Security professionals do a lot of things right. They gain any number of certifications to prove they know what they know, and can do what they can do. They can assess, plan, and implement any number of security technologies as part of the mission to protect networks and information. But they are by no means perfect.
Security pros make mistakes just like everyone else. But they aren’t necessarily technical. Instead, they often lie in how they interact, communicate, and observe the actions of others and interpret them within the context of their own mindsets.
Perhaps the security community could learn a thing or two from their own healthcare providers and consider approaching security through a wellness model. According to the National Wellness Institute, “wellness is multidimensional and holistic, encompassing lifestyle, mental and spiritual well-being, and the environment.” The model surrounding wellness is essentially a conscious effort to help an individual become self-directed to achieve their healthiest state, based on awareness and choice.
Wellness programs at the workplace can include lunchtime walk teams or heart healthy cooking classes. As a result of active participation you may expect to take fewer medications, see the doctor less often, and even avoid the operating room down the road. In this respect the same holds true in security. If you are security-aware, that’s half the battle. Security pros are glad to keep you safe and self-governed. And they won’t complain if that requires less of their time and budget.
Let the wellness model trickle in to your daily work life and you may very well find you understand your customers and constituents better. You may also make fewer mistakes, like these four in particular:
#1 You underestimate complexity.
A wellness model is about making incremental changes to your lifestyle that are by and large agreeable to you. If you have high cholesterol, sure, we can throw medication at the problem but we should probably deal with it first by analyzing what you eat and consider some appealing options to make some changes stick.
As a security pro, you see a large number employees casually clicking on links within phishing emails. It’s second nature to apply controls like strong authentication to stop the problem. But if you were to look at the phishing problem through a wellness model, you may first consider security awareness programs to help users understand what a phishing email looks like to avoid clicking on a nefarious link. We often underestimate the complexity in people.
Doctors sometimes have this issue too. Let’s say you have a health issue that would get easier to manage if you lost 20 pounds. Just because the prescription is simple (“Just lose weight.”) doesn’t mean that it will happen.
Same goes when a security pro says “Just manage your network inventory.” Even though the answer seems simple enough, the orchestration of it is actually much more complex and difficult. Not everybody is in a position to manage inventory as you may think they should be, so try a different approach.
#2 You find it hard to relate.
It is hard for security pro to capture the mindset of a person in terms of how they interact with technology. We exist in a “security first” kind of world. As realistic as that may seem when your job is protecting information and even people, it is not going to always get you where you need to be because others’ minds are not in the same place as yours.
We have a warped sense of normalcy as security professionals. We live and breathe security. We find it interesting. The reality is that not many people find it that interesting.
If you find yourself in a meeting and are about to say something that starts with “from a security perspective…”, that should be a red flag or warning bell. You need to be able to phrase what you say outside of your own perspective and apply it to what needs to be done. That’s a much more powerful approach.
#3 You don’t listen well enough.
You learn about a problem that’s not terribly new. There’s an unpatched server attached to the network. You know already know how to fix it. No discussion needed, except perhaps an eyeroll. But have you really listened well enough to the point where you have a solid diagnosis? Perhaps not.
Find patience to better understand the underlying root cause. What failed down the line that led to server not getting enough attention? You’ve easily thought of the technology and people part of the problem, but is there a gap in process that you may have missed? Start thinking along these lines and you may find a larger issue that, once solved, will lead to fewer unpatched servers.
#4 You are not clear enough.
Security pros are naturally quite skilled at documenting security requirements, controls or policy. Sometimes our expectations exceed what we are providing in the first place. For example, your doctor wouldn’t expect your infection to heal properly if she simply said “Take this medication”, right? Without knowing how many pills to take each day, at what times, or before or after meals, a very effective medication could end up becoming useless. Or worse, harmful.
If you want to have a very specific outcome you need to very specifically guide people there. The more time you spend documenting steps the less time you will spend fixing mistakes that didn’t need to happen in the first place.
Communication is a two way street. Our job is to make sure we are received. And if that means adjusting our own mindsets a little bit towards the altruistic and away from the judgmental, then we may all be the better for it at the end.