Transparency and trust are so important in life and in risk management of a cyber security program. Fear is often the culprit when people are not transparent, eroding trust. Fear of personal risk or loss (keep my job or don’t want to rock the boat type attitudes), fear of making a mistake, fear of the unknown – and we haven’t even touched the surface of fears impacting the workplace (fear of work? :)).
I have seen two camps: those that share and those that don’t. Sometimes individuals and/or companies are just in uncomfortable ground but work towards a solution while others just refuse to share. It’s often a cultural challenge coupled with individuals. Leaders, at the top, MUST encourage, promote – in fact demand – transparency and trust and model it. If you aren’t doing this you’re selling yourself, your team, and your company short.
How does this make a difference?
Scenario A: Please tell me about anything malicious you can find linked to IP x.x.x.x.
If I, as an employee or consultant, blindly go and find out everything I can, will I hit the mark on research and response? Depends. If the client shares nothing else we can perhaps tell them about some domains associated with the IP, any abuse linked to that IP and/or domains hosted on that IP now or previously, etc. Of course there is always WHOIS information and reverse-IP data to consider. None of this is necessarily the path to pure awesome findings or context, but you might find something of interest? You could spend a lot of time establishing multiple threat contexts and threats, and for what? Does the client need additional IOCs because they had risk exposure or an incident? Are they trying to get a 3rd party vendor to blacklist something they have had issues or a problem with? Is it perhaps their own server and they want to know if anyone has been abusing it? So many angles and each has its own story – transparency matters!
Scenario B: My management has been talking about hiring more staff but hasn’t acted on it yet. Can I talk with you, privately, about what I think is going on and get your advice on how to convince them to hire staff, and the right types of staff? In this scenario vulnerability is required to reveal perhaps politics, personalities, and people… that involves risk, sometimes lots of risk. Once we are real with one another we can then be laser focused with a greater chance of success to meet the real need, stated or unstated.
Evaluate for yourself your transparency and trust culture. Do you feel safe in your job, or do you feel you need to manage perceptions, watch for this person and that, etc.? Does your company shame or ignore people that make mistakes, or celebrate opportunities to learn and grow and move forward? Does your team meet as a team, and share things they didn’t know, are learning, etc., or is there only the sound of lone Tarzan beating his chest in the corner in a testosterone moment? If you want to be great, really great at security, you’ll have to be strong and courageous enough to be transparent and trusting; willing to be hurt, betrayed, have others see your mistakes, and move forward in your growth over time; show grace to others to encourage an atmosphere that is safe and encourages learning. I’ve been doing security for a long time, full ninja status, and I still learn something new every day. A long time ago I had to give up the idea that I had to know it all – you just can’t. I need to be able to grow, adapt, and work with others to be successful. Transparency and trust are key ingredients to the success of your individual career, your colleagues, and your company.