Why Can't Security Play Nice With Others?

Is it just attitude that keeps security teams from working well with the rest of the organization? And if so, can that attitude be changed? What's keeping things so negative? Some thoughts...

Watch this episode on YouTube.

Reasonably Accurate Transcript

Good morning. Welcome to episode 6060 of uh Mornings with Mark by episode 60. I should probably remember the name of the show a little more confidently than that. Um What I want to talk to you today about was simply why can't security teams get along with others?

I know that seems ridiculous. We're all adults, we're all trying to achieve the same goals. But are we? So I've talked a lot over the last few episodes about getting started in cybersecurity. Um And I think, you know, where I have a challenge in giving advice, people, uh giving advice to people on how to get started in cybersecurity is that I think fundamentally how we implement cybersecurity today is broken.

So I find it very difficult to say, hey, you should take these steps to get into cybersecurity and perpetuate the challenges we have today. Um I've been doing this for a very long time, unfortunately, um, probably too long in some respects, but that uh length of time gives me a different viewpoint, I think.

Um, and a lot of folks who have been doing this for a while have that sort of um broad perspective as well, but we haven't facilitated as much change as I would like to see. And one of the biggest changes I find or uh that we need to do is how the security team is viewed within the organization, how the security team views itself and how to actually fundamentally make changes as much as I love seeing the next cool zero day exploit the next cool huge vulnerability or theoretical attack.

You know, that stuff is really interesting, but it's not really um you know, we have conferences that are centered around this type of information and yes, there's value in that, but we don't talk nearly enough about getting out into your organization and educating people raising the level of everybody's cybersecurity knowledge of helping build security in by design, building privacy in by design.

Yet we in information security are the ones with all the knowledge. We are the ones who understand that risk aspect that understand that threat matrix that can help communicate that yet we really fail to do that. I think it's understandable from some respects, but it really holds us back.

So let me give you a couple of things to think on because this is not a Mornings with Mark where I come to any conclusion, this is very much a conversation starter, hopefully or hopefully a continuation of a conversation we've been having. Um But here's something I find interesting from security perspective and you see this mirrored in law enforcement in defense in anything where you're constantly fighting an adversary or feel like you're in an adversarial situation.

At some point, cynicism steps in it takes hold and everything is doom and gloom. It's the nature of the business. Sometimes it's really unfortunate. You know, there's a reason why in law enforcement for forensics teams, they cycle people in and out on a regular basis because you can only take so much before your perspective is permanently shifted.

And that perspective, there may be advantages in that shift, but more often than not, there's significant disadvantages. So let me take this a little step further and say this, if you're constantly looking at users' negative behavior, it is inevitable that you form a negative general impression of users.

If you're constantly looking for crime, you're going to tend to see crime everywhere. If you're constantly looking for security risks and threats, you're going to see them everywhere. You may think. Well, isn't that the job? Yes, that's part of the job, but part of the real core of information security within an organization is to help move that business forward.

Um There's no bad risks except the risks that you're completely unaware of. And if implicitly taken, um in on, you really need to have risk out there, evaluate it as a business decision and move forward. But if you're constantly sitting there and looking at bad user behavior, um have a negative view of your users, um have a negative view of, you know, you're constantly being bombarded with attacks and this type of thing, you're not gonna have that positive outlook.

And I think that really comes to the core of why security teams don't play well with others is because we're grumpy gus, we're negative and cynical because that's all we're exposed to. I think that's on us. Um, from a security perspective, I think you really need to push forward.

You need to look at the positive aspects. You need to put yourself out there and work with other teams in the business to ensure that you're seeing the positive side, that the upside. So that when you do see malicious user intent or poor user behavior, you can put it in proper perspective and say, wait a minute when Mark did that really dumb thing and downloaded that um cool new app and infected his Endpoint and everyone in his business unit, that's an isolated thing.

That's not a constant thing. And I think that's a huge challenge in security and I think we've set ourselves up and our systems up to amplify that. This comes to a part of my challenge around. Um So right around security operation centers, they're required. Now, I understand that I think they provide value.

Now they perpetuate this negative view, but they also isolate security as opposed to having just an operation center in which security is a part, right? So security is a part of the business. It should be treated in the rest of the operations of the business and it's the same with the people.

So I think my thought for you today is really, are you grumpy? Are you cynical? Are you trapped in this self perpetuating negative feedback loop? And how can you break that? How can you step out and look at the positive aspects of the business? Look at the positive influence that you as a security professional could have on the business.

Can you go teach somebody something today to get a win on your belt? That's pure positive. Can you notice some interesting outbound traffic on the network and say, wait a minute if I go talk to Mark about the fact that, you know, he's using an unencrypted connection to his email server.

If we make that encrypted connection, he's better off and it's really little to no impact on him. It's just a little bit of education. Is there a simple win that you can put in the positive column? I challenge you to find that today and then find another and another and another.

Adjust that perspective. And I think we'll work better with other teams within the business because right now we have that reputation of being grumpy, cynical always saying no. And I think what we've set up as organizational structures, what we've set up as systems reinforces that viewpoint, not just from others but from ourselves.

And you really need to break that and get positive. So find a positive today. What do you think is this resonating with you? Hit me up online at marknca um In the comments down below if you're watching this um on any of the networks, um always feel free to email me me@markn.ca.

This is very much an ongoing discussion. As always, I appreciate that you've stuck with me through 60 episodes. I look forward to the next 60 the next 60 after that, in the meantime, have yourselves a wonderful day. Find that positive and keep building on it.
