Tuesday, January 26, 2021

InfoSec Professionals vs The World

As InfoSec Professionals, we fight for Freedom and Justice!

We beat back the Forces of Evil that would do our Organizations harm!  And we fight for the End User!

We are Superheroes!


I've got news for you, folks...

The End User couldn't care less.  They just want to do their jobs without interruption by you and your "Cyber crap".

This is one of the most sobering things that a new person coming into the industry must face:  the lack of recognition and gratitude from those whom we help protect can be off-putting for those who aren't used to it (or even thrive on it, such as some of us do).

Indulge me in a bit of a backtrack in my own career... 


I joined the military to become a systems maintainer.  I spent nearly a year learning all manner of electronics and RF theory, before rolling into computer hardware, systems and network administration, and then end-to-end systems maintenance. 

Maintenance of anything, as it turns out, is one of the most thankless jobs anywhere.  

Luckily, my brothers and sisters already doing the job prepared me well for this by making sure my skin was sufficiently thick to...well...not give a damn what the End User thought.  

This is almost exactly what new InfoSec Professionals need to internalize, with some...modifications.

Admittedly, the military I grew up in was at war.  War is difficult, uncomfortable, and raw.  Most InfoSec professionals will, thankfully, never have to experience that.

Instead of "not giving a damn" what the End User thinks, an InfoSec professional MUST care.  But, they must also be prepared to receive little thanks and adulation.

A military maintenance professional has a lot of established doctrine and technical manuals to rely on, and those standards can be a backstop to any potential issue that can arise from a conflict.  That sort of doctrine doesn't hold any weight in a commercial context.

What does the End User care about the NIST Cybersecurity Framework?  NOTHING!  The End User just wants to do their job, and you had better not get in their way!

So, how do we relate our passion and desire for security to our End Users?

InfoSec professionals need to keep the satisfaction of the End User in mind.  We are responsible to our organizations, which are made up of these End Users.  Somehow, we need to make it work.

We tend to point to models like the "CIA Triad" as a basis for a secure operational model in InfoSec.  This is a great model, as it is simple to describe and relate to.  However, it's important to fully grasp exactly who values which part of the triad...


Think about it...what does the End User care about, above all else?

Availability.  They want the system Available to them at all times, bottom line.

If the system is Available, the End User can continue to do their job.


But where does that leave Confidentiality and Integrity?

It leaves them in our care, as InfoSec professionals.

We need to understand the motivations of those folks who support the business, because we support these people.  They are the End Users, and they are the reason why we have an organization to support.  Whatever is important to them needs to be taken into account when we formulate action plans.  

If we embrace Availability as a necessity we share with our End Users, and then incorporate Confidentiality and Integrity in a way that enables Availability rather than obstructing it, the End Users will be all for it.  For instance, if we can show how two-factor authentication enables Availability by protecting Confidentiality and Integrity, our End Users are more likely to accept it.

Ultimately, if we can demonstrate shared values and understanding of what is important to the business, we will face far fewer challenges to our security mission.  And then, maybe, you won't have to worry so much about how thankless our job is.
