I have been in the IT field for over 15 years professionally and 30 years as a hobby/interest. One of the things I find as I move up in the IT Security field is the lack of soft skills in security professionals. I have found in agencies that are struggling with security adoption that there are usually one or two security professionals who come from the old school of INFOSEC and still want to see security as black and white, yes or no. These people with rigid views limit themselves in their career. I have heard from hiring managers above these people that they did not promote this person because they were too rigid. They were not problem solvers, only roadblocks to solutions. They lacked people skills (often called soft skills). They were labeled "hard to work with", "Dr. No", the place where ideas go to die, etc.
If you wish to rise up to managerial levels, I suggest you work hard on your people skills AND business skills. If you cannot get past the response of "The regulation says X, so we must do X!" then you will struggle. Higher management has to look at the whole picture, not just whether we can comply with regulation X. If the solution you are proposing costs a million dollars and the executive does not have it in her budget, then no amount of demanding, stalling, denying other things, or refusal to let them go forward will help. You need to get to a point where you can say something like this:
ISO: The regulations say X. It will cost us $1,000,000 to implement option A.
Exec: I don't have $1,000,000.
ISO: OK, then our risk exposure of not being compliant with X is this. We can (reduce, mitigate, transfer, etc.) by doing option B, which will cut our risk to Y but will leave the remaining risk at level K. It will only cost $200,000.
Exec: I'm sorry but I don't even have that in the budget.
ISO: OK. So if we do nothing we will not be in compliance with X. Our level of risk is at level M. This leaves us vulnerable to X, Y, Z. We will continue to look for ways to reduce this risk, but for the meantime, are you OK with accepting that level of risk?
Exec: That is where we are, so yes, I will accept that risk.
ISO: I will get the paperwork fixed up for you to sign. Thank you.
Please go work on your people skills and become more flexible in your approach. Learn how to integrate the business portion into the solutions you provide. Tie your security initiatives to the strategic plan/goals of the organization. Learn business, leadership and managerial skills. Understand that there is a difference between management and leadership. Your local libraries are often a good source of free information. Doing these things will help get more of your solutions accepted and help you be more promotable.
I agree with your comments. We as security practitioners need to improve our soft skills. Often I have seen my team focus heavily on technology or compliance requirements for a client without first understanding the VP or C-level's business challenges. If we do this, I believe we can position security as an enabler of their business, not only as a cost.
Thank You, Amen, Ditto, Kudos, etc.
I spent way too much of my career figuring this one out, even with it being pointed out to my face. After I started living it, it is amazing how much more my colleagues actively seek out my input and how much happier I am.
The downside is that I am kinda like an ex-smoker. It now stresses me when I see people focusing on (or turfing) the problem instead of helping to find the middle ground.
I think this is sage advice.
I wouldn't so much look at it as focusing on the problem or 'turfing' either, so much as you need to balance the equations in the back end and present the Bottom Line Up Front (BLUF) back to the people that need to make the decision. Right at the top end of town, abstraction goes even further - terse statements of logic.
Though, having said that, I appreciate the points of frustration, and ultimately successful organizations line up behind their decisions. No one ever really escapes responsibility (look at the way GDPR is set up) - lobbing it over the fence invariably leads to weasels fighting in a sack at some stage in the future.
You never get to the crux of the matter until you can prioritize, assign value, estimate likelihoods - it always comes down to negotiation - and it tends to be easier to deal in the positives than the negatives, but in the analysis it's always risk, impact, and threat.
This reminds me of an article I read long ago that has always stuck with me. The point of that article was that IT has historically been the department of “No” and needs to become the department of “Know”.
And to take it even further, IT has to become the "Department of inNOvation". We have to look at creative ways to provide what the customer is asking for. Another good skill to have is helpdesk experience. Working a helpdesk is like being an interpreter for foreign languages. Seven people can call you and say "my computer is not working." Even though they say the same thing, they each have a different problem.
User 1: No power to the CPU.
User 2: Monitor is turned off.
User 3: Hardware failure and computer is not booting.
User 4: Had a book on the keyboard during boot up causing a stuck key error.
User 5: Computer OS was upgraded and now doesn't know where to find stuff.
User 6: Has a project that is late and needs something else to blame.
User 7: Accidentally deleted the Microsoft Office icon and can't get into email and thus their computer is not working.
The key skill is being able to ask the right questions to figure out the "real" problem so you can craft the appropriate solution. The same goes for security. If someone comes to you, they have a need. Try to figure out the need, and if the current options do not provide a solution, then try to be innovative and craft a new solution.
You should also have an open mind, with a good determination to keep learning, and motivate yourself to keep learning rather than stagnating. With digital transformation, or should I say digital disruption, at least now the CXOs are listening and having to take notice. It has taken years for many of these to realise the value of alignment with the business and security.
When I was new in the InfoSec business, I was at a conference roundtable. The table leader (a CISO at a Fortune 50 company) asked us what our job was in one sentence.
Naively, I answered "To eliminate risk at my company." He very politely laughed, and he was right to do so.
The correct answer, of course, is "To manage risk levels commensurate with my company's risk appetite."
A company that does not accept a level of risk is a company that will soon go bankrupt. The tremendously successful companies take acceptable risk to move forward. Some of that risk is operational, strategic, or financial, and some is information risk.