The following is a guest post by Optiv, a 2016 Secure360 Wisconsin Gold Sponsor.
These days, security professionals are asked to be knowledgeable about a wide range of topics. Not only is the technical side of the job ever-changing, but a working knowledge of legal, financial and other issues is becoming less of a bonus and more of a necessity in this field.
Effective security programs require complete knowledge of many issues, but it’s nearly impossible for one person to be an expert in audits, every type of law, information technology and many, many other disciplines.
For years, elite athletes have touted the value of “cross-training,” or training in something that is not your sport but helps you perform better in it. Interdisciplinary security teamwork works the same way: it bolsters a security professional’s knowledge in areas outside the job that nonetheless help them do the job better.
Listening is the most obvious piece of advice, and it can also be the most difficult to adhere to. If you have a privacy lawyer on the phone while investigating a breach, listen to what they have to say. It can be all too easy to fall into the trap of “being the expert” any time you deal with someone outside your industry. Even if you have run into a scenario a dozen times and think you know what the lawyer will say, listen. You may learn something new, get an update on standard practices or a simple refresher from someone who knows more than you.
And always remember, you need their help, so take it.
You’d be surprised at how many people are afraid to ask questions about even the most common industry terms. When you find yourself in an interdisciplinary situation, accept that you will not know every term, technique and commonly used tool. That’s OK! If someone uses a term you don’t know, do not hesitate to pause and have them explain. If you create an environment where questions – even simple ones – are encouraged, everyone in the room will be better off, and you’ll all leave a little bit smarter.
On the security pro side, don’t wait for questions. Make sure you break down the densest lingo or scenarios into terms everyone can understand. Never assume everyone knows everything.
Get on the same page
An easy way to ruffle feathers is to let the “knowledge gap” grow too wide. Explain things that are obvious (“you should change your passwords”) and you fail to demonstrate value. Off-handedly explain things that are technical (“your IAM program is vulnerable to third-party risk”) and you could alienate your interdisciplinary team.
Setting a baseline of understanding is key. Remember, this is a team effort. If someone is missing a playbook, help them out.
One goal of interdisciplinary teamwork is to gain perspective that helps a security program run better. But don’t try to bite off more than you can chew. After a few meetings, it can be easy to think you can do more than you actually can. You aren’t suddenly qualified to be an intellectual property lawyer because you spent an afternoon in a conference room with one.
I call this “doing the doable.” Ask yourself “is this doable?” from a resource, time, efficiency and effectiveness standpoint. Try to create action plans, review them and then assess whether they are possible. Taking knowledge back to your team without any sort of realistic plan to implement it is a wasted effort.
Lawyers and accountants are the professionals you are most likely to work with during cross-disciplinary sessions. They may not – and should not – be the only ones. You may work with a client’s communications team, human resources or any number of other departments. Each department of an organization will have varying levels of security knowledge, as well as unique goals and directives.
Don’t dismiss a department rep even if it is not obvious why they are there. If an organization has been breached, someone from marketing may have crisis communication experience, for example. When doing our jobs, we sometimes forget that security affects every level of the business.