What he said.
Lovely, succinct post from Larry J. Hughes, Jr. on how to win friends and influence people through security ... well, okay, maybe not the friends part. As he points out, nobody shouts “Group hug!” when a security person enters a meeting. In the best case, it’s “Mmmm ... donuts!” and in the worst case, it’s “Release the hounds.”
His points include:
Say “no” by saying “yes.” Well, kinda. I’ve found it’s best to say, “Sure, I’d be happy to help you with that ... AND here’s what it’ll take.” It’s also known as being one step up from the can-do attitude: it’s the can-charge attitude. “Sure, we can do that for you, and here’s what it’ll cost.” All the best consultants work this way. (Stay away from “yes, but”—it’s too close to “no” and it’ll drive people crazy.)
Learn when to say “That’s good enough for now.” Preach it, bro. As a few people have been emphasizing lately (including Marcus Ranum), we’re not ever going to reach the state of Perfect Security. We’ll always have to settle for Good Enough Security, because that’s all the market will tolerate. I’ve sometimes shocked customers who were sure that I was going to put my foot down on something, when instead my back-of-the-mental-envelope risk analysis said that it was probably okay. People freak out when you start being reasonable, but then they kinda get to liking it.
Ask questions rather than making absolute statements. [...] It politely keeps the burden of justification where it belongs. Another good one. I found out third-hand that one developer said to another that I pretended not to understand things, but in reality I was forcing them to do their homework and think. I’m always in favor of attempting to make people reason things out for themselves. Once in a while it results in someone’s facial expression getting stuck in deer-in-the-headlights-mode, but that’s an externality as far as I’m concerned, so I’m okay with the risk.
If I had to pick three tips to give to security professionals, they would be:
1. Understand technology.
2. Understand risk.
3. Understand people.
That’s it in a nutshell. Now, go forth and secure that perimeter! (Sorry, Jericho.)
Posted by shrdlu on Wednesday, September 26, 2007

