Leading without authority: Invisible Security
July 16, 2023 - Information Security
Running a Cyber Security program for your organization is leadership, and often it’s leading without authority. For your program to run effectively it must:
Lead without imposing: Your users should feel like they’re making security decisions because they make sense, not simply because they’ve been mandated to do so. This is especially necessary when you’re leading without authority. When they do need to make a decision that impacts their security or that of the business, the secure option should be the path of least resistance. When security is hard to use, people often find a way around it.
Empower your users: Members of your organization should be given the tools, training, and education they need so that they can understand what decisions to make on their own, and when (and how) to ask for help. Training is not a panacea; in my years of running phishing simulations I’ve learned that we can’t completely solve security with awareness training. The human operating system has a critical vulnerability: we can be lied to, and that’s not getting patched out. But training can be a valuable part of your layered approach, by teaching your users what to look for and how to report trouble when they spot it.
Be trustworthy: Zero Trust is a common buzzword these days, but if the org has zero trust in its security team, that team is not going to get budget, buy-in, or support. We have a lot of access, but with great power comes the need for great oversight. No one on your team should be able to violate anyone’s privacy without everyone on your team knowing. And everyone on your team should know when and how to handle sensitive data.
Have empathy: Empathy is critical for building psychologically safe teams where everyone can be their true authentic self and do their best work. Having empathy for the customer, too, is critical in security and engineering. We often interact with users 1:1 when they’re having a bad day. They got phished, or executed malware, or made some other simple mistake that had a large impact. These are opportunities to teach, but you need to make sure they’re first in a place where they can learn. If users feel embarrassed by these mistakes, they might try to hide them rather than report them. The sooner we hear about these mistakes (that anyone could make), the sooner we can start mitigating the impact.
Provide invisible protection: A mature security program is one that doesn’t ask much of the end users. Human error shouldn’t remain at the top of your risk register as an unsolvable problem. A friend who was VP of DevOps once pointed out to me that the FAA almost never classified a plane crash as human error. The systems are so resilient that a pilot would have to try to crash the plane. Security shouldn’t be your end user’s burden, it should just happen, effortlessly. If we build resilient systems that give our users a safe way to fail we can reduce this burden and enable the business to move faster.
Sometimes the best leaders are the ones we don’t even know exist, even when they’re leading without authority. Our controls should provide zero friction, until they need to.
Each of these domains can be matured and measured independently. As these grow you’ll have plenty of success stories to share.
I know you can do it,
sedward5