4 habits from consulting every security professional should steal

After being home with paternal leave 80% of the weak and working 20% of the week, I will be switching percentages from tomorrow. That means more time to get hands-on with security. I’ve recently switched from risk management consulting to a pure security position within a fast-growing organization with a very IT-centric culture. Working one day a week in this environment has been great to get an impression of the organization and its context, and now the real work begins. I think habits from the consulting world will be beneficial to everyone involved. Here’s how.

 

sec_pic_habits_consulting
Successful consultants must not only be good at what their technical area of expertise is, but also at moving around in unknown territories in client organizations while navigating complex issues with many stakeholders – these are habituated skills that security professionals should adopt.

 

Slipping into someone else’s shoes

Consulting is about understanding the unarticulated problems, and getting to the core through intelligent questions. That is the essence of it; the good consultant understands that context is everything, and that the perception of context is different depending on the shoes you wear. This goes for strategy development, for risk management in general, in definitely for cybersecurity.

Use your analytics for (almost) everything

As a consultant you must be able to back up your claims. Your recommendations are expensive to get, and they’d better be worth the price. Often you will create recommendations that will be uncomfortable to decision makers – due to cost, challenged assumptions or that your recommendations are not aligned with their gut feeling.

This is why consultants must be ready to back up their claims, with two essential big guns; a convincing approach to analysis, and solid data. Further, to add to the credibility of the recommendations, the methods and data should be described together with the uncertainties surrounding both.

Working in security means that you are trying to protect assets – some tangible, but most are not. The recommendations you make usually carry a cost, and to convince your stakeholders that your recommendations are meaningful you need to provide the methods and the data to make them compelling. Which brings us to the next step…

Always make an effort to communicate with purpose

Analysis and data become useless without communication. This is the high-stakes point of consulting, communicating with clients, stakeholders, internal and external subject matter experts. Not only for presenting your facts but as a support for the whole process. Understanding context is never a one-way street; it is a multifaceted, multichannel communication challenge. Understanding data and uncertainties often require multidisciplinary input. This requires questions to be asked, provocations to be made and conversations to be had. Presenting your recommendations requires public speaking skills. And following up requires perseverance, empathy and prioritization.

In cybersecurity you deal with a number of groups, each with their own perspectives. Involving the right people at the right time is key to any successful security program, ranging from optimizing automated security testing during software integration to teaching support staff about social engineering awareness.

And that leaves one more thing: learning

If there is one thing consulting teaches you, it is that you have a lot to learn. With every challenge you find another topic to dive into, another white spot in your know-how. Consultants are experts at thriving outside their comfort zones – that is what you need to do to help clients solve complex issues you have never seen before. You must constantly reinvent, you must constantly remain curious, and you must process new information every day, in every interaction you have.

Cybersecurity requires learning all the time. One thing that strikes me when looking at new attack patterns is the creativity and ingenious engineering of bad guys. Not all attacks are great, not all malware is complex, but their ability to distill an understanding of people’s behaviors into attack patterns that are hard to detect, deny and understand is truly inspiring; to beat the adversaries we can never stop learning.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s