Cyber/information security is fundamentally not about technology. It's about people. As one climbs the career ladder towards security leadership, interpersonal communication and relationship-building skills become increasingly indispensable. For me, despite its complexity, the technical security stuff has always been relatively easy to learn when compared to the unspoken subtleties of "people skills". As I've progressed in my security career, the skills I've found to be crucial to security success are:

1) Transparency - being open and communicating frequently with your staff, your peers, your leadership, and the wider organization. It's easy to overlook when the technical workload is high, but it's amazing when everyone is on the same page and aligned towards the larger goal of improving the organization's security. Take the time to communicate, even if it's easier sometimes to bury yourself in technical work.

2) Discretion - conversely, the ability to keep things confidential when needed is very important. This means being the person who people can trust with information they'd rather not spread around. Security teams deal with a lot of sensitive information. Without implicit trust from their colleagues they tend to get cut out of critical information flows, and this hampers their ability to succeed.

3) Kindness and respect - everyone has a lot going on all the time, especially in technology and security. Don't be afraid to step up and give support where needed, even if it means sacrificing some of your time. It's also important to understand that all of us face challenges both inside and outside of work which may not be readily apparent, and approaching each other with kindness and respect is priceless. There are times when kindness and respect also require humility and being able to apologize. In person, and not over text message, email, etc.

4) Flexibility - be willing to compromise. Security teams which are the proverbial "Department of NO" don't accomplish much. Sometimes you need to give a little bit of ground on a particular security issue to maintain a relationship which will ultimately improve security in the organization in the long run.

Never forget, security colleagues, that without good relationships with people throughout your organizational chart, all the fancy security technology and processes in the world will not accomplish much. Security success depends on everyone being aware and aligned towards the security mission, and feeling like they are on the same team. Keep learning, colleagues. I am, every day.
Key Mindset Traits for Successful Security Professionals
Summary
Successful security professionals rely on key mindset traits like communication, trust-building, and adaptability to navigate both technical challenges and complex interpersonal dynamics in organizations.
- Prioritize communication: Build strong relationships by fostering open dialogue, sharing knowledge frequently, and being transparent about decisions to align with organizational goals.
- Demonstrate empathy and respect: Approach colleagues and clients with kindness, understanding, and humility to create a collaborative and supportive work environment.
- Adapt to business needs: Balance security concerns with organizational objectives by offering secure, creative alternatives that meet business requirements.
If you're coming up in the cybersecurity profession, you must start learning communications skills, and understanding the business. Unless you want to remain a ninja in the basement forever, you have to start building relationships. And what are relationships built on? Trust. The organization - the leaders of the organization - must trust you. Trust means they believe you're the real deal - you know what you're talking about - AND you care about the mission - you want to be part of making the mission successful. So you apply your expertise specifically to help the organization meet their mission.

In security - it is often a denial. You can't do that. The department of NO. But we have to be able to go past that. We have to engage and understand the business justification, and then apply that to the rationale. We have to be able to find secure alternatives. That requires engagement and creativity. Sometimes it requires us to find other solutions that can supplement or act as compensating controls - to allow the business to do what they need to do - securely.

A CISO should never be the person that says NO to everything. A CISO is someone who understands the business and its mission - who builds trust, competency and relationships with the leaders of the organization. A CISO is someone who uses their experience and creativity to find ways to allow the business to do what they need, securely. You simply cannot do that unless you're connected - have a great relationship - have built trust - and have established that you have great competence in securing these complex situations.

I recommend you read CISO Evolution by Matthew Sharp and Kyriakos Lambros. This is really a textbook for CISOs as well as those who aspire to cyber leadership. Rock and Matt are my friends and mentors. I am so lucky to know them personally.

Our profession is one of protecting and serving. Find that mindset - focus on that mission. Your organization relies on you. It is a serious job. Learn as much as you can - practice and train constantly. Even when you're an old guy like me - you will still need to learn and apply your training. And it will still be as rewarding as it always was.
A cyber professional's ability to work well with people is just as important as their technical prowess.

- An appsec engineer identifies a vulnerable third party library in production code and seeks to understand the context instead of immediately escalating and calling the developer's "baby" ugly.
- A sec awareness and training manager reaches out to an employee that missed a deadline to discover they were on bereavement leave and could use a few extra days for their assignment.
- An analyst notices a control gap and talks with relevant teams before recommending a compensating control that minimizes impact while addressing the risk.
- A CISO exercises empathy rather than an iron fist to nurture an effective culture of security across their company.

Treating our colleagues and customers like humans (not robots) is one of the key ways we can improve organizational security posture.

#security #people #culture #empathy #ciso #softskills #interpersonalskills #success