Why You Should Ask For Everything in Cybersecurity

Make Them Tell You “No”

Helen Patton
4 min read · Feb 15, 2024


Attend any meeting of security practitioners and there will be two threads of conversation: that there aren’t enough resources available to do security the way we really want; and that, if non-security leaders only knew what we knew, they would make the resources available. Now we can debate whether either of these things is really, completely true, but that would be irrelevant. Security leaders BELIEVE these things to be true.

Being a cybersecurity leader involves a delicate dance of being likable, knowledgeable and relevant, and also making sure an organization understands what it needs to manage cybersecurity without dealing in Fear, Uncertainty and Doubt (FUD) or seeming politically inept. We have been conditioned to avoid FUD, so we focus on being politically savvy. We don’t want to overwhelm our non-security partners with too much talk of risks or threats. We want to be seen as business-enabling, so instead, we talk in calming, soothing tones about our security programs, the progress towards improvement, and how well the organization is rallying around the security agenda.

This tendency to self-censor, to avoid talking about difficult things, and to minimize what we really need to deliver a…


Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange