The importance of standing together

Anyone working with cybersecurity today knows it can be a tedious and never-ending task. You can be working late hours - even round the clock - and still feel like you're falling behind. But few things are impossible when we stand together.

The past few years haven't really shown any improvement in this area - first we were thrown out of the office with the emergence of COVID-19 and had to adapt to a virtual way of living that in itself introduced lots of challenges - not least around information security - and further advanced our dependency on a (working) digital infrastructure. I wrote an article on this topic back in 2020, and I'm glad to see that we have emerged more competent and robust now that we are slowly returning to normal.

Then the unthinkable happened and war broke out in Europe. Since 2016, cyberspace had already been recognized as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.(1) That the pen is mightier than the sword is an old expression, and we've certainly seen examples before around fake news and election tampering. But how devastatingly effective propaganda and control of information can be in 2022 was never as clear to me as it is now, following the war Russia is currently waging on Ukraine.

Few things are impossible when we're standing together.

One thing life has taught me over the years is the importance and strength of standing together. When enough people rally behind a common goal, there are almost endless possibilities for what they can achieve. If we go back to NATO again, the defensive alliance has kept the peace within Europe for an unparalleled number of years. Pivot then to cybersecurity and see how the industry-based CERTs(2) (Computer Emergency Response Teams) have managed to combat advanced threat actors across country borders by sharing information and collaborating on events.

In my years as a security professional, a recurring mantra has been "we should not be competing on security", meaning that even competitors within an industry will mutually benefit from working together in this area. Not only will they be jointly more effective in detecting and responding to security incidents - they will also contribute to an increase in the overall trust in their industry. And if there's something the past few years have taught us, it's the importance of digital trust. As ISACA puts it(3): "Becoming a digitally trustworthy enterprise is important for organizations to enhance reputations, their relationships and brand loyalty with customers."

We should never be competing on security.

The guys over at Team Cymru(4) are another great example of how to mix (commercial) security offerings with (non-profit) community events. Looking forward to attending one of their events this fall, I came across an interview that was done back in 2019 (the last time this event was held). The questions are just as relevant three years later - and I'm glad to see so are my answers.

Q: How do you balance the workload between your security job and personal life?

A: “Working with security, you never really shut off. It’s like a 24/7 position most of the days. How I manage is that I try to rest when I can, and I also try to delegate my responsibilities. When I’m out of the office, I do not necessarily pick up the phone all of the time. I have people that I trust. People that I’ve trained that will act in my stead. I think it’s important that you empower your team members, that you trust them, and that you have good processes in place for escalation. It definitely is a challenging line of work especially if you are the one with the responsibility; but being pragmatic, flexible, and making sure that you have a good team that can share the burden is how I do it.”

Being pragmatic, flexible, and making sure I have a good team that can share the burden, is how I do it.


Q: If you were to give two or three bits of advice to established Information Security professionals that want to further their careers, what would you say?

A: “If you want to further your career in cyber security, it matters which level you are at, but I have found that what I can do as a single person has a limit. What I can do with a team or a group of people is a lot more. So, I would say if you have come to the point where you are really a master of a discipline and you want to advance, you need to improve your ability to build a good team. Find the people that are better than you in some areas, put them together and see how the magic works.

If you have come to the point where you are really a master of a discipline and you want to advance, you need to improve your ability to build a good team.

But I think the number one thing is to try to turn your focus to the business of whatever company you are working for. Security is usually seen as an insurance and something that is important, but first and foremost security must be a business enabler. If you start doing security for security’s sake, and you end up running a security theater, that won’t help anybody. Once you have the professional knowledge around everything digital and security, try to further your business knowledge and see how you can fit security in as the business strategy. That would greatly elevate your importance to the company and ensure a career.”

First and foremost, security is supposed to be a business enabler.


(1) https://www.nato.int/cps/en/natohq/topics_78170.htm

(2) https://www.nfcert.org/

(3) https://www.isaca.org/en/digital-trust

(4) https://team-cymru.com/company/#team

Wilson Soares

Vision is not a Dream, it is an identity, an essence of who we are.

2 years ago

Well written my friend. Insightful indeed.

Axel Petri

Lawyer by Education - Security Executive by Heart

2 years ago

Believe it or not. I’ve not read this piece before we spoke yesterday. But it’s good to see that we obviously are on the same page. Looking forward to further exchange.

Chandan Pani

Chief Information Security Officer | Cyber Security | AI | GenAI | Thought Leadership | Building Cyber Business | Large Program | CISA, CISSP, CRISC

2 years ago

Great piece! I love
