You work in cybersecurity, right?
That makes you one of the no guys.
I have, and can understand the attitude.
Why does it happen?
Too often, cybersecurity lives in a cybersecurity ghetto.
Away from everyone else.
All anyone in the organization will know about are the things that cybersecurity does that affect them.
These people wont know the cyber schmucks telling them these things.
They wont know what they do.
They wont know why cybersecurity does whatever it does.
They wont know how skilledor not–the cybersecurity crew is.
They will only know that someone is asking them to stop doing something they found perfectly reasonable.
Or to spend time doing something they dont think is necessary.
Living in the ghetto creates ignorance that works both ways.
As security people, we in cybersecurity are supposed to know how the rest of the organization works.
In my experience, we often dont.
The ghetto makes it more difficult for the cyber crew to do its job.
After all, they cant do it alone.
They simply cant: Cybersecurity should be everybodys business.
Indeed, you could say that it is too important to leave to the geeks.
But when cybersecurity is burrowed in the ghetto, it becomes only what those guys do.
Nobody else owns it, nobody shares responsibility for it.
How do we escape the ghetto?
There are attitudes we can adopt that make it easier to reach out to people.
There are things the cybersecurity crew can do to let others know what it does and why.
After all, it is their job to know these things.
There are no ‘stupid users.’
People do press the wrong links, go to the wrong websites, and choose foolish passwords.
We have heardor made–jokes about the problems that exist between chair and keyboard.
In a perfect world they would (and wed be doing something else).
But the world is not perfect, and not everyone knows cyber stuff.
All of us expect that these people, experts in their own fields, will treat us with respect.
Never say never; rarely say no.
It is true that we in cybersecurity often have to tell people not to do this or that.
None of this means that we have to say no automatically to what colleagues propose.
After all, is security ever simply a binary proposition where one thing is secure and another is not.
And, of course, there are different ways of doing things, some riskier than others.
To be frank, we couldnt do our job when it was given to us.
But we could discover when a remote server was down.
That became our saving grace.
Because he wanted those reports, the rest of senior management did, too.
We rose to the task and honed both monitoring and reporting.
As a result, we gained a reputation for competence.
He was not disappointed.
This reputation carried over into our cyber work, which we became increasingly good at.
They can be used to monitor problems in internet configuration or performance.
A development shop can even use some of them to monitor applications.
This means that the cybersecurity crew may learn about any number of problems before others do.
Letting fellow techies know about problems those colleagues will be responsible for can increase the value of cybersecurity.
It can also help get cybersecurity out of the land of no and open up the ghetto.
They can see how these things behave and must understand why when things go wrong.
Outreach
Attitudes are personal, though often enshrined in a groups culture.
Most organizations have several ways to do this.
There are e-mail lists, including those that go to everyone.
There are often internal web pages.
And there are regular reports to management or others.
Cybersecurity certainly needs a way to send alerts, particularly if immediate action is required.
But it should go beyond that.
It should make an active effort to reach out to the rest of the organization.
Email lists can be good for that.
Piggybacking on the efforts of others can be good, too.
Our InfoSec group is take advantage of that to send out messages about security topics.
Such an effort takes time and effort.
An effort like this can also require skills that a cyber team might not have readily available.
But it may well be worth making the effort.
Many organizations have a formal security awareness program.
This can certainly be helpful.
There might also be resources elsewhere in the organization that cybersecurity could draw on.
If not, why would they write in the first place?
Answering the mail quickly and fully encourages people to communicate problems that could be related to security.
Having a single, easy-to-remember address for cybersecurity can help.
It can also help to verify someone is responsible for answering the mail.
In one SOC, we analysts rotated that duty, watching the inbox through an entire day.
None of us liked the duty; all of us found him irritating.
But people kept reaching out to us, breaking down the walls of the ghetto.
Attend more meetings?
No one particularly likes meetings, and all of us complain about them.
But they can do three things for cybersecurity.
They can give insight into how others in the organization operate and what they find import.
They can give cybersecurity a face so that others know who to talk to.
And they can let cybersecurity know who to talk to when security problems arise.
Informal stand-up meetings like those common in several organizations I have worked in can be especially valuable.
They are by nature short, open to outsiders, and focused on what is important.
I have done that with several meetings in my current organization.
What cybersecurity does and why it does it should be transparent to all.
A public relations effort can do much to tear away curtains that hide the cybersecurity effort.
But there needs to be a place where the documents are kept that spell out whatever the organization requires.
Everyone should be able to access them and know how to do so.
That might seem obvious, but, too often, organizations treat such documentation much like state secrets.
And then they wonder why procedures are skipped and policies ignored.
The Personal Touch
Many cybersecurity professionals proudly count themselves members of the community of geeks.
That can give cybersecurity a human face.
In general, we can make yourself more available and more public.
How we can do that will depend on the situation in our organization.
I do several things that make me better known and more accessible.
I hang my coat in a closet close to people not on my team.
Whenever I do, others see me and I get a chance to make contact.
When passing someone in the hall, I acknowledge them with a glance, perhaps a word.
Days of the week is one.
Monday: It is the worst day of the week.
Or good, for a Monday.
Tuesday: At least we got past Monday.
Wednesday: Over the hump!
Thursday: One day to Friday.
The weather also works, of course.
It can be too hot, too cold, too wet, too dry.
Or it is a good thing that winter is over.
Other topics may spring from things within the organization that everyone recognizes.
Suggestions like this are not always easy to carry out.
Believe me, I know.
For some folks, these things are simply contrary to nature.
But they have numerous benefits.
They let people know who they can talk to.
They open up that ghetto.
Tear down these walls!
Yet none of that is true.
And the ghetto keeps cybersecurity from becoming everyones job, as it surely is.
The ghetto, therefore, makes the difficult work of security even harder, sometimes close to impossible.
The suggestions made here cannot guarantee that the walls that enclose the ghetto will vanish.
just, comment on how to improve this article.
