As we approach the midpoint of 2013, I have begun to shift some of my thinking to strategic initiatives for 2014 and beyond. As I begin this shift in focus -- and, admittedly, as I come off of vacation :) -- I have begun to spend time thinking about what I am calling the "adaptive mindset." A friend and colleague of mine refers to this same topic as the "Agile mindset," but this often gets closely intertwined with the Agile development methodology. I believe the challenge I am referring to extends beyond Agile development, although we see this challenge most clearly manifested within Agile development environments.
I have often preached that the job of a security team is to "make lemonade out of two apples, a grapefruit, and a kumquat and make it look easy while doing so." The needs of the business can shift at an almost mercurial pace, and if security wishes to remain a supportive (and, therefore, a valued and relevant) factor, security professionals need to be able to innovate secure approaches and solutions on the fly, often without the benefit of exhaustive research time and/or ideal toolsets. Think of the movie Apollo 13, when the lead engineer dumps a pile of parts on the table and informs the team that they must develop a solution to the orbiter's problem utilizing only the items on the table. Just another day in the life for a typical security guy :)
The problem -- or, at least, the thing that I perceive to be a problem -- is that we appear to be losing some of the profession's inherent ability to innovate on the fly. In the early days of security, we came from a wide variety of backgrounds; many of my peers trained as mathematicians, musicians, accountants, and (in two cases that I know of) Jesuit priests. As we have begun to create college programs centered around information security, we have created a standardized group of people who understand The Way Things Ought To Be...but not necessarily how to get them there with less than a perfect methodology.
I first ran across this problem en masse during my studies for my Master's degree. I was in a cohort-driven program, and for each class we needed to engage in online discussion groups around questions posed by the professor. I was the only sitting CSO (and had been for 3+ years) in my cohort, and I would often challenge the other students' answers with responses like "That makes sense and is leading practice, yes...but what happens when the situation is <X>?" Invariably someone would chime in "well, that would never happen," only to have me explain that I had to deal with such a situation just the month before. This would lead to some stilted discussion as fifteen highly experienced and well educated personnel struggled to innovate a solution to a real world problem.
I see similar challenges as security shops attempt to work within an Agile development or project environment. Decisioning in such environments happens in small teams at the lowest level. The security SME doesn't need to know everything...but he does need to be able to think critically at a fast pace, make decisions, and consult the appropriate knowledge repositories to drive new and innovative solutions rapidly. Too often, security personnel struggle in these environments; in some cases, they mask their inability to move and think rapidly by defending the need for security to follow a traditional waterfall model.
I am blessed to run a decent-sized security shop in an organization that truly values programmatic, holistic security. My people are top notch, with a true desire to do the right things as well as improve their personal skills. As the security leader in such an organization, I find myself in a quandary. How do I balance the need for security specialists who can dig into certain topics and areas with nimble-minded generalists who have a passably working knowledge of multiple topics as well as the ability (and confidence) to make decisions on the fly in a fast-moving organization?
The first answer that comes to mind when I discuss this topic with many of my peers is "experience." Yes, clearly a more tenured and seasoned individual has a greater ability to flex and maneuver than a new recruit...but this begs the real questions of (a) how do we actively train and prepare young security professionals to adopt a nimble mindset, and (b) how do we persuade young security professionals to eschew some of their 'specialist' chops in favor of a more holistic knowledge base? Adding to this challenge, of course, is the young professional's resistance to knowledge transfer. Security professionals are proud of their skills and knowledge...and they have a right to be. Many of these younger professionals can feel threatened at the prospect of either sharing that knowledge with someone else (a la cross training) or placing that knowledge within some type of knowledge repository. After all, if someone else has the knowledge, doesn't that make them expendable?
No organization can afford to staff itself with only senior personnel (even if such personnel were available in large numbers). Further, there is still a need for "screen jockeys" at some level to do the analysis on incoming events, etc. Clearly an organization must find and strike a balance between the two -- a balance that is partially driven by (a) training younger professionals on a broader range of skills; (b) encouraging critical thinking; (c) building knowledge repositories and documented security processes; and (d) automating as many routine processes as possible. We must eschew the notion that a young security analyst needs to spend 3-5 years perfecting nothing but one specialty skill before they can branch out. We must also encourage the notion that a well rounded, critical thinking professional is what is needed in order to drive transformation and value within an organization.
Fostering the mindset for agility and adaptability will be critical to the future of any transformative security program. Figuring out the right skillset balance without jeopardizing the daily activities or ballooning the security organization to an unreasonably large number is the hard work that accompanies that easy declaration. As I begin to put solutions for the adaptive mindset in place within my organization, I will share my approach and thoughts on this blog. All comments and inputs are welcome :)