Fresh off of an out-of-state vacation, InfoReck is back! This week’s post was inspired by a horrible communication I received recently.
Many information security practitioners have highly technical backgrounds. We can speak in depth about OSI layers, development techniques and the advantages of DHCP versus static IPs. Having this type of knowledge allows us to talk nuts and bolts with the system administrators we work with. It is valuable.
But we are not just IT guys. In InfoSec we have to worry not just about keeping servers and routers up and running, but also about the risk appetite of our organization. We need to be able to discuss annualized loss expectancies, and how we comply with applicable standards (HIPAA, GLBA, SOX).
As information security practitioners we need to live in two worlds. We need to have the forward-thinking mindset of an entrepreneur combined with the task-oriented problem solving of a good network administrator. And more importantly, we need to be able to speak to both sides in a language they can easily understand.
When you speak with business stakeholders, they do not want to hear about what firewall rules you are implementing. When you start getting into the details of how you are implementing defenses against Cross-Site Request Forgery, they start thinking about what’s for dinner. Similarly, if you go into a meeting with network engineers and cannot understand the implications of the new VLAN configurations they are proposing, you will be viewed as just another business person to placate, rather than a teammate to strategize and plan with.
Speaking the right language is important. Know your audience, or your audience won’t listen. When you deliver the security analysis to the business in terms of dollars or corporate risk, they will hear you loud and clear. But when you deliver the security analysis to the technical staff, you’ll want to discuss recommended techniques and best practices so you can sync with the world they live in.
Information security requires more soft skills than running a network, server or phone system. And it requires more technological skills than making a business plan or giving a good presentation. Finding the right mix in any particular environment is essential to advancing the mission of security.