Gifts for the Security Leader
All this Security Pro wants is…
’Tis the season for gift giving. Regardless of how you spend this time of year, you would need to live under a rock (or, at least, not be connected to the Interweb) to not see the plethora of gift ideas being advertised. I admit, I’ve done my civic duty to give back lots of cash into the economy. I have a wonderful community of friends, family and co-workers for whom I am eternally thankful, and I love using this time of year to recognize all these people who mean so much to me.
I have also been taking some end-of-year time to reflect on the year that has passed, and what I want for the year to come. And I’ve realized that I need to find some time to give myself some gifts, so I can continue to thrive in the world of Information Security.
So, in no particular order, here is my wish list for 2020:
Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it. — Ferris Bueller
Just yesterday I was looking at my plans for January, and then I blinked and it’s the end of December. And in Security, this is happening even faster than in other places. The amount of new tech, old tech, new threats, old threats, and emerging legislation, makes it impossible to stop and take a breath. But of course, a good leader MUST pause, and take stock, and reflect, and plan.
So this year, I will give myself the gift of time. This will mean scheduling days each quarter to block out typical meetings and other standard activities, permit myself to prioritize me first, and take time to check in with my goals, aspirations and achievements. Just a day, every month or so, is an investment in me, my team and my family, to make sure I’m working on the right things, for the right reasons, in the right way. Just a day, to make sure the world around me hasn’t changed so much and my original plans still make sense. Just a day, to check in with myself to ensure I’m not burning out, or over-stressing people around me. Just a day, to ensure I’m still aligned to my core values.
It’s not what you look at, it’s what you see. — Henry David Thoreau
Phew, there sure are a lot of bright, shiny things in Security. Blue/Red/Purple teams, threat matrices, zero trust things, bug bounties, DevSecOps, frameworks, awareness, gamification, threat intelligence, endpoint tools, cloud, AI, machine learning…and on and on and on and on. How in the world can one Security leader do all these things, and do them well? How can you know if you’re working on the right things, with the right priorities, with the right speed?
The truth is, you cannot ever know if you’ve got it right. The absence of a security breach doesn’t mean you’re doing things properly. No one else can know either: not the most experienced CISO on Twitter, not the most technical external or internal auditor, not even your boss. No one else walks in your shoes, at your organization, with your budget, and your team, and your priorities, and your constraints.
So, this year, I’m going to give myself the gift of perspective. It doesn’t matter what “the experts” in the media, the industry, or the vendor community tell me. I will listen to all of them, and then will give myself the gift of trusting my own experience and expertise to know that I am working on the right things at the right time, in the right way. I will continue to learn, and absorb new information, and to adjust my tasks as I see fit — but I will rest assured that I’m doing what I should be doing without second-guessing myself.
The weak can never forgive. Forgiveness is the attribute of the strong. — Mahatma Gandhi
As a Security leader, it’s easy to be angry at people around you. Business leaders who refuse to invest in Security until something Bad happens. Technology partners that are so worried about seamless customer experience that they forget the negative customer experience that comes with data loss or system outages. Vendors who are trying so hard to win your business that they pepper you with spam and other unwelcome solicitations.
Mostly, Security leaders, including me, continue to be mad at ourselves for not being as effective as we want to be in building Security partners and advocates who can work with the Security program. We take it as a personal failure when our budget requests are denied. We wonder where we went wrong when a team member leaves for a better opportunity.
So, this year, I give myself the gift of forgiveness — not for others, but for me. This year, I will cut myself some slack. Sometimes, the money just isn’t there to spend on Security. Sometimes, other staff have been given goals that are not mine. Sometimes, our staff outgrow our teams, and they follow a natural progression to their next gig. In each scenario, I will recognize that these things are not wholly within my influence, and forgive myself for the things I cannot control.
Practically speaking, I’d really really really like to triple my Security budget, and my team. Rationally speaking, I know that this is never going to happen, and even if it did I would still want more money and resources — it’s a bottomless pit of need.
So, if I’m going to receive something really meaningful this year, it needs to be a gift from me to myself, something I can do without filing a request in triplicate. It needs to be something that takes little money, but probably some effort. It needs to be something that nourishes the Security soul.
Sometimes, what we need doesn’t come in a box. Sometimes, it comes from the most unlikely of places — ourselves.
May it be so.
Happy New Year!