Caution: The Nature of Our Work

Every InfoSec leader must be careful about how they go about executing their duties. I’ve learned over the years that it’s not only the work that InfoSec does, but how we go about doing it, that can create friction between our team and others.

InfoSec, by the very nature of its work, discovers “stuff” that is often incriminating to someone in IT or engineering. The findings often shed light on someone’s failure to do their job properly.

When InfoSec gets its hands on information of this nature, it must be handled delicately. If not, InfoSec can be put in the position of “professional finger-pointing.” When this happens, InfoSec bears the responsibility for professionally shaming other groups, and possibly creating a foe for life. Be careful. Nothing will cause more damage to your working relationships than to expose the poor security practices of your colleagues.

Take, for example, what happens when our InfoSec team scans the network for vulnerabilities. Although this is valuable information for the security of the organization, the way we present the findings will make or break our relationship with the network services team. Usually, the InfoSec team reports its findings to the network services team and its leadership. The findings are received and viewed by the network services team as “bad news,” and a subtle and quietly antagonistic relationship has been planted. The findings expose the fact, in front of network services management, that the network engineers aren’t maintaining their systems in accordance with company security policy.

You talk about a way to endear yourself with other teams. Try this a couple of times. You’ll quickly find you have no friends at all.

It’s a vicious cycle. System owners will refer to the scanning procedure conducted by InfoSec as “friendly fire,” and view the InfoSec team as threatening their professional capabilities. InfoSec team members, on the other hand, are just trying to do their job and secure company assets.

To solve this situation, I suggest that your team administer the vulnerability management service but require, through policy, that the system owners (in this case, network services) scan their own systems and do with the results as they see appropriate. I suggest you and your team get out of the business of scanning other people’s systems and code, except during a time of crisis, such as a security incident. Let the system owners have full control over managing the vulnerabilities impacting their systems. As the service owner, you can always see their progress via the tool you administer.

Get out of the business of bringing forth data on other teams. It can only lead to tension and animosity. And it’s not good for building solid working relationships.

I’ve seen the all-too-familiar scenario of InfoSec team members working in an atmosphere of animosity with others in the organization, especially their IT and engineering brethren, because the InfoSec team failed to keep relationships as the top priority of its agenda. When this happens, the organization begins to develop “antibodies” against the InfoSec team, and if the trend isn’t quickly dealt with, your days can be numbered.

Most, if not all, InfoSec teams carry out their duties with the best of intentions. But it’s the nature of our work and the way we go about delivering our findings that often sets us up for failure. I’ve referred to our positions as “radiologists” since we see everything happening in our environment, and it is our job to hold up the x-ray for the patient to see their “state of health.” Our job produces the x-ray, and we should offer an opinion or recommendation if asked to do so. When I bring the x-ray forward and present it, I provide the patient with good data and let them decide how they want to respond to what the x-ray shows. Usually it shows that someone hasn’t done their job properly, and if you’re not careful, you run the risk of alienating a colleague forever.

The InfoSec team operates in this natural conundrum: being the group that should help the company protect its most valuable assets while also being the group that sees everything happening “on the wire.” Harmony between InfoSec and its client groups in IT and engineering can be elusive, especially if you don’t keep relationships a top priority for you and your team.

Creating a foundation of solid relationships is at the core of achieving real InfoSec. Without good working relationships, none of the other steps for building a security program will be effective, and most will be next to impossible to achieve. Relationships centered on listening and valuing the contributions of others will reap security rewards beyond any investment in technology or staff. In fact, establishing and maintaining good working relationships, whatever the cost, is the most important achievement that a security group can accomplish. Without them, you’re doomed to failure. You may for a while run under “the cover” of your executive, but without these relationships, a reckoning will come.

Making Relationships a Top Priority

Among the InfoSec teams I’ve managed, I always maintain a team goal that we spend 25% of our time devoted to activities that establish and maintain good working relationships. That’s right, 25% of our time. It’s that important to me, and the payoff is that great.

I make it a habit to meet with the other InfoSec teams in my local business area over hosted two-hour lunches. I invite the CISO and their direct reports to meet and discuss leading practices. We do this to learn from others and compare our program against theirs. We seldom meet other teams that give much time to building relationships. These InfoSec teams from other companies assume that their colleagues share their views on security. My experience is that others don’t. For this reason, we formalize relationship building, and place it at the top of our priority list and staff goals each year. I cannot overemphasize the importance of making relationships the bedrock of your security group.

Over the years, some of my team members have initially resisted placing so much emphasis on relationship building. They argue it’s a waste of time and takes them away from the meaningful work of InfoSec engineering. Their experience and education taught them that security was the result of deploying good technologies, and not hosting lunches.

I’ve heard all the excuses over the years, but none hold up in the court of reason and experience. It doesn’t take long for the complaining to subside. Staff members who stick around for a few months see the benefits almost immediately. The arguments against relationship building stop quickly, and it becomes a self-propagating process as team members sell its value to other team members.

Today, no one I work with questions its value. Everyone sees it as a top priority. In fact, I could probably leave it off staff members’ goals, and the team members would still perform the relationship-building activities out of habit. It’s also interesting that the senior people on the team realize that good working relationships make their jobs and the jobs of others on the team much easier. Relationships are that important, and they’ve become part of our team’s DNA.

Your Program Will Be Only as Good as Your Relationships

Relationships are birthed and matured by spending time with people. I’ve learned that no one will willingly move in the direction of security without being led to do so. To move the organization toward improved security, the InfoSec team must take the initiative and connect with other teams. As a result of this focus, don’t be surprised if you have 30 to 45 recurring meetings with individuals or groups across the company. This is a good practice.

These meetings vary in content and frequency, but they provide a forum for ongoing communication and security education. Almost always, our introductory meeting is over lunch, and typically limited to 10 to 12 people. If the group is much larger, you lose the intimacy you need to get to know people. We always have opening questions teed up as icebreakers to get the conversation started. However, rule number one for this first meeting is that we’re not allowed to initiate anything about security unless they do. We stick with the “just get to know them” approach.

One of the groups we meet with regularly is the legal team. So much of InfoSec’s work supports the legal team that rarely does a week go by that we don’t come together. Staff investigations, for example, are often a topic. We present the status of our current findings and allow them to ask questions about our forensic activities. This involves dialogue about next steps and what can be done in the investigation. These meetings don’t always stay on the topic of investigations, but inevitably will shift to other security topics.

In our relationship with the legal team members, we’ve often gone beyond our normal services to make them aware of what our department can do to remedy certain situations they confront. For example, the attorneys were told by their IT support team that severance packages were stored in a “secure location” so that only a handful of attorneys could read them. After learning this, we offered to verify that this was, in fact, the case. With their approval, we crawled some network file shares, and voila, we emailed them some of the recently issued severance packages. All in cleartext. Needless to say, the files were simply in a hidden file share, with no password protections or encryption. The attorneys were shocked at our findings.

The good news was that our team offered solutions that were an easy remedy to their situation. Letting departments know where their vulnerabilities lie and what your team can do to help can be tricky. But if you’re not on a witch hunt, and bring the issues up collaboratively and respectfully, then you’re almost always guaranteed to succeed. In my experience, the prior relationships I developed through my meetings made the process go smoothly in these cases. And it takes only a couple of these types of events for your customer groups to become valuable supporters of your team’s efforts.

Relationships Aren’t Sexy

One of the difficulties InfoSec leaders face in prioritizing the value of relationships is that, among security types, relationships just aren’t as sexy as engineering work. No one is talking about relationships at conferences. Understanding social interactions isn’t the work that draws IT security people into their fields, or techies into the IT field.

Building relationships involves connecting with people where they’re at, establishing a working rapport, and finding common ground. It means understanding the workload of the people you serve and being sensitive to their concerns around the systems and data they support and protect. This is not the work that comes naturally to someone who has spent their education and career immersed in understanding technology. So as you look to add people to your team, it would help to have people skills at the top of the list.

Hiring Staff with Relationships in Mind

Ask yourself: how highly does your InfoSec team value relationships? When you think about the kind of candidates you hire, what characteristics do you look for? I screen for very technical candidates with engineering degrees. That being said, a close second is interpersonal skills. I look for people who are self-aware and express an understanding of the value of good working relationships. I value these skills more than any certification, accomplishment, experience, or credential that illustrates a candidate’s ability as an engineer.

Some time ago, I noticed that all our interview efforts targeted technically competent candidates. These candidates were passionate about securing systems and believed that security was doing a great service for the company. But many of the candidates lacked good interpersonal skills. Communication and interpersonal skills weren’t on the list of requirements for the position. This was an oversight. We needed team members with the ability to communicate well, and who would value maintaining good working relationships while they worked through the issues of solving security problems.

My belief was solidified time and again when I saw friction between my team and other teams. Differences and disputes over InfoSec solutions that end in ill feelings aren’t worth the price of good relationships. Avoid them.

Often the security requirements placed on projects are too difficult for the project team to implement, or there are too many to fit into the project timeline. The security requirements can involve technologies and processes that IT people are unfamiliar with, which can often leave an IT professional feeling threatened or with a belief that their project will be late. Without the relational skills to navigate this exchange, our InfoSec staff began what seemed like an endless pushing and shoving match. Our staff needed to be willing to compromise on their demands for security while building an environment of trust and mutual respect. After all, the sky is not falling, most systems are not being “owned,” and data isn’t walking out the door the way the security technology vendors would lead you to believe.

I suggest avoiding a contentious environment at all costs. Its price is far too high and will debilitate any healthy organization. Once relationships have been ruined, they’re difficult to restore. Once respect is lost and animosity seeps in, the inevitable downhill cycle sets in. This cycle is hard to break and is the beginning of the end for most InfoSec leaders. The seven-step process for building an InfoSec program is based upon relationships.

Building Strong Relationships: It Takes a Plan

Building strong working relationships doesn’t come easy. It doesn’t happen naturally and requires deliberate steps to achieve, especially because most members of your team are probably a bit asocial. Good working relationships take a long time to cultivate, so when you get started, don’t assume that one lap around the relationship track will get you in top physical shape. It’s a marathon, not a race. Stay the course. Apply pressure to your team to stay with it. If they elect not to, then they’ve opted out. They’ve made the choice to not be a part of something new.

I suggest you get started with weekly lunches with other technology groups. These are cheap and easy, and food provides a great setting for casual conversations. Try to keep the gatherings to fewer than 15 people. Don’t set an agenda. Allow for introductions and everyone to share their favorite movie, Netflix series, hobby, or weekend activity they enjoy. By the time the second person shares, others will be chiming in, and now you’re off.

Once this happens, the meeting will take on a whole new life. If the meeting comes around the table and reaches you, the leader, I suggest you share your favorite Netflix series as well, but also take a moment to highlight some of the dumb things you and the team have done. Be transparent. We’re all human and prone to mistakes, so be the first to admit that and watch how others will follow.

Don’t stop at lunches. I’ve taken groups bowling over lunch or to movies after lunch. Getting people away from work to get to know each other will go a long way to building bridges between your team and other departments.

Understanding the Value of Listening

In meetings you have with other groups, it’s important that you and your staff listen first. I try to hire good communicators and then coach them on the value of listening to others. To be a good communicator, you must be a good listener.

I approach most of our meetings with the intent of not saying much, and preferably nothing at all. In fact, I’ve found that just showing up to a meeting makes others in the room think about security more than they would have otherwise. Many times when I’ve participated in meetings, someone will look down the table at me and say to the group, “Oh yeah, we also have to think about the security of this system.” And I haven’t said a word.

It’s important that you model good listening skills and conversation practices for your staff—simple things, such as never interrupt and never complete another’s sentence. Let others talk as long as they want. Ask a lot of questions and listen to the answers. Listen to staff members’ suggested solutions. Try to understand. Everyone wants to be respected, so respect their contributions. Don’t be a know-it-all.

It’s also important to remember that most of us work among people who are just like us: they long to be valued, to be accepted, and to be validated by their contribution at work. No one wakes up in the morning and looks in the mirror and says, “I think I’ll go to work today and screw everything up.” Quite the contrary—everyone wants to be successful. A little patience and kindness goes a long way. Try listening first before you speak. You’ll be amazed at how it works.

Reaping the Benefits of Relationships: Teamwork

One of the outcomes of building strong relationships among the InfoSec staff and other IT staff is the sense of teamwork it provides. No longer is InfoSec the department everyone despises or fears. If you keep relationships at the core of your program, by the time you work through the steps I’ve outlined, your InfoSec department will have the reputation for being a collaborative partner and a team others can trust. The benefits that come from being a team player will be surprising.

Nowhere was this more telling than the process I followed for our first penetration test (pentest). Typically, these exercises can be equated to an attack on the network services team. That team owns the network, and one portion of the pentest is focused on discovering the vulnerabilities in these systems. Knowing this, the network services team waits in fearful anticipation of the findings, often delivered in front of their management.

If you follow the normal process, the process considered a best practice, it’s a no-win game for everyone. The InfoSec team delivers “bad” news in the form of the assessment findings. Because the performance of the network services team is scrutinized, that team finds itself in a defensive mode. After surviving the assessment/audit, they spend a good deal of time plotting their retaliation against the InfoSec team. At a minimum, they certainly aren’t going to cooperate with InfoSec going forward.

To avoid this situation, I decided to conduct a pentest that kept relationship building as its central focus, above the actual results of the test itself. If you build good relationships early on, you’ll find that future pentests are performed by the network services team in a manner more aggressive than I ever would have imagined. So on this first test, I decided we would turn over the findings to the network services team as they were discovered, and not wait until the end of the audit and present them in a public forum. I also decided that the assessment process would be done in collaboration with the network services team, from the creation of the statement of work (SoW) through to final report and presentation.

At every step in the process, the network services team was at the table participating in the decisions and daily updates. Nothing took place in the audit that the team wasn’t a part of. The outcome of approaching the audit in this fashion was that most of the findings were remediated before the final report was issued. When the final results were presented to management, it was little more than a formality, and the InfoSec team was all too happy to report that the network services team had already remediated all of the findings. Win-win.

My goal was to make that final presentation good news, by making sure it did not contain any unremediated findings. The report needed to reflect the discoveries, and the fact that the network services team immediately worked to fix any exposures that were found. I believed this process would create a win for everyone.

When we tried it, it was hugely successful. The CIO even noticed the change. When the final report was delivered, not one single finding was in need of remediation. The network services team members were ecstatic as well. We hadn’t thrown mud on their faces, and they wondered what kind of evil we must be plotting to have let this audit opportunity go. But there was no evil intent, just a desire to do the right thing, improve the security of the environment, and build relationships in the process.

One of the unintended outcomes of following this process surfaced the next time we conducted a pentest. The network services team learned that we had limited the audit findings to only one high-risk item, and asked that we perform a more comprehensive look. Not a bad turnaround.

We still follow this protocol for our pentests today. And what makes it so successful is that we keep relationships at the core of the process. We conduct the test as if we were members of the network services team, doing to them what we’d want done to us. We also have to keep in mind that there will be many more pentests and interactions with the network services teams.

Contention won’t foster the relationships needed to work together and will be counterproductive to getting the work done. An InfoSec department that values and pursues relationships in all its work gains trust from other departments by the value and respect it extends to its colleagues.

As you will learn in the next chapter, security is never about implementing security controls that meet our expectations. Let’s be honest: most groups will fall short of the level of security you and your team would like to see. The victory for the company is that today they’re implementing their own security controls. Hopefully, tomorrow they’ll revisit them and increase their security posture.

We strive for incremental progress, while supporting the business. We invest in relationships because, ultimately, we need to rely on others to implement security controls on the systems they maintain and manage. My advice to you is to quit being the bad guy in your company, the feared colleague whom people give in to because they are terrified of what you might do. Instead, be the person others trust and value, the righthand person with the savvy and skills to make others look good as they move security forward. Ultimately, you will be acknowledged and valued for what you add to the company.

Fostering Special Relationships

The last items I’ll cover are special relationships your team will have with other groups outside IT and engineering, including legal, corporate audit, corporate security, and HR groups. These departments often have interactions with your InfoSec group that are not purely about protecting information assets. When these relationships are built on mutual respect and an interest in providing value to the company, these customer groups can become lifelines for your InfoSec team when things get tough. They’ll be the ones most vocal about your value.

Let’s face it: few IT groups will ever sing your praises openly. They don’t operate like that, and it’s not in their interest, they believe, to do so. If you’re honest about it, most security folks are much more technical than their IT counterparts. Our jobs require that we have the ability to go “anywhere” within the company. So continue to sing the praises of others who contribute to and make improvements in security. You’ll find you enjoy long-lasting relationships with those who traditionally were fearful of working with InfoSec.

Conclusion

The goal to building good working relationships is to have allies throughout the company who contribute to the InfoSec process and begin to own the security of their systems and data. If done sincerely and maintained as an annual goal on your road map, everyone wins, and you, as an InfoSec leader, will be fulfilling the purpose for which you were hired. Word will get out that you’re not seeking your own praise but quietly working with others to move the needle on security. Over time, respect and value will come your way. Put the interests of others first and see if it doesn’t work as I’ve found it does.