Information Security: A different sort of IT

(Post 12 of the 12-week Information Security Management blog series)

Information security is unlike other information technology disciplines. Most others require the professional to be proficient and knowledgeable in their own area of expertise, whether that is software development, networking, databases, server administration, client administration, or one of a plethora of other niche specialties. For the typical IT pro, it is perfectly acceptable to be socially awkward and unable to communicate effectively with other human beings. It is also completely acceptable for most IT pros to have little understanding of how their organization operates beyond the technical systems they are responsible for managing.

The Master

For those of us who work in cybersecurity, the standard is completely different. First, it is critical that security professionals be more than familiar with every aspect of technology. Even if information security managers do not know a great deal about a particular technology, the expectation is that they know it at least as well as those who specialize in that area of IT. They must understand how everything works: how software and hardware interact with each other. Cybersecurity professionals must understand how machines communicate with each other and how those communications flow through a network. It is very difficult to understand threats to a technology if that technology is not first clearly understood. Because security involves all IT that an organization uses or could potentially use, cybersecurity professionals must strive to continually learn each and every existing and emerging technology available.

The Teacher

Information security managers have the unique challenge of advising business leaders on how to address risk within their organizations. My experience has shown me that people like to believe they are safe already, even other IT professionals. Cybersecurity professionals can easily gain a reputation for simply being paranoid. My peers and I call this a “red pill job”, in reference to the 1999 Wachowski brothers’ movie, The Matrix. One could also paraphrase a common theme of the 1961 Joseph Heller novel, Catch-22, to describe what we do: if I didn’t know it to be true, I wouldn’t believe it either. While it may be partially true that someone who spends all their time analyzing threats and vulnerabilities becomes less willing to accept risk, cybersecurity operates on known, well-researched facts and solid statistical data, much like the insurance industry, not on speculation and paranoia.

The burden falls on information security managers to educate their senior leadership on all things security. To do this, the information security manager must have a clear understanding of what makes their own organization tick. They must understand the business structure and the organization’s priorities, be familiar with its assets and business dependencies, and have the trust of their senior leaders. Cybersecurity professionals must be able to communicate clearly with business leaders in terms that those leaders understand. A security manager is charged with protecting information, information systems, critical resources, and the organization’s ability to survive disaster. They cannot do this effectively without being able to articulate to business leaders what they understand about risk and its potential impacts on the business, and then use that knowledge to convince leaders to make decisions in the best interest of security and the organization.

Just Your Friendly Neighborhood Security Manager

Having worked in the government sector and knowing how hard it is to help leaders embrace security even when they are required to do so by federal law, I recognize that it can be even more challenging to educate and help those for whom security is entirely optional. My entire purpose for writing this series, and for keeping and managing this entire site, is simply to educate local businesses and try to make all of our communities just a little safer.

Throughout this blog series, I introduced the concept of cybersecurity and how it benefits overall business security, risk concepts, specific threats to small business, a tool for managing security, how to use project management with security, options for addressing risk, and the importance of leadership support for security. While this is not an all-inclusive, or even very detailed, guide to starting and managing an information security program, my hope is that it is enough to help some leaders better understand their own need for cybersecurity and see that it is not out of their grasp simply because their budget might be tight.


About Dustin Wilson

I have been working professionally in Cybersecurity since 2011. I earned my A.A.S. in Computer Science, a B.S. in Cybersecurity, and am currently working on a M.S. in Cybersecurity. Prior to working in this field, I was a computer programmer for nine years.
