By James Packer, CISSP, CCSP. Chapter President, (ISC)² London Chapter – and highly acclaimed in the Security Serious Unsung Heroes Awards ‘Security Leader’ category.
Our industry is one that is, at times, inherently pessimistic in its nature, because it has to be. We are professionals who dedicate ourselves to protecting against the worst-case scenario, exploring how bad things could be and explaining the depths of the abyss so as to justify not diving into it. This constant focus on things going wrong, however, can lead to a subconsciously negative outlook resulting in conscious connotations that serve no benefit to our cause.
I would like to share with you insights from my journey through the industry, specifically how I came to learn of not only the importance of being positive in my approach, but how this kind of approach can bring about opportunities for success that I may not have found without it. Whilst I want to focus on insights that you may find useful, I want to share a bit of my background that I feel will help to contextualise these insights.
My professional career started in end-user technology support services where I spent many years sharing my knowledge to help people succeed in using technology. Over time, this grew into helping businesses succeed in their use of technology through architecting and operating infrastructure. I was one of the countless professionals for whom security was a foundational part of my IT job; when I realised I was quite good at it, I took the leap into security full time.
Since growing my white hat wings, I’ve performed roles in cyber consultancy, security operations, cloud security, audit, risk management and most recently, head of the security function. In my spare time, I set up the (ISC)² London Chapter (https://www.isc2londonchapter.co.uk), I mentor a number of professionals, sit on a number of pro bono councils/boards and have won several awards for my work in the industry. Most recently, I’ve been honoured to win a Security Serious Unsung Hero award (http://www.securityserious.com/unsung-heroes-awards).
So what? Why is this context relevant? Well, in short, I’ve built my career from the ground up, centred around helping people and doing my bit to make a difference. Furthermore, I attribute the career successes I’ve had largely to the approach I’ve adopted: instilling positivity, excitement, passion and optimism into every situation I can.
Now, I know what you’re thinking… That sounds like a lot of hard work and like it would be very draining! In truth, yes, at times, it can be. But in those moments, I re-balance and re-energise my focus with the help of my wife and my son who remind me why I do what I do. With that in mind, I’m going to share the scenarios in which I’ve used positivity to get a successful outcome and how.
Positivity in business
In security, we have the difficult job of, at times, persuading businesses to change the way they operate to be more security focussed and risk averse. With this comes the need to “sell” our approach to stakeholders who need firm justification for these changes yet who have limited knowledge in the field.
Now this can be done in a number of ways and I’ve certainly tried a variety of techniques, from a facts and figures based pitch through to a “scare tactic”. The technique which has worked the best in my experience is focusing on the positive, enabling outcome that the changes will bring about.
A good example of this is business email authentication (specifically DMARC for those practitioner readers out there). I worked with an organisation to implement this on their email platforms used by tens of thousands of staff and customers across the world, sending and receiving hundreds of millions of emails a year. The changes on paper seemed quite daunting and the business impacts seemed to outweigh the reduction in risk.
In this situation, I focused on what the business was set to gain rather than lose by implementing this. This included greater staff productivity through fewer hours lost to security incidents, increased customer assurance of the security posture and a higher email marketing delivery rate and thus an increase in email reputation and potential sales.
Support for the adoption of these changes, when put in these positive terms, increased exponentially and the organisation ultimately achieved a successful implementation. Positivity in this context changed how security was viewed; as a key business enabler and a function that, when aligned well to business objectives, can really help the business to succeed.
Positivity with colleagues
Security is a function that reaches right across the organisation; engaging with stakeholders in a great variety of roles, from those who understand and “get” security to those who are scared by it. The key to success I’ve found with a variety of stakeholders is to make security accessible to them, encouraging them to want security and demonstrating security as a facilitator in exciting ways.
Recently, I worked with a creative team, who build and maintain the public-facing websites. This team really care for and love what they build and I used this passion to show them how they can better protect what they build through improved security practices. The team were very excited to engage with security and do as much as they can to be secure.
Positivity in leadership
As I’m sure I’m not the first to have experienced, it takes time to build maturity and composure into one’s approach so as to achieve success in your convictions. A well practised and confident professional style is a huge asset, but you do not pick this up overnight. The more developed your professional style becomes, the more you will encounter those who are much earlier in their journeys.
It is hugely important to be a positive role model for those earlier in their careers. Those less experienced security professionals can, at times, struggle to see the benefit security has for the business and rather, see the business adversely as constantly breaking security rules. Guiding others on their journey, by championing a positive mindset toward their challenges and leading by example can really help foster a more productive and cohesive team.
Positivity with peers
I can recall the countless times I have been enlightened in my career by peers, where I’ve been deeply inspired and motivated by a talk, presentation, initiative or conversation to take action. In fact, this greatly influenced me to want to give back to my peers in turn and I do this via the London Chapter.
Never underestimate the power of a passionate “off duty” conversation, expressing yourself and your principles, or indeed sharing what motivates you to do what you do. They can be a great source of inspiration and motivation for those around you, even if you don’t immediately perceive it.
Positivity for you
Lastly, but arguably one of the most important insights I’d like to share is how vital it is to be positive for your own sake.
We are in an industry that is not only centred around protecting against negative situations, but we are in an industry that is understaffed, often involving long working hours and where we are inclined to invest large amounts of mental capacity avoiding this arena of disaster.
This can and does have a human cost to us as professionals. Burnout, fatigue, desensitisation, isolation; these are common in security. A positive mindset about the challenges we individually face in our roles can have health benefits and I fully advocate openness when it comes to mental health. It’s OK to not be OK, so be kind to yourself.
I’ve experienced how building the foundations of my approach around positivity has had amazing results, for me and those around me; it can be hard at times in our industry to achieve this, but this lesson for me certainly impacts my productivity more than any technical training I’ve done!
And perhaps more concisely:
The POSITIVE THINKER sees the INVISIBLE, feels the INTANGIBLE, and achieves the IMPOSSIBLE.
– Winston Churchill