The greatest testament to a cybersecurity professional is when a university asks you to teach its future cybersecurity professionals. I am extremely excited about this new opportunity. I look forward to sharing my knowledge and work experience with the next generation of professionals.
THE IMPORTANCE OF HAVING A GOOD MENTORSHIP
One of the main things that I feel I missed out on was having a mentor to guide me through some of the tough times in my career. Knowing the material and the requirements is only a third of what it takes to succeed in this career. I had to discover the hard way that, in order to succeed, you need to gain buy-in from senior management. Buy-in is when you get a person or a group of people to take part and be on your side to complete an action or get an action completed. Why is this important? Well, first of all, IT IS NOT YOUR NETWORK! As a cybersecurity professional, it is your responsibility to protect the organization’s network based on how they want it protected. Sounds weird, I know.
As a cybersecurity professional, it is important to know that the system you promise to protect is not yours to fix without proper approval. This was something that I struggled with early on in my career. Whenever I saw a vulnerability, I wanted to quickly fix it and protect the network while securing all of the devices associated with that network. However, what I have learned is that when you see a new vulnerability, you report it immediately to the CIO and senior management. Before you report your discoveries to senior management, you need to do some research in order to gain proper buy-in for all possible remediation efforts. If you do not present the information properly, with all of the facts, then management will not think it is something they should worry about. Below are some of the things that I would research before speaking to management (the order depends on the nature and severity of the vulnerability):
- What is the vulnerability? Does it affect any other critical equipment or software?
- Has any PII been leaked? HIPAA? Does the Privacy Officer need to be involved? Is there any other department that you should tell?
- Was there any type of software or hardware in place that should have protected against this vulnerability? If so, what failed? How and why?
- Is there a risk document in place already? Is there a POA&M in place? Is this something that management is aware of already?
- What are the ways that we can protect the network against this vulnerability?
Due to the separation of duties, it can sometimes be frustrating if your access is limited. While serving as an Information Security Officer, my access was extremely limited, and I was only allowed to play the role of “monitor”. I had to speak with the CIO, and then he had his team take the necessary actions to correct the vulnerability or document it in the form of a POA&M. When I served as an Information Security Engineer, after I gained buy-in from the device owners, I would brief my team on the steps needed to remediate the vulnerabilities.
When presenting to senior management, it is important to have as much information as possible. That way you will be able to gain the buy-in you need to carry out the tasks you have sworn to perform.
THE FRUSTRATING PART OF GAINING BUY-IN
It is important to realize that senior management may not be computer savvy. The information that you present to them may go over their heads. I have learned not to get flustered if I get the “deer in the headlights” look. Whenever I presented information to management, I made sure to follow my presentation checklist.
- Do not use big computer words or too many complex computer terms. (You do not look smart by using your extensive vocabulary.)
- Break down the information in the simplest way possible and use examples.
- When presenting the vulnerability, it is important to make them understand the “Why should I care?” aspect. (Besides, it’s your job to make sure that the network is protected, not theirs.)
- Make sure that you let them know what you need from them and how important they are to the security process.
- Do not be afraid to let them know all of their options. (It used to make me so upset whenever an organization just wanted to document the problem rather than correct the issue. Over time, I had to realize that it was not my call if the organization chose to accept the risk of having the vulnerability on their network.)
- Document everything. (If there is a plan in place to correct the vulnerability, it is important to document the timelines and milestones within POA&Ms. If the organization chose to accept the risk, document it and make sure the appropriate persons complete the needed action.)
- Follow through with whatever actions are agreed upon.
Once management involvement is solidified, it is a great feeling. Nothing feels better than having senior management on your side in correcting a vulnerability. On the flip side, when management does not want to be involved in correcting the vulnerability and consistently gives you a hard time…well, it is a terrible feeling. A lack of forward progress in your workflow will only lead to the hassle of extending POA&Ms past their completion dates.
As an instructor, I am so excited that I will be able to properly guide these new professionals in their cybersecurity careers. I hate it when people hoard information and just sit back and watch someone burn. Early in my career, I was “thrown in the fire” all the time. I have had plenty of late nights pondering what I could have done differently. Many tears were shed out of frustration in the wee hours of the night, so much so that the flames hardened my skin. I do not want our future professionals to suffer the same fate.