I connect with many great minds in cybersecurity on Twitter. I learn so much from them every day. In the Security Bytes series, I share senior security professional’s most savvy advice. Some wished to use their real names, others preferred to stay anonymous. But they all shared tips that are seriously worthy of your consideration.
The question:
What’s the best decision you’ve ever made as a senior cybersecurity professional?
Learning to influence the C-Suite
For two CISOs (Chief Information Security Officers), joining the C-Suite and positively influencing their peers helped them to achieve their goals.
Accidental CISO
“Accepting the role in the first place. The idea was terrifying to me, and I honestly didn’t think I could do it. I’ve had such a huge impact on my company. My work to build and certify the security program paved the way for us to land major enterprise deals.”
Patrick C. Miller, CISO, Archer International
“I stopped using the word ‘security’ in executive discussions. Instead, I use risk management terms.”
It’s a topic Patrick talked about at Kaspersky Industrial Cybersecurity 2019 conference and a very good point. If CISOs and technical professionals want to influence the C-Suite, they must learn to speak their language. And talking money – the financial costs of all possible cyberattacks – is usually a good starting point for discussing risk management. Executives are more likely to care about security hardening if they realize how much money their companies could lose from cyberattacks and the related reputational damage.
Knowing your limits
Knowing which responsibilities you can handle, and which you can’t, is an important factor in your success as a cybersecurity professional.
“Hiring people smarter than me. Early on in my career, I watched managers and leaders who prided themselves on believing they were the smartest person in the room. I made note of what not to do. When I got the chance to build a team, I made the conscious decision to hire people who I knew I could learn from, who had better technical experience than me, and for whom personal growth was important.”
Joonatan Kauppi, founder, Leijona Security
“I recommended a competitor when a potential client requested a service that my company didn’t offer. Because improving our clients’ infosec is ultimately more important than improving our revenue.”
Beto on Security
“Dumping a toxic client.”
‘Nick’
“Learning to say no and sticking to just one job. I kept taking on extra contract work or even trying to work two jobs full-time, and found that I ended up failing at both of them.”
Lars Karlslund, founder, NetSection Security
“Trusting yourself enough to say no when it felt right.”
Troy Blake, PCI compliance and cybersecurity expert
“Focus on simplicity over complexity. Utilize products 100 percent before you add another tool to the cybersecurity environment. It makes management, maintenance and training so much easier – and it saves the company money.”
Henrik Klimatosse Kramshoej, “internet samurai”
“I never compromise my integrity. I lost a well-paid job because they made me set approximately 4,200 logins across 48 servers back to ‘passw0rd’ because locking them caused too many support issues.”
Ouch! Don’t rile cybersecurity professionals. They know how best to handle your business’s precious data.
Doing things your own way
Some cybersecurity professionals work best when they can make their own decisions and take charge.
Magda Chelly, founder of Responsible Cyber
“I went on my own journey with Responsible Cyber and stopped contracts by choice (optional work opportunities). I now delegate to my employees more and more.”
“The best professional decision I made was to move to Bonaire (a Caribbean island) and consult. I wake up every morning and feel very fortunate to be able to live here.”
Lisa Ventura, founder, UK Cyber Security Association
“Founding the UK Cyber Security Association and becoming a writer, blogger, influencer and keynote speaker in the cybersecurity industry. I have never been happier and I love what I do.”
Melanie Ensign, security and privacy communications, Uber
“Work for a cause, not a company. This makes it easier to find the right opportunity or walk away if it’s not right for you.”
Richard Greenberg, IT security evangelist
“Accepting a position when I had just barely qualified was an intense but amazing learning experience. I learned so much and it gave me confidence for my future endeavors. Push your envelope!”
Sameep Agarwal, former cybersecurity specialist
“The best decision I made was to interact positively with everyone I met. I speak my mind and convey my message without mincing my words.”
It’s malware!, malware researcher
“Talk about salaries with co-workers. Don’t let a company get away with unequal pay for anyone. And pay people for work, even if you’re a start-up.”
That’s sound advice. I agree with discussing money openly because it benefits workers.
Professionalism matters
Soft skills, like having a professional demeanor and being motivated to do your best, are critical for a successful cybersecurity career.
Vandana Verma, security architect at IBM
“Keep calm and be friends with the dev team!”
“Focusing on customer success and delivering fantastic services that aren’t just run of the mill. Deliver the best that you can.”
Richard Cardona, product security maven, Electronic Frontier Foundation
“Funnel customer vulnerability reports through support, but demonstrate how unaudited scans are full of false positives. For anything in question, escalate to appsec.”
Perhaps penetration testing relies on automation too much.
There’s always room for self-improvement
One thing’s for sure in your infosec career: you’re always going to need to continue learning.
M’hirsi Hamza, cybersecurity analyst, Barac.io
“Never hesitate to try to learn new things, even if it isn’t in your immediate field. If you understand what different teams do in your company, you can better understand what outputs you need to deliver.”
Justin Ruth, security researcher
“Putting myself through the OSCP (Offensive Security Certified Professional certification) – never be afraid to invest in yourself.”
Battisto, security enthusiast
“Spending a year as a helpdesk tech, then two years as a sys admin before getting into security. The best security practitioners need a good understanding of how networks function before they can learn to secure them.”
Experience counts. Be curious about everything.
Making a difficult decision
Sometimes decisions are difficult to make. Sometimes other people in your organization will resist a necessary change. These cyber-pros made difficult choices that worked out for the best.
NicoladiaZ, infosec consultant, Reporters Sans Frontieres
“Switching from Windows clients to Linux. It was a good decision regarding the users’ needs but it demanded strong political support and dis-learning capacities on behalf of end-users.”
It’s tough to break old habits. Sometimes you need to be assertive if there’s a good reason to switch vendors.
Shelly Kramer, CEO, V3 Broadsuite
“Convincing clients to go ‘all in’ on employee awareness training on a regular basis. Given the monumental phishing problem for corporate cybersecurity, employee training is always worth the investment.”
“Joe Schlmoe”
“I had to set up a security compliance team at a division of a Fortune 500 company. Dev folks resisted our efforts. The answer came to me after some weeks. I told the principals in a meeting that unless we all embraced security compliance testing, we were letting our customers down by possibly releasing a sub-par product to our customers. That took root, and within a year we went from mid 30 percent to nearly 99 percent compliance.”
Bl4ckP41nt, security engineer for a major US-based airline
“Challenge the C-Suite to manage down: explain the ‘whys,’ maintain the relationship, then watch the boat slowly turn.”
In conclusion, you can learn things the hard way by making mistakes and reflecting upon them. But the easiest way to learn is to listen to people with experience.
These opinions reflect those of the experts quoted and the article’s author.
Article published in 2019.