Security and Emotional Validation
Information Security is about relationships and understanding.
Security is all about relationships. Having good relationships with your co-workers, management, and others in your organization will pay dividends especially when hard decisions need to be made.
Part of a good relationship 🤝🏼 is listening to the other person, and feeling their pain (empathy).
For example, say I find out that in our SaaS app we don’t have any RBAC (Role Based Access Controls) limiting certain actions and that everyone has admin. Wow… well that is a major concern, especially if any PII or sensitive data is involved.
However, I’m not going to lose my cool and cry that the sky is falling… yet.
First, I’m going to go to Engineering and discuss the finding. My goal here, in order, is to:
Gain an understanding of the existing problem
Help them understand the severity and impact of the finding
Discuss and understand all the possible solutions, but more importantly for me to understand how hard this will be to fix and the impact on my colleagues
Here are some sample questions to ask:
Is this something we are aware of?
If not, I’d like to hear their thoughts on the matter (before I give my rating)
What’s the level of effort required to fix this?
What can we do as compensating controls in the meantime?
At some point, I will want them to fully understand the severity, and I will thoroughly explain the reasoning behind it. Maybe even cite examples if needed. Don’t overwhelm them and don’t give deadlines yet, just get on the same page.
Almost undoubtedly they will find this hard to fix. Engineering teams are already swamped, and this requires additional dev time that will take away from their existing work.
Now, here is the point of this article… listen to their pain. Empathize with their pain, and feel their pain. This will be a lot to take in, and what you need to do is let THEM know you understand them. They listened to you and your reasoning, now it’s your turn.
You can use statements like this as applicable:
“I understand you already have a heavy workload.”
“I’m guessing this is not an easy fix, right?”
“I know this is a lot to soak in right now, happy to sync up later to figure out options.”
“Anything I can do to help make this easier?”
Use a statement that communicates your understanding of their situation, and include emotional descriptions.
A Fix Without Mandates
I’d like to share a success story with you.
One time I found an issue via AWS GuardDuty that told me the block public access control was disabled on S3. The engineer’s identity was in the log, so I met with him to discuss the matter.
First I slacked him on the issue and asked if there was any context behind the action. He thoroughly explained the matter in Slack. However, seeing as it was a little complicated, I set up a meeting to discuss.
In the meeting, we discussed the matter. I mentioned how I found the issue and the impact of the action. He mentioned that it was necessary for his software to work. We discussed different secure methods for accessing objects in S3 that might not require the control to be disabled.
At the end, I did not push a mandate on him… but we understood each other.
24 hours later, I got a Slack from him saying he found an alternative way to solve the problem and deployed it already!
Problem solved! 👏🏼👏🏼👏🏼
How you approach a problem, person, or team will have an impact on how they respond to you
Gain an understanding of how they feel… be in their shoes
When people feel heard, they will be more understanding of your goals
Have you tried any of these techniques before? Any success or failure stories? Share them in the comments.