The Edge

5 Mistakes That Impact a Security Team's Success

The way we work and treat each other goes a long way toward improving our organizations' security posture.

The word "nice" is defined as pleasant, agreeable, and satisfactory, according to Oxford Language, Google's dictionary. The word "kind" is defined as friendly, generous, and considerate. Although some people use these two words interchangeably, they are, in fact, quite different.

Lots of people seem nice, but how many of those nice people are kind? Unfortunately, fewer than we would hope. In my opinion, in addition to being a better way to live, being kind has many other benefits. This is especially the case in the security profession, where kindness can help us improve our security postures. To explain this, I'd like to explore five mistakes the unkind make that harm their security postures.

1. Lack of gratitude: When something goes right, grateful people think of and thank others who helped them along the way. But ungrateful people look to take credit. When something goes wrong, grateful people seek feedback and look introspectively to understand what they could have done differently. Ungrateful people look for others to blame. The security organization in any enterprise has a challenging and demanding mission – one that requires a team of advocates, allies, stakeholders, and champions who can work together with gratitude. Gratitude also goes a long way toward recruiting and sustaining that vital support. That, in turn, helps the security team move its objectives forward, which helps the security team improve the enterprise's security posture.

2. Bad faith: Wikipedia defines good faith ("bona fide" in Latin) as "a sincere intention to be fair, open, and honest, regardless of the outcome of the interaction." In other words, good faith requires offering information, transparency, truthfulness, and reasonableness, even if doing so results in an outcome that is less desirable than what you wanted. Over time, when a security team operates in good faith, other parts of the organization learn to trust the security organization, which helps that security organization operate more effectively.

3. No reciprocity: As the saying goes, life is a give and take. Unfortunately, some people only know how to take – or, more precisely, they won't give unless they can get something out of it for themselves. Security teams typically need to work cross-functionally with a large number of stakeholders in order to move their initiatives forward. So, for example, perhaps the security team wants to enforce strong authentication, while the business side wants to extend customer sessions to reduce friction and yield more conversion/revenue. If each side gives a little and can come up with creative solutions around session length, the enterprise is likely to find a solution that balances both risk and business concerns. Simply put, others will stop giving to those who do not give in return.

4. Irrationality: If you've ever tried to have a rational conversation with an irrational person, you've likely concluded it is not a productive use of time. A good security team will use data, facts, and sound logic to make decisions around devising and implementing a strategy. Others in the enterprise are quick to take notice when the security team is making decisions that properly balance risk, available resources, and the needs of the business. When a security organization is behaving irrationally, the enterprise simply works around it. That, of course, causes people to evade, bypass, or otherwise work around security measures. That is not a recipe for success.

5. Rigidity: Sometimes a decision or agreement that was made becomes unrealistic, unreasonable, unworkable, or otherwise undesirable when circumstances or criteria change. In these situations, the ability of a security organization to be agile, flexible, and think on its feet is important. Those on the business side will appreciate this and will work together with the security team to reach a new solution that is agreeable to all. An inability to be flexible will only harm the security organization's ability to recruit and sustain advocates within the enterprise.

In summary, be nice and kind. Be grateful, operate in good faith, be giving, be rational, and be flexible. You will be more effective as a security professional, and you will be better able to improve your organization's security posture.