In my previous article for SecurityWeek, I discussed how the city of Atlanta handled a recent snowstorm to illustrate the difference between having the information necessary to accurately predict events and taking proactive steps to alter or alleviate the outcome. The timing was particularly interesting because Atlanta had the chance to redeem themselves almost immediately with another large storm bearing down on them on the date of publication.
Given my new-found interest in how southern cities react to winter weather, I read a good deal of the news coverage on how they were applying lessons learned and if they would be taking a proactive stance towards this next storm. The passage below from a recent AP story sums it up quite well:
Georgia Gov. Nathan Deal indicated on Monday that he and other state officials had learned their lesson. Before a single drop of freezing rain or snow fell, Deal declared a state of emergency for nearly a third of the state and state employees were told they could stay home if they felt conditions were too dangerous. Schools canceled classes, and Deal urged people who didn't need to be anywhere to stay off the roads. Tractor-trailer drivers were handed fliers about the weather and a law requiring chains on tires in certain conditions. "We are certainly ahead of the game this time, and that's important," Deal said. "We are trying to be ready, prepared and react as quickly as possible."
Now let me preface all of my by stating that I don’t have any special kind of insight into any decisions that were made, the data they had on hand or their ability to handle another weather emergency. The direction they provided may have been spot on and appropriate in this situation.
However, I do want to use their reaction, even potential overreaction, to the second storm to make another point that I believe greatly impacts the role security professionals play in their organizations. As a society, we have a tendency to overreact. Whether in a business setting or in our daily lives, when something goes wrong, we generally overcompensate to ensure we are protected from the threat moving forward. While this may seem like the proper reaction to a threat at the time, it can also have wide-spread negative effects on the business.
As security professionals, we are always walking the line of what we can do to protect the organization but still allow for its employees to function at the highest possible levels of productivity. It’s not always easy to strike a balance and there is a component of risk that comes with every decision. It becomes particularly sticky following any type of security event. So how do we make it work?
Here are five things I recommend security pros keep in mind when navigating the line between tight security and keeping the organization running at peak proficiency.
1. Always be seen as proactive rather than reactive – This sends the message to the organization that you are in control and managing the threats rather than them managing you.
2. Be an enabler, not an inhibiter – By working with your organization to find secure solutions to problems rather than blocking usage altogether puts security in a more positive light and employees are more likely to follow protocols as a result.
3. Educate, don’t berate – The human element is always the weakest link in security and you need to accept that people are going to make mistakes. Use these times as a chance to educate them on best practices rather than belittling them over a mistake.
4. Remain calm when problems arise – The nature of the security business is that things will go wrong at some point no matter how well you plan. The ability to be focused and analytical in time of crisis is what separates the professionals from the also-rans.
5. Think like an attacker – Ask yourself where, when, and how am I likely to be hit? That is the question every security pro should ask multiple times a day, helping eliminate guess work and allowing for a neutral view of network defenses.
No one will deny the fact that security is hard. Not only do you fight a daily battle with hackers and emerging vulnerabilities, but you need to straddle the line of locking down the corporate assets while still allowing employees to conduct operations. Let’s face it, pulling the plug on everything connected to the Internet is really the only way we can be sure we are protected, but that simply isn’t practical. Being in business creates risk and our job as security professionals is to mitigate these risks to the best of our ability without dramatically impacting business operations.
Hopefully by keeping these five things in mind you’ll find it a little easier to strike the proper balance in your organization.