Everyone must work together

Like a well-oiled machine, everyone in an enterprise must work together in order to implement a successful information security or cybersecurity program.  On the same note, everyone within the infosec community should work together as well.  I feel this is an extremely important topic, and it has multiple layers: the team environment, the enterprise as a whole, and the infosec field as a whole.

Let me tackle the team layer first.  I think most of us would agree that everyone within a team should work together, because the more members of a team share information, train/mentor and help each other, the more successful the team will be.  I think that is even more important when talking about an infosec team in an enterprise.  The infosec team must work as a cohesive unit in order to successfully secure an environment.  However, I’ve worked in several places where that just wasn't the case.  At one company I worked for, this sentiment was being tossed around: “He is a SOC analyst and I’m a security engineer.  There are things I do that he doesn’t need to know about.”  Do you see a problem with this attitude?  I hope so.  If a security engineer makes changes and doesn’t tell the SOC, how can the SOC effectively monitor the change?  Likewise, if the SOC saw suspicious behavior, they could be running it down for hours when it was a result of an engineer’s change.  This “wild goose chase” would take the SOC’s attention away from legitimate threats, all because one member of the infosec team didn’t want to work together by sharing information.  There really isn’t any reason not to share information laterally in an infosec team other than someone not wanting to be a team player, either out of laziness, arrogance, or thinking they have some sort of “job security” by being the only one "in the know."  Arrogance is the worst of these, because laziness and thinking you have job security can be changed.  Arrogance, on the other hand, can only be changed by the owner.  In this example it was even more annoying, because it was a small team of 4 people for a very large company.  When a team is that small, you should be sharing information simply so you aren’t a single point of failure, or so you don’t receive phone calls every 5 minutes when you are on vacation.  Plus, a 2nd set of eyes is one of the best ways to catch mistakes.  
I don’t know how many times I thought I had something perfect and after asking a co-worker to double check my work, they pointed out something I overlooked or forgot to go back and change like I had planned.  I know I'm capable of making mistakes or overlooking things, which is why I ask people to double check my work.  Of course a lot of arrogant people don't think, or realize, they can make mistakes too.  

Let me touch on the “job security” thing I mentioned.  Another sentiment I’ve experienced several times before is someone thinking/saying, “I don’t write work instructions, because it gives me job security.”  The people with this idea truly do believe that if they are the only ones who know something, it is impossible for them to be “walked out the door.”  I’ve seen enough people walked out the door over my 24+ years to know the business doesn’t care if you are the only one who performs your role, the only person with the passwords, or the only one who knows a certain product.  I’ve been put in many bad situations when someone was walked out the door and I was left to pick up the pieces.  If the business intends to replace someone for whatever reason, they aren’t going to stop simply due to you being the only one who knows how to perform a function or operate a piece of hardware/software.  The saying “everyone is replaceable” exists for a reason.

Let’s move past the infosec team and onward to the enterprise as a whole.  Everyone in the enterprise, from accounting, to sales, to infrastructure, to the help desk, must work together and must include the other teams/departments.  Whether we are talking about planning a new change, making a change, or working through issues, different teams must communicate.  Non-infosec teams should work with the infosec team early in projects if they want the project to be implemented securely and without major hiccups or delays.  If a change/addition is made to the environment by a team outside of infosec, infosec must be informed to ensure those implementations are monitored, logged/audited and secured.  This is also a two-way street.  Infosec must also share information in the opposite direction.  If infosec is planning to implement a change, especially if it could impact operations, they need to talk with representatives of other groups to see if the change will impact them.  I would encourage the infosec team to enlist a couple of “test subjects”.  Make the change on a small scale and see if the representatives, or test subjects, are impacted.  Working together truly is a two-way street.  Remember the old adage, “You must give in order to receive.” 

There truly must be a good relationship amongst all teams in the enterprise for an infosec program to be successful, but in my mind the infosec team is the one that truly must lead the way in building good relationships.  I feel this way for several reasons.  One, the infosec team needs to realize the first step to being invited to the table and included early in planning discussions is to be open and assist the business in meeting requirements (read my other blog post on this topic).  If an infosec team is consistently being a roadblock, businesses will not be inviting them to planning discussions.  They will instead get their project approved by management and funded before reaching out to the infosec team, which causes a lot of problems and often leads to security being a roadblock.  Two, it only takes 1 or 2 incidents where the business is crippled due to a poorly planned infosec change to turn other departments against them.

Now let’s move outside of the enterprise/company and on to the infosec community as a whole.  Everyone in infosec should be willing and open to working with each other to share experiences, ideas, etc.  We can all learn from each other no matter what our experience level or exposure.  One of my biggest pet peeves is working with people who are cocky and arrogant.  You know what I mean.  One of those people who feel or say things like, “there’s nothing you could possibly show or teach me that I don’t already know.”  If you feel that way and are truly that arrogant, I’m sorry, but you have already failed at information security and I honestly believe you are a liability.  I think everyone needs to be open to sharing, no matter what their professional level, for a very simple reason.  No two people will ever have the same experiences in life.  So being open and willing to share experiences with, and listen to the experiences of, others is extremely important.  Let me toss out an example.  Even if 10 people sitting in a room have seen credential stuffing, I guarantee they have all seen it performed in different ways, worked at different companies when it happened, and/or handled the incident differently.  That would mean each of the 10 people would have different experiences to share and each of the 10 people could learn something from the other 9.  I have always felt that anyone can participate in troubleshooting or a planning discussion.  By anyone I mean even if someone strolls in from HR, the help desk, accounting, legal, etc., they may have an idea that could help in one way or another.  Even if they don’t have the answer, they may say something that pushes everyone down the right path or sparks someone's memory on how to solve the problem.  When my daughter was 13, she solved quite a few problems for me just by saying one thing that made something click inside me.  It’s like the old adage, “two heads are better than one”. 

I’m high on mentoring and learning from others.  I know I’m not perfect nor am I an expert.  I also know there is a LOT to learn or keep up with in our field and there just isn’t enough time in the day to learn or keep up with it all.  If you ever want to collaborate, swap war stories, etc., don’t be afraid to reach out to me.  You can drop me an email via the Contact Us page or on Twitter @k33nbuff3r.

I know each of these layers will have challenges, but hopefully there are enough of us willing to work through those challenges to make our teams, our company, and, more importantly, the world a better place.