Just returned home after a quick business trip to the Middle East. The temperature was solid, the trip went smoothly and the delegation achieved what it set out to accomplish. But I was reminded that the operational effectiveness of an enterprise information security program has a strong correlation to the seniority of those who support it in the first instance. I’m yet to come across a leadership team too far gone to convince that information security is not only a business supporter, but an enabler – allowing the business to make informed decisions and exercise healthy risk-taking. Infosec can deliver demonstrable value.
So how does one start the conversation? I don’t think you need to start the conversation. Just start delivering.
Whether you’re an infosec analyst, team lead, manager or executive, you don’t need permission to start showing the value your team can deliver. Nor should you be waiting to be asked. Get in there. No budget? No problem. Haven’t been trained appropriately? Get onto it (you don’t need $$$ for that, I can assure you). Don’t feel like anyone is listening? Don’t give them a choice. Give them something that they won’t want to miss out on.
Here’s my personal top 3…
Lunch and Learn Sessions
These are easy and can earn business capital that you can take to the bank. They take between 30 and 45 minutes (run over lunch time, hence the name) and they introduce your fellow business users to concepts they’ve heard of but not seen. A couple of examples:
Demo of a basic buffer overflow and some post-exploitation fun with Metasploit. Show them what it looks like from an attacker/victim perspective as you silently take control over a workstation. If you can do the demo on your company’s standard operating environment, all the better.
Get yourself a wireless interceptor and run a session on why business users need to be careful when connecting to unsecured free public wifi networks. It can have a solid finale if you ask everyone to pull out their mobile device and check which network they think they’re connected to.
Plenty of choices are available, but the end result (if done well) can be some serious business capital for your infosec team. You’ll be surprised how quickly word can spread. As always, get permission, research your audience and sector, and deliver something exciting but relevant. The cost of these sessions is usually limited to the time taken to set them up.
Infosec Travel Briefings
Most businesses send staff on business trips at some point. Sometimes overseas. Inserting your team into this process gets you some visibility while adding value to the business. A two-page summary brief is all that is required. Include a map showing the local embassy and its contact details. Provide a list of do’s and don’ts from an infosec perspective (DO keep your mobile device with sensitive information physically secure at all times; DON’T use your room safe to store commercially sensitive information, etc.). Remind them of your business policies, but give them useful, actionable information to help them keep any business information secure.
If the delegation is travelling to a location with a higher propensity for electronic attack, do the brief in person. Give them a debrief when they get back. You may be surprised by what you end up wanting to do with user accounts and log sweeps once users return from their trip with strange stories.
Give users the tools they need to protect company information, but don’t go nuts and scare them to the point where they don’t want to travel because of the evil hax0rs. Make them feel comfortable coming to the infosec team to report anything suspicious. The exposure to senior management in this area is high.
Understand The Strategy
This one can be a bit harder to nail down sometimes as it depends on the business, but it can generate an excellent return. It involves really understanding what it is the company is trying to achieve, and assisting by making relevant stats/trends/models available to the leadership team that support those goals. Often, these are not even security-related. They may be simply some incoming IP address trends for certain customer behaviours, or activity changes in network transaction numbers over time from a particular geo. And anything in between. Call out strategically relevant data trends and send them upline. Information that may seem totally irrelevant to you may be of great interest to business leaders.
No, it’s not technically your job. But it can get you serious kudos and earn you a higher place at the decision-making table.
As an infosec professional, you need to prove value. It’s not impossible. Your business leaders need to know what you’re delivering and the value it provides, and capital requests/opex bumps should be approved on that basis.
Hacking people is just another way of showing what you are delivering and, more importantly, highlights what you’re not delivering but should be.