Many of my colleagues believe that their responsibilities as an information security professional stop at their day job. They’re exhausted by the stress of constantly putting out the latest security brush fire. Trying to balance daily operations while keeping up with the latest threat intelligence is challenging on the best day, so by the time the shift ends, they simply want to shut off. I understand, but would argue that this isn’t a good personal or professional choice.
Rather than a technologist, I prefer to think of myself as a peace officer. My vocation is to keep an environment free of violence, albeit the digital kind. Like members of law enforcement, being off duty doesn’t mean I’m exempt from the code of conduct that applies when I’m at work. I consider myself an information security evangelist in my daily life, teaching and reinforcing its principles to the unwashed masses: my friends, dentist, and neighbors.
The benefits of being generous with my time and knowledge are invaluable. I gain an understanding of the risk appetite most people have for security controls. It gets me out of my “best practices” ivory tower and helps me appreciate what works and what doesn't, and understand how I can improve the industry to better serve the user. I mean, that's why we're here, right?
Recently, my physical therapist asked for help with computerizing her office. Was I overqualified for the task? Sure. But I saw it as an opportunity, a chance to help a flip-phone clinging Luddite with modernizing her business. I know that some in IT still see users as a drain on their time, but these moments give me a chance to get feedback about the industry I work in and how well our “controls” actually serve the user. I ended up implementing about half of the security measures I’d normally apply, but they were controls that I knew she could live with every day without cursing the gods (and me).
But being a security good Samaritan isn’t restricted to improving technical proficiency, it also provides an opportunity to flex empathy skills. Treat it like a practice session, asking for feedback from a friend or acquaintance. It’s an exercise in building emotional intelligence and cultivating respect for the other -- that carbon unit between the keyboard and the chair.
[Read how a popular competition among information security enthusiasts has evolved into a mainstream endeavor critical for professional development in "Want To Develop Information Security Skills? Capture The Flag."]
It’s easy for IT professionals to get caught up in our solutions. That’s why we fell in love with the engineering profession; there’s nothing like the smell of “new computer” in the morning. But if the technology takes the user nowhere, it’s a waste of everyone’s time. I told someone recently that I felt my job was 50% public relations. How am I going to get a user to do what I need if I’m alienating him or her?
According to Tina Seelig, a professor at Stanford University and executive director of Stanford's Technology Ventures Program, subject matter knowledge is a tool for creativity. If I’m helping someone to accomplish a goal, doesn’t that make my work more meaningful and more creative?
While the people in your community don’t work in your enterprise, they work in someone’s organization. By being that good Samaritan, it allows you to look at security in larger context, providing some insight into the mind of the user so you can understand their wants and needs on a much grander scale. That ennobles not only you but our profession overall.
[Get tips for managing IT teams in Michele Chubirka's workshop "Humans Aren't Computers: Effective Management Strategies For IT Leaders"at Interop Las Vegas March 31-April 4. Register today!]