I’m not happy ‘till you’re not happy: Building better Information Security relationships. Heather Diehl, PMP | Enterprise Architecture | ITCD, 702. Information Assurance @Goddard, June 27, 2011. http://www.flickr.com/photos/amylovesyah/4444095375/
What brought you here? Role? Interest? The title? Let me tell you about the title… Luke Drury. I thought it was hilarious… till I thought it was sad. http://www.flickr.com/photos/jordandelion/4370518981/
We’re spending a lot of time saying no to our customers, aren’t we? This is a problem. http://www.flickr.com/photos/markdodds/5125418883/
The reputation is a bad one to have. The No attitude, or at least an undeserved reputation, is a huge problem. It gets in the way of our effectiveness. http://www.flickr.com/photos/amylovesyah/4444095375/
But I’m not here to feed you a bunch of fluff. We’re talking about requirements today. http://www.flickr.com/photos/andrewmalone/5163291500/
As an information security professional, the truth is that you are an excellent defender of NASA… if you can pull off a magical balancing act. http://www.flickr.com/photos/dunechaser/142079765/
If you say No as a reflex http://www.flickr.com/photos/markdodds/5125418883/
Now, it might go a bit too far http://greatfirewallofchina.org/index.php?siteurl=http%3A%2F%2Fnews.yahoo.com%2F
It could have an impact on the mission http://www.flickr.com/photos/repoort/2645497916/
Think about what exactly you are saying no to. Are you responding directly to a specific request? “I want administrator rights on this machine!” Do you ask them why, or kneejerk “NO!”? What are some other ridiculous requests that you get? http://www.flickr.com/photos/xurble/376588066/
Let’s talk about the people you work with. http://www.flickr.com/photos/kaptainkobold/5181464194/
What are they trying to do? Do you even know? Have you asked? Do they build satellites? Do they run a training and education center? Do they make sure the bills get paid? L’Enfant’s Plan for DC
They are a component of the system that is NASA GSFC. What they need from you is assurance that they can do their jobs safely. http://www.flickr.com/photos/contemna/5272576625 Heather Diehl
So your people work on marvelous things, complex things, dealing with complex people, processes and requirements of their own, in order to contribute to even greater, more complex things. http://www.flickr.com/photos/contemna/5725291684/ Heather Diehl
See the person, and what problem they are trying to solve. How does IT Sec enable them? http://www.flickr.com/photos/contemna/5273189110 Heather Diehl
You are part of this. Think back to the basics… What are the 3 components of Information Security? Confidentiality, Accessibility, Integrity. http://www.flickr.com/photos/joelogon/346368521/
So, if they present you with a request, don’t forget to look beyond confidentiality… Have you asked what they are trying to accomplish? What problem they are trying to solve? Or are you comfortable not understanding? You should be aware that not understanding their role in the greater context actually introduces risk of its own. http://www.flickr.com/photos/askpang/5402492304/
Because you can offer alternatives. Ones that meet security requirements, and integrate with the constraints of our environment… But you can only do that if you start to look beyond “No” into the land of “Perhaps”. http://www.flickr.com/photos/contemna/5272578725 Heather Diehl
With knowledgeable questions, you can break down defensive postures… Find out what their needs actually are. Maybe the prickliness perceived by each side isn’t actually true. Who is the defensive hedgehog? http://www.flickr.com/photos/swamibu/1937158223/
Be careful about that reflex. http://www.flickr.com/photos/markdodds/5125418883/
Do you want the relationships to be better? Assume noble intent on their part. Go in with noble intent yourself. Don’t sabotage the relationship from the start. Start asking “What are you wanting to do?” http://www.flickr.com/photos/screenpunk/2421689164/
You may find that sometimes what looks like anger [and hostility] is actually pasta. http://www.flickr.com/photos/mrwalker/428510520/
Old habits die hard. On both sides. If you’ve made yourself an obstacle to completing their work, your customers have gone around you, and will actively continue to go around you, ultimately creating more risk. http://www.flickr.com/photos/davidmoisan/3153441857/
Remember that badgering gets you nowhere. Don’t get caught up in personal battles. Just because you are being more mission-focused doesn’t mean that the atmosphere around you will change overnight. Badgers: Original flash animation: http://www.weebls-stuff.com/wab/badgers/ Know Your Meme: http://knowyourmeme.com/memes/badger-badger-badger
Because they just want to do their work. http://www.flickr.com/photos/gsfc/4954529973/
So, how do you see the people and their requirements in the organization? http://www.flickr.com/photos/mac_filko/5491559690/
While most have the same basic requirements, their individual roles sometimes come with a not-so-common set of additional IT requirements. They must use a legacy program that wants to write its data to the Program Files folder… that you could redirect outside of the folder… Sound familiar? http://www.flickr.com/photos/aaron_anderer/4093181371/ http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2FD253711
Anyone have a similar story to share that has information that could be reused? Successful strategies? http://www.flickr.com/photos/westfieldma/31590231/
The more personally invested you become, the easier it is to do these things: Asking “How can I help?” “What are you trying to do?” Have you made yourself part of their mission? Do you know it? Are you excited by it? Are you *curious* about it? Are you proud to be part of it? If you aren’t, why not? http://www.flickr.com/photos/dunechaser/250617151/
The way you are treated will likely change, too. You get to demonstrate your knowledge, your competence, your analytical ability. You are a valuable professional. http://www.flickr.com/photos/donsolo/1344386562/
Because your security role significantly helps them to be more effective. This is NASA. The response of NO has a different meaning here. We do impossible things. http://www.flickr.com/photos/28476480@N04/4548378501/
The fact that you care about their work and their success. You become a trusted part of the team. Yes, it is “My Little Pony: Friendship is magic”. I’m going to love and tolerate the $&*! out of you. Deal.