
Security Teams: Trust the One You're With

Stephen Stills’ 1970 single “Love The One You’re With” inspired me to write about a topic that I’ve been meaning to write about for quite some time.  Where could I possibly be going with this, you ask?  That’s certainly a fair question.  In the security realm, it’s not love, but rather trust that I think deserves mention.  I’d like to discuss the theme of “Trust The One You’re With”.

Trust is extremely important in the information security field.  In fact, it’s so important, that the security community is more or less built around it.  Most security professionals I know maintain a circle of trust, either formally or informally.  A relationship built on trust over time can often achieve what more formal relationships seem to have great difficulty achieving.  For example, information sharing happens informally through a network of trusted relationships more often than we might realize.

It’s not just between peers and between different organizations that trust exists.  Trust is also important between executives, management, and employees.  In other words, the trust between those who run the security organization, and the analysts, incident responders, engineers, and others who do the work on a daily basis is also extremely important.  Unfortunately, I’ve noticed over the course of my career that many people and organizations struggle with this “internal” trust.  This can create an uncomfortable environment that stifles creativity, hampers productivity, decreases efficiency, and ultimately lowers the overall security posture of an organization.

While not an exhaustive list, here are a few trust-related issues I’ve noticed between management and employees, with a few thoughts around them:

● Live outside the comfort zone: Because the field of information security is so new, it’s not uncommon for someone who is in a leadership position and has responsibility for a security program to come from outside of the field entirely.  This is obviously less than ideal for a number of reasons, but given the shortage of security talent, and in particular, security leadership talent, it is the situation we find ourselves in.  If you are a manager who is new to the field, you probably don’t have a tremendous amount of experience or expertise in the field.  Perhaps you’re even the first person to admit that.  Chances are, if you’ve built or inherited a good team, your team has far more experience and expertise than you do.  In order to be successful, you’ll likely need to learn to trust and lean heavily on a small number of team members.  This may seem uncomfortable at first, but it’s probably a lot less uncomfortable than making decisions in a vacuum.  That can often lead to disaster.

● Don’t micromanage: Sometimes, when people feel overwhelmed, underinformed, or vulnerable, they tend to react by digging in deeper.  In other words, micromanagement sometimes arises out of a sense of feeling threatened, or at the very least, not knowing who or what to trust.  Unfortunately, micromanagement generally doesn’t produce very good results.  For example, a micromanager may send his best resources off on several different tangents, which can end up wasting a tremendous amount of valuable time.  Or, a micromanager may shift focus and priorities continually, making it difficult for security staff to understand what the true priorities and direction of the organization are.  And of course, micromanagement can very quickly fatigue and frustrate the best talent, thus causing them to look for relief elsewhere.  That is not a great way to retain talent, as you can imagine.

● Seek first to understand, then to be understood: I’ve seen many situations over the years where a lack of understanding fueled by a lack of communication causes people to feel tense, pressured, or angry.  This can sometimes result in an explosive reaction, or at the very least a reaction that can damage trust between team members.  Think you understand a certain situation and it angers you?  Take a deep breath, and seek first to understand.  Sometimes we just need to communicate openly and understand each other.  When we do so, we might just come to understand that things are not nearly as off course as we originally thought they were.

● Avoid knee-jerk reactions: How many times have I heard the phrase: “But we have to do something!” in my life?  More than a few times, I can tell you.  Doing something is easy.  Doing the right thing, or what needs to be done is much more difficult.  When the pressure is dialed up, it is all too easy to become extremely reactive.  Unfortunately, knee-jerk reactions often do more harm than good.  How so?  They can sometimes divert focus and energy from tasks that need doing to those that don’t.  That’s never good for the team dynamic.

● If you can’t take the heat, get out of the kitchen:  Incident response is a tough field.  During a critical incident, the response can be tough, demanding, and heated.  There may be chaos at times, or at the very least organized chaos.  No matter how good your incident response plan is or how many times you’ve tested it, things can and will go wrong.  It’s natural to feel a bit pressured and uneasy about things.  But you have to trust your team.  If you’ve done a good job setting them up for success, they will do well.  But if you don’t trust them to do their job, they will sense that.  That can often have many undesirable consequences.

One of the lines in the well-known song reads: “If you can’t be with the one you love, love the one you’re with”.  In security, if we can’t be with the one we trust, we should trust the one we’re with.  I know we don’t always get to build or manage our ideal team.  But we should still be able to give our team members the freedom and trust they need to do their job.  If we can’t, then why do we have those people on our team to begin with?

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.