Security Experts:

Seven Attributes of a Great Security Team

Lessons from a great tour guide can help you in your efforts to improve your organization’s security posture

I recently took a week off of work and toured around with my family. We are very fortunate that my father-in-law is an amazing tour guide who generously volunteered five days of his time to show us many wonderful sites. It was a great experience.

There are, of course, a number of attributes that make him such a wonderful guide.During the five day tour, it occurred to me that we can learn several security lessons by analyzing these attributes. What do I mean by this? Here are seven attributes that make both a tour guide and a security team great:

1. Sincerity: When a tour guide believes what they are sharing, the tourists pick up on that sincerity, and they are better able to internalize what the tour guide is telling them. Similarly, when a security team believes in the principles it is preaching, and those principles are practical, logical, and sound, the enterprise will pick up on that sincerity. This bolsters the security team’s credibility and allows it to work more effectively with the enterprise.

2. Passion: When a tour guide is passionate about the topics they are presenting, that comes across to those on the tour. On the security side, when a security team is passionate about improving the enterprise’s security posture, that drive to improve upon the status quo resonates with the enterprise. The enterprise will be more willing to work together on various issues and challenges with a passionate security team than with one that appears to be “phoning it in.”

3. Energy: Giving a great tour is exhausting. Nonetheless, the guide needs to push through and keep the energy level up. The tourists would certainly take notice if that were not the case.  Along the same lines, a security team needs to drive its efforts to secure the enterprise with a consistently high level of energy. Failure to do so calls into question the importance of security initiatives, which, in turn, reduces the enterprise’s willingness to work alongside security to move those initiatives forward.

4. Humor: Humor can be a great tool when used properly.  Tour guides may use it to make a moment more memorable or to drive home an important point.  Security teams can use humor to diffuse difficult, tense, or uncomfortable situations, to convey humanity and emotion when dealing with difficult topics, to gain support and buy-in, and/or to help emphasize an important point.  A well-placed and well-timed joke goes a long way towards helping a security team improve its organization’s security posture.

5. Knowledge:  When a tour guide knows their stuff, it shows. Though not all tourists pick up on this, many do.  Those who have spent more than a few years on the business side know very well how to spot a security team that is not knowledgeable. If the security team knows its stuff and uses data and logic to drive decisions rather than emotion and intuition, the business will pick up on that, and that builds trust. That trust translates into a willingness to collectively and collaboratively solve problems that is so vital to the success of the security program and, in turn, to the success of the business.

6. Be current: When research is conducted and new information comes to light, the understanding around a historical site may very well change. A good tour guide is up to speed on the latest developments and knows how to work those into the tour.  Similarly, risks and threats to the enterprise evolve constantly. The sharp security team is able to track the evolving threat landscape and factor that new knowledge into its strategic, operational, and tactical efforts.  Astute stakeholders on the business side will pick up on and appreciate this, which will make them more willing to participate as active stakeholders in security efforts.  The result is a more secure and better protected enterprise focused on supporting, rather than inconveniencing, the business.

7. Know your audience: A speech or presentation that a guide gives to one group may fall flat to a different group.  Similarly, when a security team is presenting itself, its strategy, its goals and priorities, its metrics, and/or its plans, it needs to understand with whom it is speaking. Management, executives, and the board are most likely interested in understanding risk - those risks that may cause the enterprise to suffer a financial loss or significant brand damage.  Stakeholders on the business side, on the other hand, are most likely focused on their particular bailiwick or line of business operating in as profitable or effective a manner as possible. In a similar manner, other stakeholders have their own priorities that they bring to any discussion or effort. The security team that understands their audience can tailor their efforts and the presentation of those efforts to make them palatable to the audience they are being presented to.

Whether or not you’ve recently participated in an organized tour, the lessons from a great tour guide can help you in your efforts to improve your organization’s security posture. Above are merely seven of the qualities that I believe translate from guiding a group to securing an enterprise. I believe it quite likely that you will likely be able to add a few of your own as well.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.