One thing that occurred to me this morning as I was working on something else I’ll share with you in a few weeks is that perhaps some of my last few emails have come across a little hard-assed. And if that’s the way you’ve felt, I’m not apologizing, but I am acknowledging that perhaps it’s time for a little bit of a break from that particular tack.
The thing is, if you’re getting this email, I know you want to do better as a security leader, CISO, architect, security manager or whatever role you have. If you didn’t, you wouldn’t be on the list, and you wouldn’t be trying to figure out ways to solve your problems on your own.
And I’m very aware of this fact.
And I know you’re capable of doing more than you’re able to do right now.
And I also know that it can be pretty hard going at times.
So today, this particular insight was a result of applying practice #14, pause and reflect, of The Agile Security System™ in my own work.
While it’s the “last” of the practices I’m advocating you work to install as habits in your own work as a security professional, it’s certainly one of the most important ones. Because if we never stop…if we never actually pause, catch our breath and appreciate that, we’ll, at least we’re still breathing…or if we never actually see what we drive past every day on the way to work, or the store, or wherever…
…then we’re actually preventing our brains from doing some of their best work. The psychology is some of what’s behind the Pomodoro timer method and its variants, it’s the basis of the practice of meditation—or even the recommendations to go for daily walks and take frequent breaks.
They’re not just for your body, they’re for your mind as well.
And if there’s a profession that needs those kinds of breaks as much as anyone, it’s the modern security professionals!
So, yes, I’ve been harping pretty hard on what the consequences of not doing a better job creating and maintaining professional relationships outside of security, and I’ve also been admonishing you not expect “the business” to learn the subtitles of cybersecurity risk so they “get” what it is we’re trying to do for them.
Guilty as charged.
The reason it might have seemed that I was getting a bit carried away is simply because this is something I literally see every…single…day.
Every time I talk to security people, if it’s not the leaders – the CISOs or the CSOs or the Heads of Information Security – then it’s individual members of the team who are actually in the meetings with the business and technology people who are trying to solve the problems and “deliver the business.”
And if it’s not that, I regularly see this theme coming up in the press, blogs and other articles. In fact, I found about 6 today when I was looking for something else (bless my Google-fu).
So yeah, I get frustrated.
I get frustrated at our attitude as an industry—and one of the biggest reasons I get so frustrated about the lack of importance or dedication or time made to address this problem is that…
I’ve done it too. In fact, I did it for a very long time.
But then, I realized that this is really the thing that was holding me back—to getting more respect from the people on the projects I was on, from the leaders of the organizations I was working with, and it was just basically me getting in my own way.
…and I really don’t want you to have to struggle as long as I did to figure this out.
Because it’s a bitch. And it’s slow…and it’s really annoying and, frankly, it “wears a feller out,” as my Dad used to say.
So yes, I know you can do better.
And I know you recognize this problem,
and I also know that trying to force a horse to drink just leads to a drown, dead and still thirsty horse.
So….
There are some practical thoughts and ideas I’m confident you can use to improve the way you engage and interact with the non-security people you’re supporting so that they will be more appreciative, be more open to listening, and may even buy you drinks without the additives I mentioned yesterday.
But it won’t just happen.
It takes work, and that work and commitment to be better has to come at the expense of something else. You have to carve out the time.
So if you’re willing to make that commitment, then what you’ll find in the upcoming September issue of the Security Sanity™ newsletter is going to be full of some ideas that you can use the very next day – or even the same day – to start being more effective.
And if you have trouble, as a subscriber, you also get to ask me any questions I’m qualified to answer. That’s part of the deal as well.
But if you can’t, won’t or just aren’t able to right now, then, hey, I understand. That’s cool, and we can’t always do everything we know we should when we want.
As I’ve said more than a few times before, I’m good either way. The newsletter isn’t for people who won’t get value out of it, or who aren’t able to implement.
So, if it’s for you, and you’re not already subscribed, then you can make sure you get it here before it goes to the printer in a few days:
Either way, you’ve got this.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
