Lohrmann on GovSpace

About this Blog:

Musings of a state government CSO.

Dan Lohrmann

Why Do Security Professionals Fail?

Why do security professionals fail? As Michigan’s current CTO and Director of Infrastructure Services, I’m very interested in this question. As the former CISO for almost seven years, I’ve also been studying this question for quite a long time. I’ve been observing those who succeed and those who often seem to fail to achieve their goals from various perspectives. I’ve managed individuals who sell and/or implement security solutions as well as IT staff who rebel when the security experts show up. I’ve chronicled the good, the bad and the ugly.


So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you.


I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need to pay Information Assurance (IA) staff better, gain a better understanding of the bad guys, provide more executive leadership training  or get more top-level executive buy-in. Of course, I support all of these items – who can argue against more executive buy-in?


Nevertheless, I’ve seen security staff around the country with all of the right boxes checked, and others with none of the above, be successful. For example, some people are able to obtain the executive buy-in for security when they don’t initially have it, while others who initially have significant executive buy-in either lose that support or can’t seem to use this advantage to get closure on key security projects.    


The corollary is also true. I’ve seen security professionals with all of these positive attributes fail miserably. The reality is that most of these items are outside of your control when you show up and become a member of a security team. Yes, you can choose where to work and decide if a company offers the right training, pay or other opportunities. But in today’s tough job market where salaries and benefits are being cut, your choices may be limited.


CSOs often joke that they want the job right after a major breach and the loss of millions of dollars. The last guy gets fired and you come in with all of the leverage and resources to get the job done right. However, this is a rare situation, and most security staff find themselves with a mixture of good and bad in their current situation.    


So what can you do? What character traits matter most in determining successful security professionals? What practical steps make a positive difference? Over the next several months, I’d like to offer you seven “can do” solutions. In this initial post, I will focus on the first and perhaps most important item in my view.  


Before I give my list of reasons I think professionals fail, I want to list a few caveats. I am presuming that you have certain basic skills and a professional resume. You can truly call yourself a security professional. If you don’t know the difference between an encrypted laptop and SSL, you’d better go back to the basics. And yet, my guess is that most people reading this article already know plenty of cyber facts. The Internet is full of thousands of articles on training, certifications, information assurance careers, and the like. I am attempting to move on to “the rest of the story.”


Problem #1 - Security Professionals Are Known as Disablers


What’s the problem? Security professionals are often viewed as the “party poopers.” This problem is very serious and actually threatens the credibility of every security consultant. Are you bringing problems or solutions? Are you viewed negatively?


An industry example of this involves cloud computing. Most of the technology world is rushing into cloud computing. While thousands of positive articles are being written about the ROI, cost-saving opportunities and transformational aspects of new cloud architectures, the security world is busy printing articles about why cloud computing either won’t work, is a bad idea, or will lead to more identity theft, security problems, and richer, fatter bad guys.  But can our cyber security situation actually get much worse than it is now?


What’s worse is that security professionals only read the bad news online while the rest of the technology community reads the good aspects of cloud computing. Most security experts are feeding themselves the wrong intellectual food. (Tip 1: read more about the positives associated with new technologies and not just how easy it is to hack.)


Solution #1 - Be Known as an Enabler



So what can be done? Stop saying “no” to your customers. Offer secure solutions. Be an enabler. Answer the question: how can we ensure that this new project is delivered on time, on budget, and with the right level of security? Be known as a “can do” person, not a “Puddleglum” (read C.S. Lewis if you don’t know this character).
