Security Experts: The Answer is Right in Front of You

I have lost count of the number of conversations I’ve either observed or been involved in where people simply aren’t listening to one another.  Whether it’s in a meeting, at a conference, in a social setting, or elsewhere, sometimes I take a step back and marvel at the complete breakdown in communication.  In some cases, it almost seems as if there are two different conversations happening at the same time between the same two people.  I am certainly not the first person to notice this phenomenon -- there are indeed many people who have written numerous books and articles on the subject.

Allow me to share a story that I believe illustrates this concept quite well.  Recently, I was invited as a guest to an educational program for new entrepreneurs.  This particular educational program is an ongoing series of sessions on different topics.  In this particular session, a guest speaker was brought in to speak to the group about the importance of listening to customers.  I thought that the speaker did a wonderful job of articulating why listening to customers is so critical, as well as giving the new entrepreneurs tips and tricks on how they can improve their listening skills, particularly when conversing with customers.

I’m sure you can imagine my surprise when, after an hour and near the end of the presentation, someone raised their hand and asked the following question: “What is the point of arranging all of these customer conversations?  They won’t yield anything!  That time would be better spent on product development!”

It was as if this particular person had not internalized any of the material that had been presented over the previous hour.  It very quickly became clear that this person may have heard the entire presentation, but he did not listen to any of it.  Further, the speaker had explicitly stated several times that developing a product around problems a customer is looking to solve is far more lucrative than developing a product in a vacuum, without a clue whether or not anyone has a use for it.

I’m sure many of my readers understand this point quite well, and they may now be asking themselves what this could possibly have to do with security.  That is certainly a fair question, and as usual, I am prepared to answer it.  I would argue that in security, some people and organizations have a listening problem that impedes their progress and stunts their maturity.  Allow me to enumerate a few use cases to illustrate why this is the case and how it can be rectified.

Prioritizing Risks

As many of you are aware, I have written several times about the importance of understanding and prioritizing risks as part of a successful security program.  Sometimes, when I present on this topic or speak to people about this topic, they ask me how they can understand the risks to the business that are most important to mitigate.  I’m sorry to disappoint, but the winning approach is relatively low-tech.  Talk to people.  Have a dialogue with the business.  Understand the business needs and priorities and how security can be a partner in those efforts.  Granted, this can be a fairly complicated undertaking that is often more art than science, but it works.

When security professionals build bridges to better understand the business, they also get important context around the different directions the business is being pulled in.  And guess what?  That often highlights what the biggest risks are.

As an example, say that I am a security professional working inside a benefits outsourcing company.  At first, you might think that protecting customer data would be the biggest priority.  Indeed it is a big priority -- if a security issue results in the theft of a customer’s employee data, they will be quite upset.  But you know what will make them even more upset?  If their employees don’t get paid on payday.  That’s right -- the availability of money movement usually gets a higher priority than the confidentiality of customer data, and you only learn that ordering by talking to the business.

Being Attuned To Market Needs

One thing that I’ve always found fascinating is how people assess market needs and market direction.  This is something I’ve observed both inside and outside of the security space.  More often than not, people use a number of different techniques, which can include such things as gut feelings, fingers in the wind, and hunches.  All flippancy aside, it would be a stretch to say that most of the people I’ve witnessed trying to assess market direction and market needs are doing so scientifically.

So what should they be doing instead?  Talking to customers in the space, and lots of them.  Ask them what problems they’re looking to solve in the next 12-36 months, along with other issues and challenges that they expect to encounter.  Sure, you’ll get a wide variety of answers, but you’ll most likely also get quite a bit of overlap.  That should help you assess market forces far better than a crystal ball will.

Moving In The Right Direction

I often find myself in a conversation with new entrepreneurs.  Any conference, meetup, or group function you go to in the security field is bound to have several of them.  Most of them are extremely bright, determined, motivated, and hardworking.  At the same time, most of them do not have experience on the customer side, nor do they understand the problems that customers are looking to solve.

While some entrepreneurs excel at managing relationships with customers and leveraging those relationships to zero in on the right problems and challenges, many do not.  Even the best intentions, brightest minds, and most energetic teams need to be focused in the right direction.  This focus can only come from listening attentively to those in the field who meet face-to-face with the issues, challenges, and problems they are looking to solve on a daily basis.

No one ever said that prioritizing risk, meeting the needs of a complex market, or starting a technology company were easy.  But not listening attentively won’t make any of those any easier.  More often than not, the answers we seek are right there in front of us.  Good things come to those who listen.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.