
Posts Tagged ‘learn’

How to Respond to Criticism – Learning from Dr. King

September 20th, 2009 No comments

It is probably one of the hardest parts of our job as security professionals – presenting security issues & the potential impact of risk while not becoming an easy target for dismissal by critics. Indeed, if your day is anything like mine, much of our time is spent justifying our assertions that problems do indeed present a risk that the business should care about.

It was this that came to mind as I read a post over on Tim Ferriss’ blog calling out a letter written by Dr. Martin Luther King Jr. The post describes the circumstances of the letter and speaks for itself regarding what can be taken away from its reading. The skills & posture used in this letter are things all security professionals (and really, all professionals) should learn. The letter is long, but even if you don’t read the whole thing, Tim has highlighted (in bold) certain sections which stood out for him. The ability to acknowledge an argument and calmly disarm it with facts is a skill that takes practice – but this letter stands as a fine example to get you started.

How to Respond to Criticism – Learning from Dr. King

I’ll cite only this short bit at the end of the letter:

Never before have I written so long a letter. I’m afraid it is much too long to take your precious time. I can assure you that it would have been much shorter if I had been writing from a comfortable desk, but what else can one do when he is alone in a narrow jail cell, other than write long letters, think long thoughts and pray long prayers?

If I have said anything in this letter that overstates the truth and indicates an unreasonable impatience, I beg you to forgive me. If I have said anything that understates the truth and indicates my having a patience that allows me to settle for anything less than brotherhood, I beg God to forgive me.


Re-tooling your infosec

July 5th, 2009 2 comments

For the last year I’ve had a full-time gig to build the InfoSec program at a small company. This is a company that had no prior security program and needed to have one built. Looking back on the last year, there were a few things I did right, but plenty of things that didn’t go as expected. At the risk of putting my annual review out here for public scrutiny, let’s talk about what I’ve learned and make some fun of us security professionals… at my expense.


How becoming more civilized makes us less secure

May 20th, 2009 No comments

InformIT just published an article from Chris Nickerson which describes some of the training we inherently receive in life. You are taught things like “If you don’t have anything nice to say, don’t say anything at all” which are intended to make society as a whole function better and make everyone nicer to each other. This works great until someone chooses to exploit your concern for being rude and puts you in a position where you should question them, but are not likely to do so. Read the article; it’s 5-10 minutes and gives a great perspective on the risk associated with these mindsets. Chris makes the point that while Disney films have had a large impact on telling life lessons which promote better relationships between people, those same lessons weaken our ability to question that which doesn’t seem quite right: the maintenance guy you have never seen before, the phone call that doesn’t sound quite like the CEO, or that email that looks legitimate but has something wrong. You want to question these things – but do you?

Exotic Liability Podcasts – go listen

May 4th, 2009 No comments

If you haven’t already, check out the new batch of podcasts over at ExoticLiability. Chris Nickerson, Ryan Jones and DJ Jackelope are putting on what is currently the most down-to-earth security podcast in existence. The latest, Episode 12, includes an interview about the upcoming version of Kismet with Mike Kershaw.

Topics include current events & trends, new tools, social engineering and even a manhunt or two. They normally have a guest and then discuss other topics that are relevant at the time. It’s a good show & they’re fun folks to listen to. Take a break and hang out with these folks – if only virtually.
