I posted the below on LinkedIn at the end of December 2024, actually forgot to post it on here, doh!
This year I’ve had a bunch of conversations with folks who are new to security or are already in it and want some advice / thoughts.
I did think about one of those 2024 Rewind posts, but I never rewound my Blockbuster videos when I returned them (sorry, not sorry), so I’m going for a pay it forward approach for those that might find it useful. More aimed at those new to the field.
- Networking within your organisation is going to help you achieve your objectives. Why? Because most* people will help you, especially if you also genuinely help folks without expecting anything in return. Nothing happens without building good relationships.
- You have to accept that some people will never accept what you propose. Why? Because this is part of organisational politics**. Typically, though not exclusively, this is based around legacy trust issues with the security department.
- Appreciate that finding where the security pain points are across your organisation and then addressing them is gold. Why? Because you need to think about minimising the burden of security for the user. People will take the path of least resistance to do their job. Think security user experience.
- Establishing a security champions network (or equivalent) is one of the cheapest*** ways to scale your security efforts. Why? Because when done properly they’ll be able to provide you with ground-up insight and help you identify those pain points.
- If you hear “users are the weakest links” said in a mocking and disparaging tone, then odds are that the folks saying it are actually the weakest links. Why? Because weak links. There’s a difference between someone being duped by a criminal and someone just being a weak link; typically no one is a weak link on purpose.
- If someone is duped by a phish and it brings the network down, that’s an engineering problem, not a user problem. Why? Because typically the average**** member of staff shouldn’t have the burden of security placed on them.
- It’s great to talk about “the why” of security but if you’re not also asking yourself “why are we still taking x approach” then your program is in status quo mode. Why? Because if you’re not introspective and adapting, you’re stagnating.
- Your internal communication / marketing team is one of your most important allies. Why? Because whatever global message you want to share across your business you should be getting their expert eye over it and asking them to fit it into their release calendar. Remember to give them plenty of notice.
- Sometimes the security culture within the security team is more of a problem than with the rest of the business. Why? Because getting people singing from the same hymn sheet is difficult. But one’s house must be sorted before you try and sort everyone else’s.
- If you’re creative enough and have the leeway you can build internal tools to test ideas before you go out to a vendor. Why? Because sometimes your internal tool is actually better than the vendor.
- Sometimes the smaller***** less known vendor is a smarter choice compared to the quadrant one. Why? Because agility and flexibility are key.
- Saying “Security is everyone’s responsibility” is easily said yet difficult to achieve. Be careful of the environmental context. Why? Because if you say this, you really need to be able to facilitate that responsibility.
- The basics / foundations of security are hard. Why? Because they compete with the basics of revenue and profit generation. We live in a ship it, sell it, make it live, make it available world. There’s always a trade off.
- Some environments where you might work will be compliance centric because of the nature of the business, this isn’t always a bad thing. Why? Because with the right mindset****** compliance can be the catalyst for innovation.
- If you say no, you should have an alternative or have a defensible and/or demonstrable reason why you are saying no. You should seek to understand the context and the other party’s perspective. Why? Because otherwise any trust you have built will be broken.
- A good exercise is to carry out a policy behaviour review. Why? Because policies have expected actions and behaviours of staff, though typically these aren’t highlighted in a simple and clear manner.
- Think of AI as assisting your intelligence (brainstorming, as a catalyst for learning something new) rather than the best thing since sliced bread. Why? Because there’s a lot of hype.
- Always be learning. Why? Because you can then position yourself where you want. The field is vast and you don’t have to stick to something that doesn’t interest you.
- Your wellbeing comes first. Why? Because it’s the foundation upon which everything else sits.
- Trust yourself. Why? Because you usually know; your gut tells you.
Be well folks, Happy New Year!
*Not everyone.
**There’s a lot of nuance around this and it would be Xmas 2050 by the time I finished.
***Your main investment here is going to be in time, specifically relationship building and management.
****Those outside of security and technology functions.
*****Some organisations will not have the appetite / capability to procure the lesser known ones.
******You’ll figure out very quickly if that mindset exists or not.