Pragmatic CSO Newsletter #50
March 26, 2008 - #50
Mike's Pep Talk:
Over the past 4 months or so, I've given the "How Focusing on Compliance Can Get You Killed" pitch, which focuses on the audit process and how to do it "right." The most recent version was presented at the Source Boston show. My bud RSnake writes up a little ditty that mentions the session and basically asks if auditors are "scarier" than hackers themselves.
That's actually an interesting question. Many of the folks that work with security professionals every day tend to see this dysfunctional behavior and perspective frequently. The problem is that most practitioners are too deep in the muck to realize how screwy that is.
Auditors are scary because we think of the audit like a 5 round fight with Anderson Silva. We figure we are going to get pummeled, look like an idiot, and have a list 4 times as long when the findings report comes back. Maybe if it goes well, only our heads will pop off. The fact is, security professionals can both influence the audit process and make it a productive experience.
That's right, an audit can be a productive experience. Now before you figure I'm on crack and send this newsletter to the circular bin, hear me out a bit. We seem to forget that auditors are on the same team we are. Seriously, they want to make sure the data of the organization is protected.
We also forget that auditors see an awful lot of stuff. They are in a different environment almost weekly. They see the good, the bad, and the ugly. Did you ever consider asking the auditor for help? Figuring out how they would recommend you solve a problem? You are probably too busy ducking, weaving and counter-punching.
For me personally, I think the hackers are a hell of a lot scarier than auditors. The hackers are trying to break my stuff and steal my private information and intellectual property. The auditors are working their asses off to protect it. You tell me which is the right side of the coin.
Think about this the next time you are prepping for an audit. Do you want it to be the equivalent of a root canal or a day in the park? OK, maybe not a day in the park, but at least the auditor will use Novocaine - if you ask nicely.
Photo credit: WhiskeyTangoFoxtrot
If they don't want a YES man, they want a YES man
When I'm kibitzing with practitioners at shows or in other venues, I usually try to understand how and why they ended up in security. Although a lot of folks enter the business because they think it's cool, or that they will have assured employment (both are true), they don't realize how hard it is. Why is it hard? Because of the scenario that Sharky describes in this blog post.
The fact is, we security folks tend to fight as many battles inside our walls as we do outside. And I'm not even talking about the insider threat. I'm talking about the politics of making security, if not urgent, at least a consideration. The Sharky scenario scares the crap out of me because the poor support guy that gets saddled with the security title may as well leave today. He CANNOT be successful.
Why? Because the CIO wants a yes man. The first indication that someone wants a yes man is that they go out of their way to tell you that they don't want yes men. I've been there, sports fans, and that is indication #1. Folks that are interested in your opinion don't even think to mention yes men, because that line of thinking is totally contrary to how they work. They EXPECT you to challenge them and they covet your perspectives. That stuff goes without saying.
Talk is cheap. And if they need to talk about treating you well, then they probably aren't doing it in practice.
The truth is that most executives are weak and they surround themselves with people that are weaker. They hoard information, keep their folks in the dark and try to position themselves as indispensable. Do any of those traits sound familiar? If so, get out now. You may as well be working for Mike Myers. You will end up with an ax in your head, sooner or later.
I was very lucky in that I was able to recruit great people to work with me. Not everyone (I did hire some stinkers over the years as well), but most. And I let them do their things. I'd challenge them and they'd challenge me. I wanted their opinion because I knew they were better at what they were doing than I was - or else they wouldn't be there.
Best of all, I learned from almost everyone that's ever worked on my teams. That's the thing that weak managers don't get. They think they know everything and since they tend to hire doofuses, they usually do know more than those around them. But they are on the express train to nowhere, and you deserve better. Make sure you are working for someone that will help you and teach you. Or else you are wasting your time.
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.