An Outsider’s View: How to Partner with Your Information Security Team
Over my career, I’ve watched information security grow from a part-time job within IT into a fully-fledged department with a complex set of accountabilities and disciplines. I’ve never been the primary information security leader at my company, but I’ve always been a close partner.
You probably hear from your information security team from time to time. Depending on your role, you may hear about policies, security awareness, audits, assessments, compliance, risks, and threats. However, you probably don’t hear a lot about security from people who aren’t in security. As a fellow outsider, I thought I’d share some of my secrets of success for effectively partnering with this important team.
Do what they say
Sometimes, the information security team will ask for your help. They may need you to participate in an audit remediation. They may need you to fix some vulnerabilities. They may tell you to stop clicking on so many email links. Many receive these requests as an annoying burden. Most of us are plenty busy with our day jobs, and it seems like the information security team just heaps more on our plate and makes everything a number one priority.
Here’s something to keep in mind: Your information security team has to deal with some really bad people. They defend the company against cybercriminals every day. Give them a break and be nice to them. The last thing they need is a fight inside the company they are trying desperately to defend.
Be the first line of defense
You may have heard the phrase, “security is everyone’s job.” It’s true, but I’d like to be more specific. The teams I lead develop and run many of the technology systems for the company. In those teams, we are accountable for secure application code, security patching, secure networks, encrypted laptops, secure cloud configurations, secure roles in the ERP system, and many more things. We have a lot of security responsibilities considering we aren’t in the actual “information security team.”
Our information security team sets the rules. We execute. Rules don’t do any good without execution. The information security team doesn’t have the resources to oversee absolutely everything. We need everyone to do the right thing. My team is the first line of defense. The information security team is the second line of defense. The audit teams are the third line of defense. When we all work together, we can defend the company.
Learn the language
Information security professionals can seem like an odd group of people until you get to know them. At one point in my career, I struggled with my information security team because I had a hard time anticipating what they needed. I tried to argue my point of view, but I didn’t get anywhere.
I saw this as a potentially career-limiting struggle, so I took drastic action. I decided to pursue my CISSP certification. CISSP stands for Certified Information Systems Security Professional and it’s one of the primary information security leadership certifications. Most Chief Information Security Officers have it. I took a class. I read the 1300-page book cover-to-cover twice. Then I took the test and passed it.
While the credential gave me some credibility with the information security team, the real power was in the understanding. For the first time, I understood their mental framework. With that understanding came empathy. With that empathy, I was able to align our goals for mutual success.
Few outsiders will pursue a CISSP. But everyone should do something to learn the language of information security. Sure, they could learn to understand you better too, but meet them at least halfway.
Thank them for defending the company
I love recognizing and celebrating accomplishments. When my team does something awesome, I love making a big deal about it and sharing it widely. Due to the sensitive nature of information security, that team’s accomplishments are only shared within a tight need-to-know circle.
In these modern times, it’s safe to assume that your information security team is doing some pretty heroic things for your company, but you just don’t get to know the specifics. Therefore, make a point to thank them anyway. Trust me, they’ve earned it.