Many infosec professionals, despite being very knowledgeable about information security technology and concepts, struggle to develop successful information security programs. Successful infosec pros have good soft skills as well as strong technical skills.
This tip discusses the importance of soft skills development and outlines four key skills that, if mastered, will help security professionals be successful.
1. Gain senior management support
Security pros must have the support of their senior management, who allocate the money and resources that are essential for a successful information security program. Infosec pros should arrange regular meetings with senior management, during which they clearly explain the organization's prioritized risks, how their projects mitigate those risks, and how the projects support business objectives. This will increase senior management's trust and confidence in the information security team.
During these meetings, security pros should avoid glaze-inducing technical discussions. Instead, they should focus on the high-level objectives of security projects and provide clear evidence of how they are benefiting the organization. Infosec professionals should also proactively let senior management know when a project is not going well or when a serious vulnerability has been discovered in the organization; senior managers don't like being surprised.
2. Collaborate and listen
Infosec pros often need the support and cooperation of other teams, such as IT operations or the help desk, to successfully implement and maintain security controls. Security professionals should regularly meet with employees of such teams to learn about their processes and security concerns. Focus on listening and learning during these meetings rather than talking; try to find common ground and areas of mutual self-interest. Teams like the help desk are great sources of information about how end users really use an organization's information systems and interact with security controls.
Security managers should give other team managers advance notice about upcoming significant projects and ask for their feedback. The managers will appreciate the heads-up and may identify potential issues -- such as increased calls to the help desk -- that will affect project implementation and success.
Whenever possible, infosec pros should seek to work collaboratively with other groups in their organization. For example, if a penetration test finds vulnerabilities, work with the network and system administration groups to appropriately mitigate the vulnerabilities rather than seeking to assign blame for them. While it might be satisfying to find someone to blame, it doesn't do anything to reduce the risk to the organization.
3. Make information security relevant
As infosec pros, we understand how important information security is. However, the core mission of most organizations is not security, and the hard reality in many organizations is that employees do not fully understand information security risks. A successful infosec pro makes security relevant to employees by appealing to their self-interest. For example, an infosec pro trying to reduce her organization's susceptibility to phishing attacks should train employees on how phishing is used to take over personal accounts, such as their own bank accounts. Whenever possible, explain security threats in simple terms and explain how security controls protect both employees and their organization.
Successful security pros understand that many employees will resent and circumvent overly burdensome security controls that prevent them from getting their "real" work done. Because they often have strong technical skills, it can be difficult for infosec pros to understand the perspective of non-technical users and the real-world conditions they work in. Regularly meeting with end users and the teams that support them will help infosec pros develop and implement security controls that are appropriate and reasonable.
4. Choose your battles
Every day, infosec pros face a long list of threats and vulnerabilities that could affect their organization. A successful security professional understands his organization's prioritized risks and regulatory requirements and then fights hard for the controls that address them. Don't be a "security Chicken Little" who is in a constant state of alarm, or the "no" guy who rejects every user request; either will lead to being ignored or bypassed by employees and to the loss of senior management support.
Know the difference between "must have" security controls and "nice to have" controls. When it's time to fight for a security control or project, successful information security pros support their position with well-researched facts and cost/benefit analysis.
The importance of soft skills development
Soft skills development can be initially uncomfortable for infosec pros; many like things to be black or white. Increasingly, however, information security is gray, and the security pros who understand the importance of soft skills and who develop and use them will succeed in their projects and careers.
About the author:
Steven Weil, CISSP, CISA, CISM, CRISC is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.
With his background as a systems administrator, security consultant and security architect, Weil has a strong understanding of the strategic and tactical aspects of information security.