of yourself. Standing in front of people gives you an invaluable opportunity to cultivate the relationships I’ve mentioned earlier.
The same concepts apply to physical and personal security, and the key message is that training should be engaging, exciting, and relevant. Training should also be periodic, so people are constantly reminded of the importance of security.
Popularize internal Bug Bounties and awareness recognitions
Bug Bounty programs are great and I’ve been a solid advocate of them for the past decade, but before you jump into spending crazy amounts of money on an external BB, you should give it a try internally.
It’s smart to start with internal initiatives first and give your peers an opportunity to learn new skills and get some fancy rewards for their efforts. Consider hackathon-like efforts where engineers can work on complex security issues they consider interesting, or just do some internal bug hunting with you.
While the BB is mostly a vehicle for creating a security culture, there is actually a real chance of finding a few security issues, because each person has a different perspective and a developer may find a bug in a place you’ve never thought of.
Make it fun and offer rewards like a few additional PTO days or gift cards for individuals who’ve found security issues in the specified timeframe or who came up with a great security tool during the hackathon. Besides the fact that everyone likes awards and rewards, people get excited when they’ve been publicly recognized as security aware. At most organizations, people remember being razzed about security rather than being appreciated, so you’ve got a chance to use that in your favor. Don’t forget to properly acknowledge the effort of all those who also tried but weren’t as successful, because you want everyone to feel engaged and appreciated. You can use the Bug Bounty concept for non-technical people as well to show your appreciation, e.g. if they report a physical security incident to you. The key is that you need to cover the whole organization with the awareness, because security is only as strong as its weakest link.
Initiatives like this help shape a culture where being security aware is appreciated and rewarded, and after a while it can become employees’ habit to take care of company safety. Besides all the security benefits, it’s simply a great team-building exercise, so you should run it on a regular basis.
“Tell me and I forget; teach me and I may remember; involve me and I will learn.”