Vulnerabilities / Threats

10/17/2017
10:30 AM
Bill Bradley
Bill Bradley
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security Leaders Can't Afford to Be Just 'Left-Brained'

The left side of the brain is logical and linear; the right side, creative. You have to use both sides of the brain to connect to your audience in your business.

Although my lifelong passion for technology has served me well, one particular lesson truly transformed my career — the acknowledgment that there are two sides of the brain: the right side, which is the source of creativity, and the left side, where technical thinking takes place.

I've always been technically minded — or left-brained — and wanted to understand how things work. But I also developed an appreciation for the right side of the brain, the engine of creativity. A Whole New Mind by Daniel Pink is a great read on left-brain/right-brain theory. It also supports my belief that to be an effective security leader one must learn to use both the technical and creative sides of the brain. Because when we use both sides effectively, new doors are opened.  

Two Sides Are Better Than One 
In my role at CenturyLink, I've been raising awareness of our cybersecurity efforts throughout the company, up to and including the boardroom. In the process, I've found that using the "two-brained" approach pays dividends.

Technology professionals, including those in cybersecurity, have been trained their whole lives to mostly use the left side of the brain, where most of the math, science, and logic functions occur. From the time they enter school and throughout their careers, technologists are rewarded and encouraged to use their left brain. You set a goal to build or secure a system and you achieve it through careful planning and determination. Sometimes you hit a wall, but you either find a workaround or plow through it.

However, achieving cross-organizational goals requires technical leaders to collaborate and influence senior corporate leadership, all the way up to the board of directors. Many of these senior leaders may not have a technical background, but all of them understand business. Often, technical leaders struggle in communicating with senior leadership because influencing others requires them to use the creative side of their brain.

I've seen this occur on several occasions when security leaders presented to a group of executives. When asked about what security gaps or risks the company faced, the security leaders gravitated to the left side, analytic part of the brain. In these situations, the security leaders would typically address the technologies, processes, and people required to secure the enterprise. Their response was logical, factual, and linear — classic left-brain thinking. What they failed to understand was that the executives were primarily interested in how a particular threat might affect the company's bottom line and return on investment, or lead to additional risk.       

Had these security leaders also used the right side of the brain — which is said to be strong in holistic thinking, intuition, nonverbal cues, and creative visualization — they would have been better able to relate to the executives' perspective, and as a result better able to respond to their questions.         

It's important to understand your audience's points of view and the response you want to elicit from them. When presenting to your executive team, for example, knowing to focus on the threat actors and probable business effects — rather than the technologies and processes — is a more effective way of getting your security budget approved. For that reason, I regularly remind my team to always use both sides of their brain.     

Creativity Can Reveal Alternative Solutions
I've also encountered security professionals who are quick to say no to changes within an organization that could enable business transformation. These could be changes to existing security processes, new password rules, or the use of new tools or products. Although security is a top priority, I challenge my team daily to not just refuse but to explain why we have to say no and then seek to understand the perspectives of our audience. I encourage them to use the creative side of the brain to think about alternative solutions.

The following types of questions are often helpful in this process: What is the business driver or goal behind the desired change? Is there another way to address these needs? What additional effort would it take to close the security gap? Can we come up with a more cost-effective security control? Can we modify our rules to simplify the process without increasing risk to the company?

Members of the security team will be more effective in protecting the enterprise if they are viewed as enablers of business transformation rather than inhibitors. Security leaders must learn that many issues shouldn't be addressed with an either/or conversation. More productive conversations are enabled by the word "and." For example, instead of thinking "I can either defend the company or implement the requested change," think "How can I communicate more effectively to influence others, and protect the company?"

Using the creative side of your brain will dramatically increase the chances of gaining cross-organizational buy-in. And obtaining this type of support will enable you to achieve your key goals more easily.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Bill Bradley has been with CenturyLink for 32 years. During that time he has served in a variety of technical roles with increasing responsibilities, including software developer, security manager, CTO, CIO and now as senior vice president of cyber engineering and technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/18/2017 | 4:54:00 PM
The relativity of good advice
This left-brainedness -- and stereotypes of it -- are also part of why a lot of business execs aren't fond of their legal and compliance teams. The former often feel that the latter exist just to tell them "no".

And if that's the case, then neither side is doing its job.

Legal teams, compliance teams, and cybersecurity teams are simply part of risk assessment and risk management. As an attorney and data-privacy consultant myself, I consider it my job to say, "Here are all the pertinent facts, here are the possible outcomes and their probabilities, and here are my recommendations accordingly."

And my job doesn't end there. There's an if-then relationship. If the client chooses, say, the second-best or third-best option instead of what I deem the best option, then I have to have my recommendations ready on how to proceed -- and how to deal with the potential consequences of those actions.

And, again, "best" is a relative term. "Best" isn't always "most secure" or "most compliant." Those are just factors.
HardenStance
50%
50%
HardenStance,
User Rank: Strategist
10/17/2017 | 10:59:55 AM
Facebook's Alex Stamos
Facebook's Alex Stamos made much the same point in his BlackHat keynote in July. A function of human nature that it has to be repeated over and over again and will likely need to be forever more.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.