Chapter 9. Don’t Overlook Prior Art from Other Industries

Ben Smith

There’s nothing I like better than uncovering a clue that someone else may already have figured out the very problem I am grappling with. This is especially awesome when that potential solution arrives from a completely unexpected source, someplace well outside the boundary of information security.

Here are some examples of how you might think about dealing with...

Adversaries

We tend to be hardwired in thinking that “telecommunications” is a recent innovation. But communicating at a distance, and the networks humans use to move a thought from one place to another, have taken many forms over the centuries. Think about Depression-era bicycle couriers on Wall Street, commercial express companies, national postal service programs, semaphores, flag signaling, line-of-sight and relay communication, heliographs, fire-based beacons, smoke signals, synchronous optical telegraphs, and carrier pigeons.

Do you suppose there might be (already learned!) lessons about how each of these telecommunications networks was exploited for mischief or crime, poisoned with false data, or simply used in some unanticipated way?

Projects

As an information security professional, your coworkers may consider you an unwelcome representative from the Department of No. Where this can become especially uncomfortable is when we are tasked with contributing to projects headed by other departments. When you are asked to weigh in on one facet touching your world, how do you tactfully make your point and get it to stick?

Enter the world of improvisational acting. Improv can be leveraged as a means to communicate more productively, especially around tough asks from your colleagues that set off your internal information security alarm bells. The key to any successful improv session is to keep the conversation, and the ideas, flowing by answering “Yes, and…” (accepting) instead of “No way!” (blocking). Agreeing to consider a request, while at the same time laying out how you might fulfill it, is usually more productive than turning someone down immediately. Hint: this is an essential skill upwardly mobile information security professionals tend to figure out early on.

Coworkers

Security awareness programs usually fall under the purview of the information security team. Why do some security awareness programs fail? Bland content, poorly aligned objectives, and settling for a one-time checkbox compliance approach can all contribute to short- and long-term failure. A common thread across many successful security awareness programs is the goal to not just make end users aware of potential areas of exposure, but to actually change underlying behaviors that are contributing to the problem.

Broadening the conversation to encourage basic hygiene and instill new foundational habits is an appropriate goal not only for information security; in fact, you may recognize these very same concepts and language from the world of public health risk management. Are there takeaways from prior public health initiatives that we can apply to our security awareness efforts today?

And a final point, important enough to break out on its own here: Ask your family. Ask your friends. Just because they aren’t immersed in your information security world doesn’t mean they can’t offer up a story, or an analogy, from their perspective that might just help you with your problem du jour. Ask them what they think about your challenge.

Even better, this phone-a-friend approach forces you to be able to describe your challenge clearly and cleanly to someone not already in the thick of it. If you can’t do that, then perhaps you don’t fully understand the nature of the problem.

Don’t jump to solve a challenge without first taking the time to think about adjacent industries, or related problems, or possible lessons from history.

Or more succinctly: don’t reinvent the wheel.
