Source: www.securityweek.com – Author: Joshua Goldfarb
A few months ago, I found myself perusing a more than ample hotel breakfast buffet in search of a tasty breakfast. Fortunately, it was not difficult to assemble a plate that did not disappoint in the least. In fact, the food was so interesting to many of the hotel guests that one person became so fixated on the buffet that they plowed right into me.
Of course, this isn’t the first time this has happened to me. I’m sure many of you have experienced something similar, whether at a hotel buffet or elsewhere. We have all likely experienced people getting so fixated on something that they miss nearly everything else around them – including important things.
I believe we can learn an important security lesson from this. Why do people have the tendency to become fixated on things? What do we as security professionals get fixated on? When we become fixated on one or a few things, what do we miss? I’d like to examine these questions more closely in this piece.
Let’s begin with the why. While not everyone gets fixated on one or a few things to the detriment of other, more important things, there are plenty of people who do. Why is this? There may be many explanations, but one, in particular, jumps out at me.
Successfully practicing security within an enterprise involves steadily and continually working to improve the security posture of the enterprise. This involves setting the right strategy, executing to implement that strategy, and staying the course over a long period of time (adjusting and course correcting as required). It is tough, it is a challenge, and it is a grind. It is not sexy by any means. But it works.
On the other hand, distractions are tempting. They are inviting. They are interesting. They can even be sexy, or at least sexier than what we ought to be working on. And perhaps most importantly, they can grab people’s attention.
While it might be tempting to turn to a distraction to divert and/or appease management, in the long run it will hurt us. We will stray off course and not attain our goals. Being fixated on distractions has never helped any enterprise improve its overall security posture.
When we look at the what, there is no shortage of shiny objects that security professionals have been, are currently, and will be distracted by. For example, as I write this, there is a lot of chatter and attention being paid to ChatGPT. I certainly don’t mean to belittle or dismiss ChatGPT, yet if we think about it critically, for most security practitioners, how much influence does ChatGPT really have on our day-to-day execution against strategic initiatives and priorities? Probably not very much.
ChatGPT certainly isn’t the only topic people have become fixated on in recent years – there are many. These topics seem to come and go in a near constant stream – almost like a rotation of distractions if you will. So what can a security team do when a distraction comes their way? Well, it all boils down to risks and the potential for damage (monetary or otherwise) to the enterprise – that is what primarily interests executives and the board.
If the topic du jour can’t be mapped directly to an increase in the risk that an enterprise faces, the enterprise probably doesn’t need to pay much attention to it. Further, that risk mapping gives the security team the sound footing it needs to beat back any attempts to divert precious resources from strategic initiatives and priorities to distractions. While it doesn’t stop some people from trying, it is hard to argue with real data and sound logic.
When security professionals become fixated on distractions, what do they miss? Unfortunately, far too much. While not an exhaustive list, here are a few of the top misses that can be caused by the topic du jour:
- Making steady and continual progress against strategic initiatives and priorities
- Redirecting executive and board attention back to more important topics
- Conserving precious human security resources for the most value-added tasks
- Investing in long-term projects that will improve the overall security posture
- Finding gaps that can be filled to improve the state of security
- Identifying opportunities to sensibly and responsibly introduce automation
- Updating products and solutions to better support the mission
- Training and cross-training staff to improve their skills
- Participating in industry and peer forums to discuss and learn about important topics
- Searching for writing and public speaking opportunities to share your successes
So while the above list may consist of wins for the organization, those wins don’t grab as much attention as the topic du jour might. Well, at least that is the case in the short term. In the longer term, there are few executives and boards that won’t see the value in a security organization that is achieving strategic goals, producing real value for the business, and able to show a strong return on investment.
Some people have the tendency to become fixated on one or a few things at the expense of other, more important things. Security professionals are no exception to this rule. Staying the course and sticking to strategic goals allows security professionals to steadily and continually improve the security posture of their organization without allowing distractions to divert precious resources away from more important tasks.
Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect – EMEA and APCJ at F5. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
Original Post URL: https://www.securityweek.com/stay-focused-on-whats-important/
Category & Tags: Management & Strategy