“It emphasizes the idea that ensuring the safety and protection of information and systems goes beyond simply implementing security technologies or using the latest tools. Instead, it requires a comprehensive and proactive approach ingrained in the thinking and culture of individuals and organizations.”
I was able to participate in this year’s Defcon, and there was an interesting conversation around what organizations look for when hiring security professionals. My answer is usually that I want the right attitude first and foremost – knowledge is easy to gain, and those who just collect accolades of certifications should maybe think about gaining experience rather than yet more acronyms. However, it’s difficult to get someone to change their mindset, so the right attitude is very important. But what is the right attitude?
Firstly, security professionals differ from developers and IT engineers in their outlook and approach, so in my opinion this needs to be understood rather than conflating the roles. The mindset of a security professional constantly revolves around critical thinking and what could possibly go wrong (something that tends to spill over into our personal lives as well, much to the annoyance of families and kids). Contrast this with the mindset of a developer who is being measured on their delivery of new features. Most developers, or IT engineers, are looking at whether what they have delivered satisfies the requirements from the ‘customer’, the positive case, i.e. does it perform the function we intended? Security professionals look for the negative case, i.e. can I do anything other than the function intended? Of course, as a security professional, if you don’t understand the intended function then you cannot set appropriate security controls or assess the potential impact if things go wrong, but your mind will immediately go to the ‘what if’ scenario. Therefore, expecting an IT engineer to deliver effective security is unrealistic.
Secondly, security professionals must be curious (and I don’t mean odd), continuously learning and embracing change. The threat landscape is constantly changing, and technology doesn’t stand still, so it isn’t possible, as a security professional, to know everything. What you must be able to do is go back to first principles and work out what you should be worrying about, not just churn out the same solutions and technologies you always had in the past. I have previously sat in interviews where some candidates were pretending to know everything, or were putting little effort into understanding the scenario being presented; such candidates are going to get dismissed quickly. Equally, I’m not interested in someone who knows one single technology inside-out and shows no interest in learning something new and improving their skills – their knowledge will be obsolete very soon, and then they become difficult to hire.
In practical terms, this mindset includes:
- Awareness: Understanding that security threats exist and staying informed about current threats and best practices.
- Risk Assessment: Identifying potential risks and vulnerabilities specific to your context, whether it’s in software development, network infrastructure, or personal data handling.
- Proactive Measures: Taking preemptive actions to address security concerns before they become major issues.
- Continual Improvement: Security is an ongoing process; it requires constant review, updates, and adaptation to new threats.
It’s important to remember that technology is only as effective as the people using it and the processes in place. A security-aware mindset should be present at every level of an organization or individual practice. It involves a culture that prioritizes security, promotes education and training, and encourages everyone to take responsibility for the security of their actions.
By embracing security as a mindset rather than merely relying on technology, we can create a safer environment for ourselves, our organizations, and the users and customers we serve.
In conclusion, a key identifier of a good security professional is whether they’re interested in learning the business – if they’re not, then they’ll never understand the impact of what can go wrong, and they’ll probably default to deploying tried and tested technologies rather than embracing change and setting appropriate controls. Security professionals have to spend time understanding the business in order to gauge the impact and assess risk correctly so that work can be prioritized, and the risk appetite of the business met.