We live in a world where cybersecurity threats run rampant, with no signs of slowing down any time soon. Multimillion- and billion-dollar organizations are getting attacked because their 1 or 2 administrators did not have the manpower or support to stay on top of it. Or, was it simply a breakdown in communication between technician and management?
The Technician’s Side
As a recent member of the security technician realm, I know what you are feeling. I have walked in your shoes, stood by your side, seen your face when your hours of research and work get shot down by a manager who does not consider it ‘best for business’. Then, after trying your best with what you have, you get scolded for a policy not being in place, or a patch being discovered missing from a critical system during an assessment.
I hear you now: “I have been telling them about this for months,” you say. “They told me it wasn’t in the budget,” you say. Now, after all the work you DID do, you must remediate all missing items as quickly as possible so it won’t be discovered that the manager was not properly ‘managing’. You are normally by yourself, or in a small group, constantly combing the archives of information, looking for a way to make the company more secure. You are expected to know everything, but are also expected to ‘stay in your lane’ when it comes to suggestions.
As a consultant now, I interview many of you technicians, and this is what I hear. “Log reviews and correlation are manually done daily because management won’t purchase a SIEM,” “I get handed tasks with no direction or instructions,” or my favorite, “I was here until 1 AM last night because I was given last-minute work to do before the assessor showed up.” The process is always the same:
- Manager: What should we do about (redacted)?
- Admin: Well, I have talked with a few friends who have dealt with the problem before, and they use a logging server to collect everything in 1 location for review, with alerts that send messages to myself and anyone we would like to receive them in the event of a critical item.
- Manager: A logging system? Doesn’t each system have its own log? Why can’t you just review them all individually, and let us know when an event takes place?
- Admin: Well… Yes. Each system does have its own log, but I could save over 4 hours a day by having everything centralized.
- Manager: Why do you need to do it quicker? What else do you have going on?
As junior admins know, the answer to the manager’s question can be summed up in 2 words: Everything else… If that took you down memory lane, then this next piece will really hit home:
2 months later:
- Assessor: I suggest having a central logging solution for all servers.
- Manager: That is a great idea! I will ensure that the administrator gets right on it!
I really hope you didn’t have any plans for your wife’s surprise birthday party tonight, or your son’s baseball game. But at least management is finally listening, right? They finally get your perspective, right?
The Manager’s Side
Wrong! You didn’t think it was that easy, did you? Do you want to know why managers won’t listen to you? You see, as much as they do not understand you, you don’t understand them. Answer the following questions:
- What was the company’s last quarter revenue compared to the quarter before?
- What is your company’s budget for items such as cybersecurity?
- What is the value of the information that you are protecting, or suggesting protection for?
- How often does your company meet to discuss items such as cybersecurity?
- If the company spends $10,000 to implement your suggestions, what will be their return on investment?
How many did you get right? If your answer was not all of them, congratulations; you are right where I was a few years ago. I subscribed to all the blogs, reviewed all the new flashy tools and tricks, and thought they would fit perfectly in my environment. Do you think I ever considered the amount that it would cost the company? Or the amount that the company considers ‘too much’? Of course I didn’t, and you may not either.
There are 3 things that always must be considered when suggesting a solution. I want you to guess which 1 many technicians always ignore:
Now, you know the time, since you will probably wind up doing the work, making you the resource. Do you have the time to do the work, on top of all the other things you need to do? But what does it cost – such as the amount of time you are paid to implement it, or annual fees to maintain the system? Do you see how we can get overzealous with a new idea, and never give a care in the world about how much it costs?
The reason managers may listen more to assessors than to technicians is not because technicians don’t have good ideas. It’s because as assessors, we try to speak a language that both technicians and managers understand, and our professional goal is always to provide a cost-effective security solution that fits the overall business need.
Building a Bridge
There are 5 things that you can do right now that will ensure more trust between management and yourself:
- Attend all budget meetings. We all want to be heard, so what’s a better place to understand money flow than at the periodic company budget meetings? Knowing where money goes and doesn’t go can allow you to make choices on suggestions that a manager may listen to.
- Research multiple solutions. Each problem does not have a single answer. For example, there are thousands of logging solutions, all having a different cost and functionality. Find what will get the job done at the best price. Sometimes, having a “top 3” list, with quotes attached, can show the higher-ups that you considered all possible avenues.
- Discuss cost during all cybersecurity meetings. Okay, this one can get tricky, but hear me out… What is the ultimate goal of the company? Long story short: to make money. Everything has a cost, with the appropriate pros and cons attached to it. Every printed report, every email sent, and every meeting costs money. You can take the information you learned from the budget meetings, and incorporate it anywhere. Does your solution, or the way you currently do business, benefit or cost the company?
- Ask questions. Get an idea for why something is done a certain way. My least favorite answer is, “That’s just how we have always done it.” Just because that is the way things have been done in the past doesn’t mean that there isn’t room for improvement.
- Don’t be afraid to ask for help. Don’t whine or cry about the fact that you are doing too much. Ask for help. Document your discussions with management about any concerns that you may have. When you take on too much work, and do not get it done, whose fault is it? Well, ultimately, it will be yours. But, did you ask for help? No? Then you have no leg to stand on. Asking for help does not make you an inferior technician, but rather a normal human being who can see that the company will miss key security controls if the work doesn’t get done.
So, who was I talking to? Was I talking to the poor lonely technician who is begging for some oasis and sanctuary from the “man”, but won’t take the time to understand what the business goal is? Was I talking to the manager who will not give this poor kid the time of day, who also does not understand how the kid thinks? I was talking to them both, because as the administrator must learn finance, the manager must be willing to teach it. On the flip side, the manager must acknowledge that the technician has valuable insight into how to address exposures and risks. Only once we begin to understand each other, will we be able to secure our infrastructure. So, I will ask you again. Why do I do it? To bridge the gap that will probably always remain bridgeless. But someday, we may be close enough to see eye to eye.