<h1>My best decision as a cybersecurity pro</h1>
<p><em>Kaspersky blog, Secure Futures magazine, Security Bytes series. Published 15 October 2019, last modified 11 April 2022. Original URL: <a href="https://www.kaspersky.com/blog/secure-futures-magazine/security-bytes-best-decision/28943/">https://www.kaspersky.com/blog/secure-futures-magazine/security-bytes-best-decision/28943/</a></em></p>
<p><em>What’s the best decision you’ve ever made? Learning lessons from cyber-pros from around the world.</em></p>
<p>I connect with many great minds in cybersecurity on Twitter. I learn so much from them every day. In the <a href="https://www.kaspersky.com/blog/secure-futures-magazine/security-bytes/">Security Bytes series</a>, I share senior security professionals’ savviest advice. Some wished to use their real names, others preferred to stay anonymous. But they all shared tips that are seriously worthy of your consideration.</p>
<p>The question:</p>
<blockquote><p>What’s the best decision you’ve ever made as a senior cybersecurity professional?</p></blockquote>
<h2>Learning to influence the C-Suite</h2>
<p>For two CISOs (Chief Information Security Officers), joining the C-Suite and positively influencing their peers helped them to achieve their goals.</p>
<p><strong>Accidental CISO</strong></p>
<p>“Accepting the role in the first place. The idea was terrifying to me, and I honestly didn’t think I could do it. I’ve had such a huge impact on my company. My work to build and certify the security program paved the way for us to land major enterprise deals.”</p>
<p><strong><a href="https://twitter.com/PatrickCMiller">Patrick C. Miller, CISO, Archer International</a></strong></p>
<p>“I stopped using the word ‘security’ in executive discussions. Instead, I use risk management terms.”</p>
<p>It’s a topic Patrick talked about at the <a href="https://ics.kaspersky.com/conference/">Kaspersky Industrial Cybersecurity 2019 conference</a>, and it is a very good point. If CISOs and technical professionals want to influence the C-Suite, they must learn to speak their language. Talking money, meaning the expected financial cost of the cyberattacks the business could realistically face, is usually a good starting point for discussing risk management. Executives are more likely to care about security hardening if they realize how much money their companies could lose from cyberattacks and the related reputational damage.</p>
<h2>Knowing your limits</h2>
<p>Knowing which responsibilities you can handle, and which you can’t, is an important factor in your success as a cybersecurity professional.</p>
<p><strong><a href="https://twitter.com/secwonk311">Secw0nk</a></strong></p>
<p>“Hiring people smarter than me. Early on in my career, I watched managers and leaders who prided themselves on believing they were the smartest person in the room. I made note of what not to do. When I got the chance to build a team, I made the conscious decision to hire people who I knew I could learn from, who had better technical experience than me, and for whom personal growth was important.”</p>
<p><strong><a href="https://twitter.com/JoonatanKauppi">Joonatan Kauppi</a>, founder, <a href="https://www.leijonasecurity.fi/">Leijona Security</a></strong></p>
<p>“I recommended a competitor when a potential client requested a service that my company didn’t offer. Because improving our clients’ infosec is ultimately more important than improving our revenue.”</p>
<p><strong><a href="https://twitter.com/BetoOnSecurity">Beto on Security</a></strong></p>
<p>“Dumping a toxic client.”</p>
<p><strong>‘Nick’</strong></p>
<p>“Learning to say no and sticking to just one job. I kept taking on extra contract work or even trying to work two jobs full-time, and found that I ended up failing at both of them.”</p>
<p><strong><a href="https://twitter.com/lkarlslund">Lars Karlslund</a>, founder, <a href="https://www.netsection.com/">NetSection Security</a></strong></p>
<p>“Trusting yourself enough to say no when it felt right.”</p>
<p><strong><a href="https://twitter.com/SeniorDBA">Troy Blake</a>, PCI compliance and cybersecurity expert</strong></p>
<p>“Focus on simplicity over complexity. Utilize products 100 percent before you add another tool to the cybersecurity environment. It makes management, maintenance and training so much easier – and it saves the company money.”</p>
<p><strong><a href="https://twitter.com/kramse">Henrik Klimatosse Kramshoej</a>, “internet samurai”</strong></p>
<p>“I never compromise my integrity. I lost a well-paid job because they made me set approximately 4,200 logins across 48 servers back to ‘passw0rd’ because locking them caused too many support issues.”</p>
<p>Ouch! Don’t rile cybersecurity professionals. They know how best to handle your business’s precious data. Rolling thousands of accounts back to a single well-known password to cut support tickets removes exactly the control that account lockout exists to protect; the answer to lockout pain is a better password reset and recovery process, not weaker credentials.</p>
<h2>Doing things your own way</h2>
<p>Some cybersecurity professionals work best when they can make their own decisions and take charge.</p>
<p><strong><a href="https://twitter.com/m49D4ch3lly">Magda Chelly</a>, founder of <a href="https://responsible-cyber.com/">Responsible Cyber</a></strong></p>
<p>“I went on my own journey with Responsible Cyber and stopped contracts by choice (optional work opportunities). I now delegate to my employees more and more.”</p>
<p><strong><a href="https://twitter.com/nderground_net">Nderground</a></strong></p>
<p>“The best professional decision I made was to move to Bonaire (a Caribbean island) and consult. I wake up every morning and feel very fortunate to be able to live here.”</p>
<p><strong><a href="https://twitter.com/cybergeekgirl">Lisa Ventura</a>, founder, <a href="https://cybersecurityassociation.co.uk/">UK Cyber Security Association</a></strong></p>
<p>“Founding the UK Cyber Security Association and becoming a writer, blogger, influencer and keynote speaker in the cybersecurity industry. I have never been happier and I love what I do.”</p>
<p><strong><a href="https://twitter.com/iMeluny">Melanie Ensign</a>, security and privacy communications, Uber</strong></p>
<p>“Work for a cause, not a company. This makes it easier to find the right opportunity or walk away if it’s not right for you.”</p>
<p><strong><a href="https://twitter.com/RAGreenberg">Richard Greenberg</a>, IT security evangelist</strong></p>
<p>“Accepting a position when I had just barely qualified was an intense but amazing learning experience. I learned so much and it gave me confidence for my future endeavors. Push your envelope!”</p>
<p><strong><a href="https://twitter.com/sameepagarwal3">Sameep Agarwal, former cybersecurity specialist</a></strong></p>
<p>“The best decision I made was to interact positively with everyone I met. I speak my mind and convey my message without mincing my words.”</p>
<p><strong><a href="https://twitter.com/itsmalware">It’s malware!</a>, malware researcher</strong></p>
<p>“Talk about salaries with co-workers. Don’t let a company get away with unequal pay for anyone. And pay people for work, even if you’re a start-up.”</p>
<p>That’s sound advice. I agree with discussing money openly because it benefits workers.</p>
<h2>Professionalism matters</h2>
<p>Soft skills, like having a professional demeanor and being motivated to do your best, are critical for a successful cybersecurity career.</p>
<p><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2019/10/15101324/cyber-pro-best-decision-inline-1-1024x768.jpg" alt="cyber professionals" width="1024" height="768"></p>
<p><strong><a href="https://twitter.com/InfosecVandana">Vandana Verma</a>, security architect at IBM</strong></p>
<p>“Keep calm and be friends with the dev team!”</p>
<p><strong><a href="https://twitter.com/UK_Daniel_Card">mRr3b00t</a></strong></p>
<p>“Focusing on customer success and delivering fantastic services that aren’t just run of the mill. Deliver the best that you can.”</p>
<p><strong><a href="https://twitter.com/richardcardona">Richard Cardona</a>, product security maven, <a href="https://www.eff.org/">Electronic Frontier Foundation</a></strong></p>
<p>“Funnel customer vulnerability reports through support, but demonstrate how unaudited scans are full of false positives. For anything in question, escalate to appsec.”</p>
<p>Perhaps penetration testing, and the vulnerability reports built on it, relies too much on automation. Scanners are useful for coverage, but a scan result only becomes a finding once someone has verified it, and that verification step is what separates a report worth escalating from noise.</p>
<h2>There’s always room for self-improvement</h2>
<p>One thing’s for sure in your infosec career: you’re always going to need to continue learning.</p>
<p><strong><a href="https://twitter.com/HirsiHamza">M’hirsi Hamza</a>, cybersecurity analyst, Barac.io</strong></p>
<p>“Never hesitate to try to learn new things, even if it isn’t in your immediate field. If you understand what different teams do in your company, you can better understand what outputs you need to deliver.”</p>
<p><strong><a href="https://twitter.com/JustinRuth">Justin Ruth</a>, security researcher</strong></p>
<p>“Putting myself through the OSCP (Offensive Security Certified Professional certification) – never be afraid to invest in yourself.”</p>
<p><strong><a href="https://twitter.com/DBattisto16">Battisto</a>, security enthusiast</strong></p>
<p>“Spending a year as a helpdesk tech, then two years as a sys admin <em>before</em> getting into security. The best security practitioners need a good understanding of how networks function before they can learn to secure them.”</p>
<p>Experience counts. Be curious about everything.</p>
<h2>Making a difficult decision</h2>
<p>Sometimes decisions are difficult to make. Sometimes other people in your organization will resist a necessary change. These cyber-pros made difficult choices that worked out for the best.</p>
<p><strong><a href="https://twitter.com/nicoladiaz">NicoladiaZ</a>, infosec consultant, <a href="https://rsf.org/">Reporters Sans Frontieres</a></strong></p>
<p>“Switching from Windows clients to Linux. It was a good decision regarding the users’ needs but it demanded strong political support and dis-learning capacities on behalf of end-users.”</p>
<p>It’s tough to break old habits. Sometimes you need to be assertive if there’s a good reason to switch platforms.</p>
<p><strong><a href="https://twitter.com/ShellyKramer">Shelly Kramer</a>, CEO, <a href="https://v3b.com/">V3 Broadsuite</a></strong></p>
<p>“Convincing clients to go ‘all in’ on employee awareness training on a regular basis. Given the monumental phishing problem for corporate cybersecurity, employee training is always worth the investment.”</p>
<p><strong>“Joe Schlmoe”</strong></p>
<p>“I had to set up a security compliance team at a division of a Fortune 500 company. Dev folks resisted our efforts. The answer came to me after some weeks. I told the principals in a meeting that unless we all embraced security compliance testing, we were letting our customers down by possibly releasing a sub-par product to our customers. That took root, and within a year we went from mid 30 percent to nearly 99 percent compliance.”</p>
<p><strong><a href="https://twitter.com/Bl4ckP41nt">Bl4ckP41nt</a>, security engineer for a major US-based airline</strong></p>
<p>“Challenge the C-Suite to manage down: explain the ‘whys,’ maintain the relationship, then watch the boat slowly turn.”</p>
<p>In conclusion, you can learn things the hard way by making mistakes and reflecting upon them. But the easiest way to learn is to listen to people with experience.</p>
<p><em>These opinions reflect those of the experts quoted and the article’s author.</em></p>
<p><em>Article published in 2019.</em></p>