Relationships: Critical to the Security Posture of Your Organization

Managing Relationships in Information Security

There are some people in this world who will only call you when they need or want something. I’m sure we’ve all come across this type of person more than a few times. When you have something they’re after, they are your best friend. The minute that is no longer the case, the seemingly warm relationship suddenly goes cold.

What some people don’t realize, unfortunately, is the true value of relationships. There is tremendous value in our relationships beyond specific favors or a given dollar amount that can be extracted in the moment. The long-term benefits of building strong relationships have been studied at great length, and they are many. These benefits hold across relationships built with customers, management, employees, peers, suppliers, and others as well.

You might ask what the true value of relationships has to do with security. I’d like to discuss that in the remainder of this piece. I think after I illustrate the point through a few examples, the value will be clear. Having said that, I suspect that many of my readers already understand from experience how critical relationships are to the success of a security professional and his or her organization.

The best security professionals always keep the lines of communication open and warm, even when they don’t need anything. They don’t exploit, deceive, or cheat people. They understand that security is a profession built upon trust. Trust that is built on relationships. Furthermore, they understand that there are some things that money just cannot buy.

Let’s take a look at a few illustrative examples.

Information Sharing

Many people reference the importance of information sharing to information security, and in fact, it’s something that I’ve written about in the past. One thing that people sometimes overlook when discussing information sharing is the role that trusted relationships play. The best information sharing groups are self-assembled. That’s not to say that there isn’t valuable intelligence to be consumed from a variety of different sources. Rather, what I’m saying is that we can all learn from the experiences, techniques, data, sources, and methodologies of one another. Without this, our efforts are far more limited.

Organizational Success

Misunderstanding the value of relationships can harm us organizationally as well. Let’s work through a simple example. Many larger organizations may have a team that scans for vulnerabilities inside the organization, a team that configures, maintains, and updates alerting technologies, and a team that monitors the queue of alerts that these technologies produce. As you might imagine, there is a great deal of synergy that can be harvested here. If I do not run a given piece of software or run a version of the software that is not vulnerable, why waste cycles deploying and tuning signatures and vetting and qualifying alerts aimed at detecting exploitation of that vulnerability? Seems fairly straightforward and logical, right? Given that, why is it that most organizations have a difficult time connecting these three pieces of information for a simple but useful correlation? In some cases, it’s because the three groups aren’t working well enough together -- their inter-relationships need strengthening.


Given all the discussion of the talent shortage in security, I always find it interesting how little time organizations invest in cultivating relationships. It should be obvious, but every cultivated and nurtured relationship is potential future talent for an organization. Sure, a given person may not be a good fit for an organization at a given time. Or, conversely, an organization may not have something interesting to offer an individual at a given time. But what about in the future, if the stars align and a person or an organization is searching for the right fit? Good people who are gainfully employed elsewhere, current students, and analytical people employed in fields other than security are all potentially valuable human resources to an organization. It requires an investment in time to build the relationships necessary to identify the right talent, have people you can call upon when you are looking for talent, or be someone’s first phone call, email, or text when they’re thinking about making a change. This is perhaps the most obvious of all the areas in which relationships can make or break an organization, yet it’s one that is all too often ignored.

Incident Response

To anyone who has worked in the security operations and incident response field long enough, the importance of relationships during incident response should be clear. If we take a step back, we see that much of the time spent during an incident response, and particularly for a critical or high-profile incident, is spent communicating with, working collaboratively with, and/or asking for support from other areas of the organization or external sources. Simply put, as incident responders, we cannot effectively do our jobs without building the proper relationships inside of and outside of our organizations.

Career Success

None of us knows which one of our contacts will be the one to land that big gig somewhere or found the next hot start-up. Before you blow someone off, condescend to them, or ignore them, take a moment to think about the fact that you might need a nurtured relationship with that person in the future. I’ve heard from many different people about the hordes of people who all of a sudden wanted to “catch up” once they updated their LinkedIn status. It’s fairly easy to discern who is sincere and genuinely interested in building and maintaining a long-term relationship and who is merely looking, as I mentioned earlier, to extract something of value to them in the moment.

Relationships matter, and beyond that, they hold high value for us professionally, whether we realize it or not. I don’t care who you are. People make time for things that are important to them. If you think you don’t have the time to keep the lines of communication warm with people, you’re doing it wrong. Make the investment in relationships. It will be good for you, and it will also be good for the security posture of your organization.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant, where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.