Nov 10, 2012

Piece of Mind

Alternate Title: What is an expert? A pert under pressure.

My Dad used to tell me that joke. It wasn't until I got into security that I really understood it. When you find yourself in a small company trying to persuade or dissuade, you can become a little like the pert and get under pressure. Managing that pressure is important so you can avoid becoming an ex-security or ex-risk manager. To help avoid the failures that lead to updating the resume, we need to understand how decisions get made and the input we need to be ready to provide.

Most decision makers love quantitative information. However, in the absence of solid data, management will sometimes be happy enough with an opinion from someone they trust. Tip: that comfort is best gained through shared trials by fire, reputation, or simply a well-delivered explanation.

Unfortunately, in a small company, decision makers may feel like both data and trusted advisers are lacking. Very often, management in small companies doesn't see a big enough return to invest in formal data gathering exercises, so they're open to a relatively significant level of "unknown" risk in Security. Since budgets are tight and the perceived risk is low during the highly Sales-oriented beginning of the company's evolution, management often chooses to ask IT staff to also do security. The problem is that the most knowledgeable and talented IT people may not see Security as resume padding or as important, so they'll push it off until late or, which is worse, hand it down the chain to junior staff. This leads to weakly developed controls, often thrown in at the last minute before an auditor arrives, that are more apt to fail during the audit or during a breach, cause a degradation in trust between management and IT, and increase the cost for both operational IT and security controls.

So you're the person who suddenly finds yourself tasked with adding security in this environment. What do you do to educate yourself so you can describe the value proposition of any control management may decide to propose or resist on your way to protecting their data and keeping your job? Besides all the other tips I've given so far, you have to GATHER ANY AVAILABLE DATA. You cannot become their expert overnight, and you probably aren't near enough to being a Security expert to do your job well. You can try to do it blind, but you can't be a consistent winner without some information you can use that matters to the people who've given you this role.

Where to begin?

I already said that the small company isn't likely to have or want to spend a lot of money collecting new data. So where are you going to locate the information you need to find the right path inside your company? Sure, we could go to Google and find some scary stuff that might work, but FUD isn't ever as powerful as wisdom about the company's issues. Let's consider what we do have that can at least get us started.
  • Experiences: As you've been talking to management to understand your role and their risk tolerance, did they tell you any stories? Did they suggest that you talk to anyone else? The stories will tell you what security is and is NOT at the company. The people to talk to are people who've been there or whom management already trusts, so ask them to give you tips, ideas, or just to be your mentor.
  • Roles and Responsibilities: If some aren't written, write down what your boss told you they wanted you to do. List who you think you'll have to work with to achieve those objectives and what you think you'll need from them. Then talk to those people to see if they agree or disagree and, most of all, to find out how anxious they are about the experience BEFORE you begin asking for their help. THEN GO BACK TO YOUR BOSS and discuss the lessons learned so you can tune the objectives. Defined expectations can be measured. Without defined goals, you can't prove you achieved them. Without defined roles for others and an understanding of the impact you will have on their other priorities, you can't prepare yourself, them, or management for the tough times ahead.
  • Process residue: Talk to the people who already do security tasks part time to see if you can get access to their output (remember not to take up too much of their time). See what evidence they create that either gets measured or doesn't yet get measured. Ask the people for examples that were tough on them personally. This will give you a sense of "customer" impact caused by security, to understand the causes of resistance in the environment.
  • Finance: Talk to whoever paid for or spearheaded the last sizable security project. Find out whether Finance was involved. Ask Finance for whatever information they are willing to share from that project to gain an understanding of the purchasing process and to hear their stories and the questions they asked along the way.
  • Anyone: Everyone worked somewhere else. Ask them what they liked about security and what they didn't like at their last job, and how it is different at this job. Try to zero in on any experiences they had with people doing what you're expected to do. DON'T try to steer them to focus on what you really want to know. These conversations will be more honest and teach you more if you and they are just trading jokes and stories over lunch.
All the people you've talked to above are "experts" in their own way. Since your job impacts and involves all of them, you can get a leg up toward being the pert with less pressure that management trusts during the tough conversations. After talking to them you should not only have a better relationship with them, but you will also have a clearer picture of what management specifically wants from you, what success looks like for your new role, and many of the pitfalls to avoid as you build your plan. Just make sure to keep a clear record of when you've achieved those expectations and when you've failed, so you have Experiences (see above) to give back when you're in front of that decision maker who'd rather have real data.
