Be careful of who you listen to.

It’s amazing, no matter how much you think you know, there is always someone that can teach you more.

I’m fortunate enough that a young woman in cyber-security has asked me to mentor her. Crazy as it is I learn so much from each of our weekly meetings. As I tell her stories or explain why we are doing something I improve. My delivery, my understanding, my passion, my focus, and most of all my inspiration. So thank you to her.

That brings up the subject of this post. Be careful who you listen to.

It was during one of our 1 on 1’s that the subject of my one and only blog post came up. She glanced at it and turned to me and asked me why I hadn’t posted more. Given the nature of our relationship I told her the truth. Someone that I admired and considered a mentor told me that I was too casual and that it wasn’t interesting or relevant. So I listened and stopped.

Then that crazy, brilliant young woman that for whatever reason listens to me asked me who was my audience. What the heck! I pride myself on being a strategist but I hadn’t even thought that through with my first post.

Who is my audience?

Is it the uber security technical guru looking for some magical advice? Maybe.

Is it the app developer trying to make sense about what the previous guy said? Probably.

Is it the business leader in a panic about the next breach? Possibly.

Is it the CISO trying to explain his program and goals to all of the above? Partially.

I think the answer is All Of The Above.

My audience is all of you. There are more than enough technical blogs covering cyber security. In my opinion there isn’t enough of a conversation about how do we translate what each other is saying. Geeks talk to geeks, business people talk to each other, but for the most part when they try and cross lines it is just a mess.

I want to help bridge those language barriers.

So the lesson is be careful who you listen to, a vendor, an “industry expert”, a teammate, a customer, a mentor, and most of all careful what you tell yourself.

It is the sad truth of cyber security: we exist because of the fundamental problems with humans. So when we listen to somebody we have to pay attention to their motivation. We have to learn to recognize those people or organizations that while they may not want us to fail they are quite content with the status quo.

The status quo is exactly why we keep hearing about breaches, why as an industry we keep layering bandaids on top of bandaids without addressing the underlying issues. Our job as cyber security professionals is to help our companies be able to deliver their fundamental business need securely. We exist because they are scared and we shouldn’t scare them more. They need to feel safe and secure when we walk in a room. Their trusted security partner is there to help.

We need to earn their trust so they listen to us. Same way I am going to work to earn yours. This is a partnership, a collaboration, or simply put a conversation.

Till next time,

Francisco

P.s. she also said I need to get a better looking site. Thank you RR I really appreciate you putting that mirror in front of my face.

Getting Started and where we are going.

Thanks for tuning in. I’ll tell you now, I’m not here to tell you how you should run your security, I’m here to tell you what my vision is for Information security and the changes that I feel must happen.

Remember you are getting what you paid for. I’m looking for creative dialog with all of you. I want your thoughts and opinions, but start a flame war and we are done.

Fundamentally I believe that security is needed. I wish it wasn’t so. I wish we could all just play nice with each other. I wish, such an amazing and powerful phrase, it defines who we are and how we perceive the world. Problem is as the saying goes “if wishes were horses, beggars would ride.”

I remember the days when we all dialed around, used telnet, WAIS and gopher to bounce around and discover all these new amazing systems. Problem is that at some point whoever ran those systems irritated somebody (whether real or imagined) and that somebody decided to enact their (to them) justifiable revenge and the need for security was born.

Heck people this is fundamental to human nature, no matter what your ideology is they all assume that we are jacked up and need improving. I would love to be able to leave my house unlocked but inevitably no matter how rich or poor you are there is somebody who thinks that they should have what you have.

If you disagree with me great! I dare you to drive, walk, crawl, whatever to anyplace where a sizable population of humans live and hold the cost of your next rent payment in cash in your outstretched hand and take a stroll. Are you worried somebody will take it?

Why do you keep your money in your pocket or purse? Is it only for convenience?

The reason I say all of this is because as technology professionals we have to deal with the crux of all of this. At some point the organization that you work for, that pays your bills is going to piss somebody off.

For the business owners you have to ask yourself, who do you want guarding your company? Do you want a fresh from high school kid that took a “Security Guard in 90 days or less class” or do you want the Spec Ops individual that has years of experience and training?

I’ve only started to touch on these topics. Information security must change. Send me ideas for topics. Let me know what we can chat about. I’m thinking my next post will be about who the CISO must become.

Talk to you soon,

Francisco