Second week in a row I find myself laughing out loud and referencing Seth's blog. It's a good thing I only follow one marketing blog. I recommend every security professional add a marketing site to their RSS reader. For however much vendor marketing can be a royal pain in FUD and distraction, internal marketing is obviously a critical skill.
I really like the concept of turning the table on negative cliches and using them for good. If I was back in a corporate shop I might even consider spinning up an intranet site listing the negative cliches of security and show how we rage against them.
Perhaps I'll do a post on security vendor cliches and show how we rage against them!
Here's a quick primer, feel free to share your own or shoot me an email.
The "No" group: We've all heard this one. I prefer to turn the tables by saying "yes" to every request that comes into the security queue. Of course, every yes comes with the caveat of balancing security, money, and ease of use (the other security triad, and "pick any two"). "Yes, you can allow non-employees access to the corporate intranet. We just need [the following list of controls]." "Yes, you can use social networking with [the following list of controls] and acceptance of the [list of potential impacts]." Etc.
"Security doesn't understand the business." That's why you meet regularly with line-of-business leads to review their strategic initiatives, understand how they're measured and what they need, and align your services and initiatives to support them. (Show them examples.)
"We've never had a bad incident." If you haven't, it's a great opportunity to reinforce your controls, your processes, and the continued need to manage risk. If you have had business-impacting incidents, let folks know you're learning from them, even if you can't always disclose the details. Perhaps you can share anecdotes with business leaders in your one-on-one quarterly meetings.
"The Security folks are chicken littles:" Assert your risk scenarios are based on fact and evidence, not FUD. Acknowledge and define security FUD for your business. They have their own world of FUD and will relate.
"Security is a bunch of IT cops:" I hate this one. Yes, part of your job may be monitoring for acceptable use. However, the rules are business driven and supported by your business leaders. Show how you're promoting positive use of technology, and be sure to explain "why" for every user-impacting control that is deployed. E.g., why you may not allow peripheral storage, don't allow iPhones on the corporate wifi or personal machines on the network, block access to certain classes of websites, etc.
And don't forget to challenge your own biases and stereotypes:
"Users are idiots:" Empathy works both ways. Their job is to make money. Your job is to help them make money while managing risk.
"Security is our job:" Actually security is part of everyone's job. Your mission is to help the business understand and manage risk.
"We own [this security decision]:" Again, you probably don't. Unless someone is about to break the law or regulation, it's a business decision.
"We're too busy" or "We don't have enough resources": Maybe, but if you define what you do and measure your capacity, resourcing is a business decision. Heroics are not a business-as-usual expectation. "Sorry, we're too busy and will get to that by xx time." Just explain why, and be sure to measure over-capacity so the business can allocate resources appropriately.
"Internal Audits are a waste of time:" This is a larger topic... The quick answer is to not be a victim. If audits seem random, work with the audit team to pre-schedule them. If audits take too much time, find the root cause, or measure the capacity needed to support them and communicate the opportunity cost.
Wow, I thought this would be a quick little post but I seem to have struck a nerve. I feel better now :)