I have been in the IT field for over 15 years professionally and 30 years as a hobby/interest. One of the things I find as I move up in the IT Security field is the lack of soft skills in security professionals. I have found in agencies that are struggling with security adoption that there are usually one or two security professionals who come from the old school of INFOSEC and still want to see security as black and white, yes or no. These people with rigid views limit themselves in their career. I have heard from hiring managers above these people that they did not promote this person because they were too rigid. They were not problem solvers, only roadblocks to solutions. They lacked people skills (often called soft skills). They were labeled "hard to work with", "Dr. No", the place where ideas go to die, etc.
If you wish to rise up to managerial levels I suggest you work hard on your people skills AND business skills. If you cannot get past the response of "The regulation says X, so we must do X!" then you will struggle. Higher management has to look at the whole picture, not just whether we can comply with regulation X. If the solution you are proposing costs a million dollars and the executive does not have it in her budget, then no amount of demanding, stalling, denying other things, or refusing to let them go forward will help. You need to get to a point where you can say something like this:
ISO: The regulations say X. It will cost us $1,000,000 to implement option A.
Exec: I don't have $1,000,000.
ISO: OK, then our risk exposure of not being compliant with X is this. We can (reduce, mitigate, transfer, etc.) by doing option B which will cut our risk to Y, but will leave the remaining risk at level K. It will only cost $200,000.
Exec: I'm sorry but I don't even have that in the budget.
ISO: OK. So if we do nothing we will not be in compliance with X. Our level of risk is at level M. This leaves us vulnerable to X, Y, Z. We will continue to look for ways to reduce this risk, but in the meantime, are you OK with accepting that level of risk?
Exec: That is where we are, so yes, I will accept that risk.
ISO: I will get the paperwork fixed up for you to sign. Thank you.
Please go work on your people skills and become more flexible in your approach. Learn how to integrate the business portion into the solutions you provide. Tie your security initiatives to the strategic plan/goals of the organization. Learn business, leadership and managerial skills. Understand that there is a difference between management and leadership. Your local libraries are often a good source of free information. Doing these things will help get more of your solutions accepted and help you be more promotable.
A scene right out of the book "The Phoenix Project".
This was the case for the CISO who had to do a 180-degree change in perspective and started helping the company after he realized he had been a major obstruction!
This is my life every single day. At my current job, I've actually had one particular person who thinks highly of himself literally take work from my hands and make it his own.
Everyone in DoD Cyber has an ego a mile wide. There's zero team work at my office -- just a bunch of high-speed know-it-alls crapping all over each other personally and professionally.
I see it in the DoD/Federal world more than the commercial world though. My theory is this started occurring when DoD made CISSP a requirement -- and ISC2 membership soared. CISSP is about as watered down as an A+ now.
The thing which really cracks me up (ironically) is Windows people prognosticating how much they know and implementing the latest alphabet soup MMC (heaven forbid they ever open a terminal) and thinking STIG-ing a box equals cybersecurity.
The risk people are a riot too. RMF has destroyed the definition of the word "risk". RMF has morphed into a half-baked decision making platform for managers more worried about covering their backside than providing secure products and services to clients.
Risk is simply how much one is willing to devote to protecting something and how the ramifications of that risk would affect the business (which can be, but is not limited to: reputation, product delivery, legal, service delivery, etc.). That's it! That's all "risk" truly is... it doesn't need to be thousands and thousands of pages of NIST documentation.
However, the OP has written more of a rant than a roadmap of "how to become a more effective security practitioner". Which is understandable as I'm venting too.
> They were not problem solvers only roadblocks to solutions.
> They lacked in people skills
> (often called soft skills).
Problem #1... considering communication and collaboration a "soft skill".
Hiring authorities -- if your interviews aren't tailored to see how a candidate truly communicates and plays with others (more than the unquantifiable bullets on their resume about how awesome they rate themselves at communication and collaboration) then that's a problem. Your problem. Culture begins at hiring. Period.
> They were labeled "hard to work with", "Dr. No", the
> place where ideas go to die, etc..
My experience on Air Force projects is that people who think outside the box (hate that cliche BTW) and are the true innovators are the ones labeled as roadblocks -- because the rest of the process people (who really aren't technicians) don't understand the industry and current practices.
> Understand that there is a difference between management
> and leadership. Your local libraries are often a good source
> of free information. Doing these things will help get more
> of your solutions accepted and help you be more promotable
Unfortunately, a book isn't going to help out the people who are the target of your post. This is lost upon the people you're fussing about; they don't know when they are the problem. Complicating matters, like minds hire like people -- that's how dysfunctional empires not only get built but thrive and reproduce.
From an ISC2 perspective, and I've written them about this (and got some positive replies), they're not helping either. Not one bit. Take the bi-monthly magazine for example. It follows a repeatable template:
1. Here's some conferences to attend.
2. Here's a spotlight on a chapter.
3. Here's a disadvantaged person who overcame challenges to make cyber a career.
4. Cyber needs 10MM jobs over the next x years to meet y demand.
Where's the meat?
Moreover, and going back to the notion of "roadblocks who don't understand the industry and current practices", ISC2 isn't helping here either. If you read the magazine and attend a conference a year, you can meet your CPEs for your cert on that alone. I see ZERO coming out of ISC2 which goes to actual, relevant, professional development.
Where's the meat?
All material ISC2 has been pumping out lately is process and theory -- they're NOT helping to advance the industry or keep the good guys ahead of the bad guys.
I can say that for far too long Information Security was seen as the "NO" people. I've been in IT since the days of the punch card and at times avoided contact with INFOSEC as much as possible. But a few years back the CISO approached me about wanting to change to a "let's see how we can help you do this securely" environment. Now we see development groups actively approaching INFOSEC for consultation, and I can truly say I don't feel our security posture is any less secure while changing the message to "how can we help you". In fact I feel we are more secure in many, many areas.
@mgoblue93 wrote:
> Everyone in DoD Cyber has an ego a mile wide. There's zero team work at my office -- just a bunch of high-speed know-it-alls crapping all over each other personally and professionally.
>
> However, the OP has written more of a rant than a roadmap of "how to become a more effective security practitioner". Which is understandable as I'm venting too.
>
> > They were not problem solvers only roadblocks to solutions.
> > They lacked in people skills
> > (often called soft skills).
>
> Problem #1... considering communication and collaboration a "soft skill".
>
> Hiring authorities -- if your interviews aren't tailored to see how a candidate truly communicates and plays with others (more than the unquantifiable bullets on their resume about how awesome they rate themselves at communication and collaboration) then that's a problem. Your problem. Culture begins at hiring. Period.
>
> > They were labeled "hard to work with", "Dr. No", the
> > place where ideas go to die, etc..
>
> My experience on Air Force projects is that people who think outside the box (hate that cliche BTW) and are the true innovators are the ones labeled as roadblocks -- because the rest of the process people (who really aren't technicians) don't understand the industry and current practices.
>
> > Understand that there is a difference between management
> > and leadership. Your local libraries are often a good source
> > of free information. Doing these things will help get more
> > of your solutions accepted and help you be more promotable
>
> Unfortunately, a book isn't going to help out the people who are the target of your post. This is lost upon the people you're fussing about; they don't know when they are the problem. Complicating matters, like minds hire like people -- that's how dysfunctional empires not only get built but thrive and reproduce.
OP here. Just so you know, I have over 25 years of federal service, at least 15 years with DoD. This is a roadmap because it tells people how to succeed. I followed this formula and rose in the ranks, yes even in DoD. Don't be that know-it-all jerk. IF you recognize yourself as that person, then here is how to change it. IF you are not yet that person, don't follow in their footsteps. I agree that most of the people you and I are seeing who are that way are not going to change. This post isn't designed to get them to change. It is targeted to, and designed to help, others not become those people.
The reason communication is considered a soft skill is because its methods are not set in stone. Hard skills are like programming a computer: if this, then that. Place this here and that there and you should get result X. Repeatable, easy to teach, and not a lot of variation in technique. You cannot be that rigid in communication, hence the categorization of the skill as being soft, i.e. malleable. You have to change your technique based on the situation.
Many books have helped me not become that person; that is why I recommended them. Not just books on IT stuff, but books on management, communications, organizational culture, etc. Expand your horizons. My post was not designed to just complain about or try to change others around you (i.e. a rant) but to help you see where others, whom I passed by on the way up the ladder, were failing. IF you can learn from the mistakes of others, you will not have to suffer the same fate as them. My post was not complaining about others, but showing where the landmines were and trying to help others avoid them. Using these techniques I was able to rise from computer operator to IT Specialist to Deputy CIO to CIO. I also served as a Cyber Security Division Director and now I am a CISO. Being malleable and nice to people, while being able to solve problems, helped me move up the ladder rather quickly (14 years). I was also able to move where the job opportunities were, and that is big in advancement in the DoD/federal government.
Another thing that I would offer to help you out is to look at your words. When I see phrases like "Everyone in DoD has an ego a mile wide..." and "...zero team work...", those words, "everyone" and "zero", are absolutes. If you use absolutes to describe things a lot in your work, you will lose people's respect quickly. I was in DoD and I did not have an ego a mile wide, so I have already disproved your first comment. Now, is it true that there may be a higher percentage of egomaniacs in DoD? Yes, but you cannot say everyone. When you use absolutes, people usually become psychologically defensive. All they have to do is have one situation in which it was not true, and they subconsciously begin to distrust you. I share this with you not to start a flame war but to help you understand what good upper management sees when they start hearing those words. I want you to succeed. I want to help you.
I agree with you about the government hiring process; it is a joke. "Here, fill out this questionnaire and self-rate yourself on these questions. If you rate yourself high enough we will pass your name on for consideration." It is a system that penalizes honesty or people without huge egos (most people do not like to brag about themselves when applying for jobs). Perhaps that is why DoD has a higher percentage of egomaniacs, because the hiring system is set up to reward people with huge egos, people willing to lie because they know how to play the system, or people who know how the system works and play by the rules they are given. I have had more than my share of secretaries and grave diggers apply for IT positions who rated themselves highly on the IT questionnaires without having the requisite IT experience in their resumes to back it up. I did part-time federal resumes on the side for a few years and helped people "play the game the way the government wanted to play it". It is a lousy system.
Agreed. This is a good write-up. So much of this comes with experience though. It's hard to teach. Another thing I've seen that I think leans into this is places where tech sector jobs are plentiful. People lacking the soft skills just move around every few years because things just aren't going their way. Sticking out the difficult projects and learning to work with the difficult people builds character.
Thank you CISOScott.
Great post and very informative. I agree about the importance of soft skills and I appreciate the fact that you have suggested the local libraries as a starting point for improving these essential skills.
Thank you once again.
Generally agree with your comments. InfoSec is a risk management discipline that supports and advises managers. Performing a supporting role rather than seeing oneself as a decision maker has implications, in some people's minds, for the status attached to the role.
Some execs do try to short-circuit sensible conversations by stating that there are no legislative or regulatory risks, which is never true, rather than talk about risk levels and risk appetite. They can also attempt to shift responsibility by stating that the InfoSec department or CISO needs to 'sign off on', 'approve' or 'authorise' business decisions. Beware: there will be people in your organisation who don't want advice, don't want to discuss analysis, options, or recommendations, but only want to hear 'Yes, I approve'. Diffusion of responsibility and the effects of committee groupthink are an ongoing risk. It's not just about the soft skills of the individual security practitioner.
You simply need the resilience to persevere until the rest of the business understand you're a reasonable human.
> InfoSec is a risk management discipline
If so, then infosec needs to transition a bit. It needs to be a development and engineering discipline as well; otherwise the industry will become overrun with policy makers all the while the adversaries have their way with information systems.
Some of the recent and biggest breaches prove my point exactly. Target was completely avoidable and directly traceable to poor architecture. Equifax, again, completely avoidable and just plain lazy on their part to not patch a critical flaw.
Check out "Enterprise Security Architecture" by Sherwood, Clark, and Lynas sometime. It translates technical to business and business to technical. It also talks about risk through the layers of conceptual to contextual and by role inside the organization. Risk is a dynamic concept and certainly not how RMF has polluted the term to mean.