Your Path into Cybersecurity: “yes, but/and…” (Series 1: Ep 5)

A series based on the original 10 step pathway.

Cybersecurity tends to be considered an operational expense to a company, as it is not income generating. However, we do save the company money, reputational damage, etc., if done properly. But, at the end of the day, we are not the business! We support the business; and in supporting the business, we have to learn to work with and not against.

Take time to learn the business, how it operates, what is important and the best way to secure it. This approach allows us to "yes, but(or and)...", instead of no. If we understand what the business or business units are trying to achieve, we should be in a better position to build security into it.

In Sales, they are taught to say, "yes, but(or and)..." instead of no. This leaves opportunity to suggest alternatives rather than turning down an idea. We can learn a great deal from that approach. For example, if the business wants to move towards the 'cloud' but Security folk, being ultra apprehensive advises against it - what does this do? Does it get us closer to a more secure organization? Many times, it leaves a business to accept a certain amount of risk and move forward with their plan - most likely without the guidance of the Security team. What if the Security team mentioned that if moving to the cloud has a significant advantage for the business, the teams (including Network and Application teams) should consider a 'zero trust model'. This may spark additional conversation and lead to projects which will increase the security posture of the organization.

My point is saying this is that the Security team should welcome new ideas and approaches to doing business, work to understand the end goal, why it is important and determined the best security measure(s) to be implemented. This approach makes the Security team a partner in the game, instead of the team that gets engaged when something goes observably wrong. We all know it is typically a tad bit late at that point.

We aren't the gatekeepers (or maybe we are). But let's focus on building security in from the onset!