Security Experts:

Politics and Security Don't Mix

There are plenty of issues and challenges every security team already faces. There's no need to add politics to them.

Sometimes, it seems like politics is everywhere lately. In recent years, politics seems to have worked its way into all kinds of places that used to be relatively free of it. Whether it be sports, food, or yes, even work, I’m guessing I’m not the only person who longs for a time when not everything was politicized.

Aside from being unpleasant, it turns out that politics is bad for security. How so?  Security professionals already have a tough enough job to do when we stick to the issues related to managing and mitigating risk in the enterprises we defend. When we stray beyond those issues, and in particular, into the realm of politics, it not only makes our jobs harder - it also reduces our effectiveness. Allow me to elaborate on why that is the case.

Divisiveness: Politics, by its very nature, is divisive, rather than unifying. On many issues, politics tends to alienate a large portion of the population. In security, it is difficult enough to build relationships with key stakeholders, get their buy-in, build consensus, make security a part of corporate culture, work collaboratively with the business, and move initiatives forward. Introducing politics into the equation works against all of that by alienating people - people that you instead need to find common interests to rally around and work collaboratively with to solve problems

Dilution: In the security field, we are fortunate to have some great thinkers. In recent years, we have also had the privilege of being able to consume their guidance, advice, and words of wisdom nearly instantaneously via social media and other means. While I am eager to hear what security experts have to say about security issues, I am less interested in their political opinions. Unfortunately, the introduction of politics makes finding thought leadership and clarity more difficult and time consuming than it ought to be. In other words, politics dilutes the message of security experts. If I, as a security practitioner, find that, imagine what stakeholders on the business side, executives, and boards find. It is already hard enough for us as a profession to clarify, focus, and communicate our message. Why dilute that message with topics that are not relevant to the security issues and challenges we seek to address?

Exclusion: When people rally around a common cause, there is a bond that is formed between them. When this cause is security-related, members of the security team can work together towards a common goal. This is, by definition, inclusionary in nature. On the other hand, when politics enters the mix, those who either do not agree with the political stance or do not care to grapple with politics in the workplace are, by definition, excluded. This works against building comradery, enhancing teamwork, and increasing collaboration. The result is a less productive security team, which, in turn, results in accomplishing less security goals. This, of course, results in a weaker security posture for the enterprise, which is against the interests and mission of the security team.

Distraction: To say that politics in the workplace is a distraction is to be generous, in my opinion. I’ve seen politics used repeatedly, unfortunately, to divide people and cause them to argue with one another rather than find common, shared interests to rally around. This, of course, has a tendency to get the entire team off-topic and can cause the team to forget about or deprioritize what they really need to be focused on. A true security leader won’t weigh their team down with these types of distractionary tactics. They prevent progress, they aren’t good for morale, and they certainly aren't good for the enterprise’s security posture.

Diversion: I don’t know too many security teams that don’t have enough work to do on a day-to-day basis and have resources to spare. Staying focused strategically on making progress, steadily improving the state of security at the enterprise, and preventing damage to the enterprise requires high levels of both drive and energy. Introducing politics into the environment pulls focus and enthusiasm away from important security initiatives and tasks. Instead, that drive and energy is partially invested in efforts that don’t help to improve the enterprise’s security posture. The result of this is that precious resources within the security team are essentially diverted to activities that are not value-added.

If we step back and take a look at politics, it is hard to disagree that its aim is primarily to divide us. As difficult as it may be, particularly in recent years, it is in the security team’s best interests to keep politics out of the workplace. There are plenty of issues and challenges every security team already faces. No need to add to them.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.