Chapter 4. Step 1: Cultivate Relationships
Now that you’ve had a peek at the seven steps to building an InfoSec program, I want to dive into the details of each step. Step 1 focuses on building good working relationships. Keep in mind that relationships, although the focus of this step, are at the core of each of the seven steps. As you move through each step, your effectiveness will largely result from a continual focus on relationships.
As you start to work through the steps, I suggest you adopt the mindset to put others and their interests above your own. This may seem counterintuitive and career ending, but it’s not. It’s about playing “long ball” and understanding that others will embrace security to the extent you honor and respect them as colleagues. I’ve said it many times and will say it again here: your job begins and ends with relationships.
For every brick I lay building the InfoSec program, I want the names of others etched into them. I want to give others credit as much as possible. I don’t need my name on any of them. Amplify the contributions of others. Diminish your own. This is the beginning of good working relationships.
Focusing on relationships isn’t about giving up control, or selling out the program or the company. Quite the contrary. You’re in a way recruiting and quietly deputizing others into your “extended security team.” They don’t realize it, but you are. You’re aligning your actions with your belief that the only way to secure the company’s information assets is to have everyone involved and doing their part. Without others involved, you don’t stand a chance. As I’ve said, I call this the neighborhood watch, and it all begins and ends with relationships.
Caution: The Nature of Our Work
Every InfoSec leader must be careful about how they go about executing their duties. I’ve learned over the years that it’s not only the work that InfoSec does, but how we go about doing it, that can create friction between our team and others.
InfoSec, by the very nature of its work, discovers “stuff” that is often incriminating to someone in IT or engineering. The findings often shed light on someone’s failure to do their job properly.
When InfoSec gets its hands on information of this nature, it must be handled delicately. If not, InfoSec can be put in the position of “professional finger-pointing.” When this happens, InfoSec bears the responsibility for professionally shaming other groups, and possibly creating a foe for life. Be careful. Nothing will cause more damage to your working relationships than to expose the poor security practices of your colleagues.
Take, for example, what happens when our InfoSec team scans the network for vulnerabilities. Although this is valuable information for the security of the organization, the way we present the findings will make or break our relationship with the network services team. Usually, the InfoSec team reports its findings to the network services team and its leadership. The findings are received and viewed by the network services team as “bad news,” and a subtle and quietly antagonistic relationship has been planted. The findings expose the fact, in front of network services management, that the network engineers aren’t maintaining their systems in accordance with company security policy.
Talk about a way to endear yourself to other teams. Try this a couple of times. You’ll quickly find you have no friends at all.
It’s a vicious cycle. System owners will refer to the scanning procedure conducted by InfoSec as “friendly fire,” and view the InfoSec team as threatening their professional capabilities. InfoSec team members, on the other hand, are just trying to do their job and secure company assets.
To solve this situation, I suggest that your team administer the vulnerability management service but require, through policy, that the system owners (in this case, network services) scan their own systems and do with the results as they see appropriate. I suggest you and your team get out of the business of scanning other people’s systems and code, except during a time of crisis, such as a security incident. Let the system owners have full control over managing the vulnerabilities impacting their systems. As the service owner, you can always see their progress via the tool you administer.
Get out of the business of bringing forth data on other teams. It can only lead to tension and animosity. And it’s not good for building solid working relationships.
I’ve seen the all-too-familiar scenario of InfoSec team members working in an atmosphere of animosity with others in the organization, especially their IT and engineering brethren, because the InfoSec team failed to keep relationships as the top priority of its agenda. When this happens, the organization begins to develop “antibodies” against the InfoSec team, and if the trend isn’t quickly dealt with, your days can be numbered.
Most, if not all, InfoSec teams carry out their duties with the best of intentions. But it’s the nature of our work and the way we go about delivering our findings that often sets us up for failure. I’ve referred to our positions as “radiologists” since we see everything happening in our environment, and it is our job to hold up the x-ray for the patient to see their “state of health.” Our job produces the x-ray, and we should offer an opinion or recommendation if asked to do so. When I bring the x-ray forward and present it, I provide the patient with good data and let them decide how they want to respond to what the x-ray shows. Usually it shows that someone hasn’t done their job properly, and if you’re not careful, you run the risk of alienating a colleague forever.
The InfoSec team operates in this natural conundrum: being the group that should help the company protect its most valuable assets while also being the group that sees everything happening “on the wire.” Harmony between InfoSec and its client groups in IT and engineering can be elusive, especially if you don’t keep relationships a top priority for you and your team.
Creating a foundation of solid relationships is at the core of achieving real InfoSec. Without good working relationships, none of the other steps for building a security program will be effective, and most will be next to impossible to achieve. Relationships centered on listening and valuing the contributions of others will reap security rewards beyond any investment in technology or staff. In fact, establishing and maintaining good working relationships, whatever the cost, is the most important achievement that a security group can accomplish. Without them, you’re doomed to failure. You may for a while run under “the cover” of your executive, but without these relationships, a reckoning will come.
Making Relationships a Top Priority
Among the InfoSec teams I’ve managed, I always maintain a team goal that we spend 25% of our time devoted to activities that establish and maintain good working relationships. That’s right, 25% of our time. It’s that important to me, and the payoff is that great.
I make it a habit to meet with the other InfoSec teams in my local business area over hosted two-hour lunches. I invite the CISO and their direct reports to meet and discuss leading practices. We do this to learn from others and compare our program against theirs. We seldom meet other teams that give much time to building relationships. These InfoSec teams from other companies assume that their colleagues share their views on security. My experience is that others don’t. For this reason, we formalize relationship building, and place it at the top of our priority list and staff goals each year. I cannot overemphasize the importance of making relationships the bedrock of your security group.
Over the years, some of my team members have initially resisted placing so much emphasis on relationship building. They argue it’s a waste of time and takes them away from the meaningful work of InfoSec engineering. Their experience and education taught them that security was the result of deploying good technologies, and not hosting lunches.
I’ve heard all the excuses over the years, but none hold up in the court of reason and experience. It doesn’t take long for the complaining to subside. Staff members who stick around for a few months see the benefits almost immediately. The arguments against relationship building stop quickly, and it becomes a self-propagating process as team members sell its value to other team members.
Today, no one I work with questions its value. Everyone sees it as a top priority. In fact, I could probably leave it off staff members’ goals, and the team members would still perform the relationship-building activities out of habit. It’s also interesting that the senior people on the team realize that good working relationships make their jobs and the jobs of others on the team much easier. Relationships are that important, and they’ve become part of our team’s DNA.
Your Program Will Be Only as Good as Your Relationships
Relationships are birthed and matured by spending time with people. I’ve learned that no one will willingly move in the direction of security without being led to do so. To move the organization toward improved security, the InfoSec team must take the initiative and connect with other teams. As a result of this focus, don’t be surprised if you have 30 to 45 recurring meetings with individuals or groups across the company. This is a good practice.
These meetings vary in content and frequency, but they provide a forum for ongoing communication and security education. Almost always, our introductory meeting is over lunch, and typically limited to 10 to 12 people. If the group is much larger, you lose the intimacy you need to get to know people. We always have opening questions teed up as icebreakers to get the conversation started. However, rule number one for this first meeting is that we’re not allowed to initiate anything about security unless they do. We stick with the “just get to know them” approach.
One of the groups we meet with regularly is the legal team. So much of InfoSec’s work supports the legal team that rarely does a week go by that we don’t come together. Staff investigations, for example, are often a topic. We present the status of our current findings and allow them to ask questions about our forensic activities. This involves dialogue about next steps and what can be done in the investigation. These meetings don’t always stay on the topic of investigations, but inevitably will shift to other security topics.
In our relationship with the legal team members, we’ve often gone beyond our normal services to make them aware of what our department can do to remedy certain situations they confront. For example, the attorneys were told by their IT support team that severance packages were stored in a “secure location” so that only a handful of attorneys could read them. After learning this, we offered to verify that this was, in fact, the case. With their approval, we crawled some network file shares, and voila, we emailed them some of the recently issued severance packages. All in cleartext. Needless to say, the files were simply in a hidden file share, with no password protections or encryption. The attorneys were shocked at our findings.
The good news was that our team offered solutions that were an easy remedy to their situation. Letting departments know where their vulnerabilities lie and what your team can do to help can be tricky. But if you’re not on a witch hunt, and bring the issues up collaboratively and respectfully, then you’re almost always guaranteed to succeed. In my experience, the prior relationships I developed through my meetings made the process go smoothly in these cases. And it takes only a couple of these types of events for your customer groups to become valuable supporters of your team’s efforts.
Relationships Aren’t Sexy
One of the difficulties InfoSec leaders face in prioritizing the value of relationships is that, among security types, relationships just aren’t as sexy as engineering work. No one is talking about relationships at conferences. Understanding social interactions isn’t the work that draws IT security people into their fields, or techies into the IT field.
Building relationships involves connecting with people where they are, establishing a working rapport, and finding common ground. It means understanding the workload of the people you serve and being sensitive to their concerns around the systems and data they support and protect. This is not work that comes naturally to someone who has spent their education and career immersed in understanding technology. So as you look to add people to your team, it would help to have people skills at the top of the list.
Hiring Staff with Relationships in Mind
Ask yourself: how highly does your InfoSec team value relationships? When you think about the kind of candidates you hire, what characteristics do you look for? I screen for very technical candidates with engineering degrees. That being said, a close second is interpersonal skills. I look for people who are self-aware and express an understanding of the value of good working relationships. I value these skills more than any certification, accomplishment, experience, or credential that illustrates a candidate’s ability as an engineer.
Some time ago, I noticed that all our interview efforts targeted technically competent candidates. These candidates were passionate about securing systems and believed that security was doing a great service for the company. But many of the candidates lacked good interpersonal skills. Communication and interpersonal skills weren’t on the list of requirements for the position. This was an oversight. We needed team members with the ability to communicate well, and who would value maintaining good working relationships while they worked through the issues of solving security problems.
My belief was solidified time and again when I saw friction between my team and other teams. Differences and disputes over InfoSec solutions that end in ill feelings aren’t worth the price of good relationships. Avoid them.
Often the security requirements placed on projects are too difficult for the project team to implement, or there are too many to fit into the project timeline. The security requirements can involve technologies and processes that IT people are unfamiliar with, which can often leave an IT professional feeling threatened or with a belief that their project will be late. Without the relational skills to navigate this exchange, our InfoSec staff began what seemed like an endless pushing and shoving match. Our staff needed to be willing to compromise on their demands for security while building an environment of trust and mutual respect. After all, the sky is not falling, most systems are not being “owned,” and data isn’t walking out the door the way the security technology vendors would lead you to believe.
I suggest avoiding a contentious environment at all costs. Its price is far too high and will debilitate any healthy organization. Once relationships have been ruined, they’re difficult to restore. Once respect is lost and animosity seeps in, the inevitable downhill cycle sets in. This cycle is hard to break and is the beginning of the end for most InfoSec leaders. The seven-step process for building an InfoSec program is based upon relationships.
Building Strong Relationships: It Takes a Plan
Building strong working relationships doesn’t come easy. It doesn’t happen naturally and requires deliberate steps to achieve, especially because most members of your team are probably a bit asocial. Good working relationships take a long time to cultivate, so when you get started, don’t assume that one lap around the relationship track will get you in top physical shape. It’s a marathon, not a sprint. Stay the course. Apply pressure to your team to stay with it. If they elect not to, then they’ve opted out. They’ve made the choice to not be a part of something new.
I suggest you get started with weekly lunches with other technology groups. These are cheap and easy, and food provides a great setting for casual conversations. Try to keep the gatherings to fewer than 15 people. Don’t set an agenda. Allow for introductions and everyone to share their favorite movie, Netflix series, hobby, or weekend activity they enjoy. By the time the second person shares, others will be chiming in, and now you’re off.
Once this happens, the meeting will take on a whole new life. If the meeting comes around the table and reaches you, the leader, I suggest you share your favorite Netflix series as well, but also take a moment to highlight some of the dumb things you and the team have done. Be transparent. We’re all human and prone to mistakes, so be the first to admit that and watch how others will follow.
Don’t stop at lunches. I’ve taken groups bowling over lunch or to movies after lunch. Getting people away from work to get to know each other will go a long way to building bridges between your team and other departments.
Understanding the Value of Listening
In meetings you have with other groups, it’s important that you and your staff listen first. I try to hire good communicators and then coach them on the value of listening to others. To be a good communicator, you must be a good listener.
I approach most of our meetings with the intent of not saying much, and preferably nothing at all. In fact, I’ve found that just showing up to a meeting makes others in the room think about security more than they would have otherwise. Many times when I’ve participated in meetings, someone will look down the table at me and say to the group, “Oh yeah, we also have to think about the security of this system.” And I haven’t said a word.
It’s important that you model good listening skills and conversation practices for your staff—simple things, such as never interrupt and never complete another’s sentence. Let others talk as long as they want. Ask a lot of questions and listen to the answers. Listen to staff members’ suggested solutions. Try to understand. Everyone wants to be respected, so respect their contributions. Don’t be a know-it-all.
It’s also important to remember that most of us work among people who are just like us: they long to be valued, to be accepted, and to be validated by their contribution at work. No one wakes up in the morning and looks in the mirror and says, “I think I’ll go to work today and screw everything up.” Quite the contrary—everyone wants to be successful. A little patience and kindness goes a long way. Try listening first before you speak. You’ll be amazed at how it works.
Reaping the Benefits of Relationships: Teamwork
One of the outcomes of building strong relationships among the InfoSec staff and other IT staff is the sense of teamwork it provides. No longer is InfoSec the department everyone despises or fears. If you keep relationships at the core of your program, by the time you work through the steps I’ve outlined, your InfoSec department will have the reputation for being a collaborative partner and a team others can trust. The benefits that come from being a team player will be surprising.
Nowhere was this more telling than in the process I followed for our first penetration test (pentest). Typically, these exercises can be equated to an attack on the network services team. That team owns the network, and one portion of the pentest is focused on discovering the vulnerabilities in these systems. Knowing this, the network services team waits in fearful anticipation of the findings, often delivered in front of their management.
If you follow the normal process, the process considered a best practice, it’s a no-win game for everyone. The InfoSec team delivers “bad” news in the form of the assessment findings. Because the performance of the network services team is scrutinized, that team finds itself in a defensive mode. After surviving the assessment/audit, they spend a good deal of time plotting their retaliation against the InfoSec team. At a minimum, they certainly aren’t going to cooperate with InfoSec going forward.
To avoid this situation, I decided to conduct a pentest that kept relationship building as its central focus, above the actual results of the test itself. If you build good relationships early on, you’ll find that future pentests are performed by the network services team in a manner more aggressive than I ever would have imagined. So on this first test, I decided we would turn over the findings to the network services team as they were discovered, and not wait until the end of the audit and present them in a public forum. I also decided that the assessment process would be done in collaboration with the network services team, from the creation of the statement of work (SoW) through to final report and presentation.
At every step in the process, the network services team was at the table participating in the decisions and daily updates. Nothing took place in the audit that the team wasn’t a part of. The outcome of approaching the audit in this fashion was that most of the findings were remediated before the final report was issued. When the final results were presented to management, it was little more than a formality, and the InfoSec team was all too happy to report that the network services team had already remediated all of the findings. Win-win.
My goal was to make that final presentation good news, by making sure it did not contain any unremediated findings. The report needed to reflect the discoveries, and the fact that the network services team immediately worked to fix any exposures that were found. I believed this process would create a win for everyone.
When we tried it, it was hugely successful. The CIO even noticed the change. When the final report was delivered, not one single finding was in need of remediation. The network services team members were ecstatic as well. We hadn’t thrown mud in their faces, and they wondered what kind of evil we must be plotting to have let this audit opportunity go. But there was no evil intent, just a desire to do the right thing, improve the security of the environment, and build relationships in the process.
One of the unintended outcomes of following this process surfaced the next time we conducted a pentest. The network services team learned that we had limited the audit findings to only one high-risk item, and asked that we perform a more comprehensive look. Not a bad turnaround.
We still follow this protocol for our pentests today. And what makes it so successful is that we keep relationships at the core of the process. We conduct the test as if we were members of the network services team, doing to them what we’d want done to us. We also have to keep in mind that there will be many more pentests and interactions with the network services teams.
Contention won’t foster the relationships needed to work together and will be counterproductive to getting the work done. An InfoSec department that values and pursues relationships in all its work gains trust from other departments by the value and respect it extends to its colleagues.
As you will learn in the next chapter, security is never about implementing security controls that meet our expectations. Let’s be honest: most groups will fall short of the level of security you and your team would like to see. The victory for the company is that today they’re implementing their own security controls. Hopefully, tomorrow they’ll revisit them and increase their security posture.
We strive for incremental progress, while supporting the business. We invest in relationships because, ultimately, we need to rely on others to implement security controls on the systems they maintain and manage. My advice to you is to quit being the bad guy in your company, the feared colleague whom people give in to because they are terrified of what you might do. Instead, be the person others trust and value, the right-hand person with the savvy and skills to make others look good as they move security forward. Ultimately, you will be acknowledged and valued for what you add to the company.
Fostering Special Relationships
The last items I’ll cover are special relationships your team will have with other groups outside IT and engineering, including legal, corporate audit, corporate security, and HR groups. These departments often have interactions with your InfoSec group that are not purely about protecting information assets. When these relationships are built on mutual respect and an interest in providing value to the company, these customer groups can become lifelines for your InfoSec team when things get tough. They’ll be the ones most vocal about your value.
Let’s face it: few IT groups will ever sing your praises openly. They don’t operate like that, and it’s not in their interest, they believe, to do so. If you’re honest about it, most security folks are much more technical than their IT counterparts. Our jobs require that we have the ability to go “anywhere” within the company. So continue to sing the praises of others who contribute to and make improvements in security. You’ll find you enjoy long-lasting relationships with those who traditionally were fearful of working with InfoSec.
The corporate group that becomes the strongest defender and supporter of the InfoSec team is most often the legal department. Many times over the years, our InfoSec team has done the computer detective work to support the legal department’s litigation efforts. Computer forensics is part of the InfoSec resume. But how thoroughly and how quickly the information is received, and how useful it is, can make all the difference for their case. Make sure this support function is performed promptly and flawlessly.
We had a case that involved a staff lawsuit in which the employee had sued the company for several million dollars in damages. The case floundered, and the rumor was we were on the verge of losing. One of our team members who wasn’t involved in the case jumped in to help. As they did more digging and playing with the technologies, it became apparent that our forensic work hadn’t been quite what it should have been. We found that the systems in question did keep sufficient logs of their activity, and we had evidence that the employee hadn’t connected to the network as often as they claimed. Slowly the attorneys assigned to the case became more encouraged, and more time was given to us to dig deeper into the systems and log analysis to re-create events involving this staff member. After a few more days, and many hours of log analysis, it was evident that this ex-staff member had fabricated their entire claim. They weren’t terminated wrongfully, and the company won the case. The amount of political capital that came our way was tremendous.
The corporate audit team is another group where good relationships can help to further the InfoSec program within the company. If leveraged effectively, the audit team can be useful to your cause of protecting information assets, and for targeting those systems that lag from a security perspective. If the relationship with the audit department is poor, the InfoSec process itself suffers, and the company as a whole loses.
One of my predecessors used the audit department as a stick, wielding it to promote their own interests and obtain more resources, control, and power. There’s a reason they aren’t with the company anymore. This is not the proper relationship. Nor is it a good idea to use the audit staff to beat your fellow IT teammates. In my relational model of InfoSec, I continually develop my relationships with customer groups by meeting, listening, and providing what they need to be effective in the work they do, all in the hope of inserting a little more security within their processes.
Most IT auditors don’t know that much about InfoSec. They’re auditors first and usually have limited knowledge of the InfoSec space, other than what they’ve gleaned from an ISACA website. Even those who have worked in IT previously have a working knowledge of IT that is rudimentary at best. The good ones acknowledge this.
Throughout my years, I’ve met only one IT auditor who knew how to work with InfoSec. Before the annual audit plan was finalized, they would make it a habit to ask me to identify those areas of IT to be audited in the coming year. This gave our team the opportunity to steer the auditor toward areas of IT that weren’t pulling their weight with regards to security controls. I found this to be hugely beneficial for the InfoSec process, because the audit department has special powers to influence people and change.
If you ever get to this type of relationship with the corporate audit team, you’ve arrived. I write more about the audit team in Chapter 12, as I focus on an audit gone wrong, run the wrong way, with the wrong focus. In these cases, an audit tends to do more harm than good and can be a complete waste of time.
Corporate security is another customer group that can pay big dividends for InfoSec. Prior police officers or ex-military types often lead this group. They usually own some systems that control the badge systems, or the surveillance cameras around the facilities. Sometimes corporate investigations are managed from this group. So, they often rely on the computer forensic capabilities that lie within the InfoSec team. An InfoSec team would be wise to ensure that this relationship is sound. These folks tend to be vocal for good or bad.
If the support they get from the InfoSec team is lousy, they’ll let everyone know. If it’s good, they’ll be equally vocal advocates. So, treat this group well. Make sure they get all they need. I’d even devote some of your staff to this group so that when the need arises, resources are standing by.
Human resources is another internal client that should be kept close. This is usually a large group across the company. I’ve found that one way to build the relationship is through staff presentations. Good dialogue between HR and your team will spring from presenting good data useful to the HR team members. They have difficult jobs.
Assisting them with navigating the InfoSec rules and how they apply to staff members can be a big help to them. For example, when does use of the internet become a policy violation? How much use of corporate email for personal reasons is excessive? What are the risks of instant messenger tools? When does the equipment provided for home office use get used in ways that are a violation of policy? What are the steps to be taken for the staff member who continually fails our phishing tests? This information can be helpful to them, and your group benefits as well. A well-trained HR person is worth their weight in gold.
One activity I found to be extremely useful with all these special groups was something I modeled after ESPN’s SportsCenter “Did You Know” segment. I would invite members from these various groups to join me for lunch, and during the lunch I’d present the latest end-user trends in computing and their associated risks. So items like the use of Slack by staff members, trends in Facebook, malicious use of iPhones, web-based email, and the Dark Net would be topics for presentation and discussion. The first time, I was amazed at the response of those who attended. I had hoped to do it again in a few months, but they demanded we meet monthly. I wasn’t sure whether the information benefited them at work, or at home with their families. In either case, I was educating my customers, and the company benefited. This was all I cared about.
The goal of building good working relationships is to have allies throughout the company who contribute to the InfoSec process and begin to own the security of their systems and data. If done sincerely and maintained as an annual goal on your road map, everyone wins, and you, as an InfoSec leader, will be fulfilling the purpose for which you were hired. Word will get out that you’re not seeking your own praise but quietly working with others to move the needle on security. Over time, respect and value will come your way. Put the interests of others first and see if it doesn’t work as I’ve found it does.