25 Hard-Hitting Lessons from 17 Years in Cybersecurity

Mike Pivette from returnonsecurity.com has posted 25 lessons about the cybersecurity industry from his 17 years in that field. It’s a great list, and I agree with almost all of them.

You can agree with me, roll your eyes, or fight back in the comments. :)

Here’s the entire list. I selected and commented on a few of his points below.

2. If you don’t know how your company makes money, you don’t know how to truly protect it.

If you don’t understand how your company makes money, you don’t understand the risks the company faces. You won’t understand how employees and clients could steal from the company or commit fraud. 

More importantly, as a security professional, you won’t understand when to say YES versus NO. See truth #4 for more on this.

6. There’s no talent shortage; there’s an imagination shortage on the hiring side.

My opinion on this one is similar to my opinion on #7. However, I will agree that lots of good people who don’t check all the skill boxes on the job description don’t get hired when they should be hired; I’ve always hired good people over skilled people, and I’ve never regretted it.

7. Cybersecurity is 10% tech and 90% diplomacy.

I think the main point that Mike is trying to emphasize is how much diplomacy security requires. I agree with that, and that’s also true in internal audit. So many security and audit folks don’t get that; they still have the traffic cop mentality. Again, see #4 in Mike’s list.

I was a security professional for a number of years. While following basic security practices will go a long way (see #10), business and technology only get more technical as time marches on. For example, deploying applications to the cloud securely is very technical.

I would say security (and audit) is more like 50% tech and 50% diplomacy. If you don’t understand the security implications and business risks, your diplomacy skills are useless because your recommendations are false, or at best, incomplete.

If you do understand the technology and how it works (and fails!), you also need to have the diplomacy skills to help the business understand why some risks are a shaky bridge too far. But you can have both tech and diplomacy skills, use both of them perfectly, and the business may still take the risk (and that goes back to #4).

22. The echo chamber is real; critical thinking is your only defense.

Don’t tell people what they want to hear, but what they need to hear, and then explain the impact of that truth. If you don’t know your business (see #2), your critical thinking won’t be effective because you will be thinking about the wrong things.

25. The best risk assessment tools are conversations, not spreadsheets.

People are the company’s best defense. Talking with them (not at them) can provide valuable context to spreadsheet data, which helps you with your critical thinking and the risks you are assessing. They can also explain why a circumstance or process exists. Knowing that might change your assessment of the risk.

I’d suggest you read the entire list here.

Auditors should think about how each item applies to internal audit.


Filed under Audit, Certification, Employment, Security, Technology
