Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

What he said.

Lovely, succinct post from Larry J. Hughes, Jr. on how to win friends and influence people through security ... well, okay, maybe not the friends part.  As he points out, nobody shouts “Group hug!” when a security person enters a meeting.  In the best case, it’s “Mmmm ... donuts!” and in the worst case, it’s “Release the hounds.”

His points include:

Say “no” by saying “yes.”  Well, kinda.  I’ve found it’s best to say, “Sure, I’d be happy to help you with that ... AND here’s what it’ll take.”  It’s also known as being one step up from the can-do attitude:  it’s the can-charge attitude.  “Sure, we can do that for you, and here’s what it’ll cost.”  All the best consultants work this way.  (Stay away from “yes, but”—it’s too close to “no” and it’ll drive people crazy.)

Learn when to say “That’s good enough for now.”  Preach it, bro.  As a few people have been emphasizing lately (including Marcus Ranum), we’re not ever going to reach the state of Perfect Security.  We’ll always have to settle for Good Enough Security, because that’s all the market will tolerate.  I’ve sometimes shocked customers who were sure that I was going to put my foot down on something, when instead my back-of-the-mental-envelope risk analysis said that it was probably okay.  People freak out when you start being reasonable, but then they kinda get to liking it.

Ask questions rather than making absolute statements. [...] It politely keeps the burden of justification where it belongs.  Another good one.  I found out third-hand that one developer said to another that I pretended not to understand things, but in reality I was forcing them to do their homework and think.  I’m always in favor of attempting to make people reason things out for themselves.  Once in a while it results in someone’s facial expression getting stuck in deer-in-the-headlights-mode, but that’s an externality as far as I’m concerned, so I’m okay with the risk.

If I had to pick three tips to give to security professionals, they would be:

1.  Understand technology.

2.  Understand risk.

3.  Understand people.

That’s it in a nutshell.  Now, go forth and secure that perimeter!  (Sorry, Jericho.)

Posted by shrdlu on Wednesday, September 26, 2007


Comments

stacy Canada on 09/26  at  09:48 PM:

Learn when to say “That’s good enough for now.”

The problem I have with that is making sure it really is “good enough” because “for now” can be a very long time.

I’m always in favor of attempting to make people reason things out for themselves.

I love watching someone argue themselves into agreeing with me.

United States on 09/27  at  09:45 AM:

- I’ve done that before as well, saying “that’s good enough for now.” Sometimes the chances of an attack are low, but the benefit of the idea is very high. One really needs to pick one’s fights, at times. Like Stacy says, though, I’ve been bitten by the “this is just temporary” which is just another way of getting what you want done, and later calling it permanent.

- I like to ask questions too. I’ve found that people latch onto an idea much more when they come to conclusions on their own. You know the answer, and you could just force them, but a little dialogue may allow them to reason it out for themselves. Amrit just posted recently about humility in security, and this is an excellent example of it.
