Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/17/2017
10:30 AM
Bill Bradley
Bill Bradley
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security Leaders Can't Afford to Be Just 'Left-Brained'

The left side of the brain is logical and linear; the right side, creative. You have to use both sides of the brain to connect to your audience in your business.

Although my lifelong passion for technology has served me well, one particular lesson truly transformed my career — the acknowledgment that there are two sides of the brain: the right side, which is the source of creativity, and the left side, where technical thinking takes place.

I've always been technically minded — or left-brained — and wanted to understand how things work. But I also developed an appreciation for the right side of the brain, the engine of creativity. A Whole New Mind by Daniel Pink is a great read on left-brain/right-brain theory. It also supports my belief that to be an effective security leader one must learn to use both the technical and creative sides of the brain. Because when we use both sides effectively, new doors are opened.  

Two Sides Are Better Than One 
In my role at CenturyLink, I've been raising awareness of our cybersecurity efforts throughout the company, up to and including the boardroom. In the process, I've found that using the "two-brained" approach pays dividends.

Technology professionals, including those in cybersecurity, have been trained their whole lives to mostly use the left side of the brain, where most of the math, science, and logic functions occur. From the time they enter school and throughout their careers, technologists are rewarded and encouraged to use their left brain. You set a goal to build or secure a system and you achieve it through careful planning and determination. Sometimes you hit a wall, but you either find a workaround or plow through it.

However, achieving cross-organizational goals requires technical leaders to collaborate and influence senior corporate leadership, all the way up to the board of directors. Many of these senior leaders may not have a technical background, but all of them understand business. Often, technical leaders struggle in communicating with senior leadership because influencing others requires them to use the creative side of their brain.

I've seen this occur on several occasions when security leaders presented to a group of executives. When asked about what security gaps or risks the company faced, the security leaders gravitated to the left side, analytic part of the brain. In these situations, the security leaders would typically address the technologies, processes, and people required to secure the enterprise. Their response was logical, factual, and linear — classic left-brain thinking. What they failed to understand was that the executives were primarily interested in how a particular threat might affect the company's bottom line and return on investment, or lead to additional risk.       

Had these security leaders also used the right side of the brain — which is said to be strong in holistic thinking, intuition, nonverbal cues, and creative visualization — they would have been better able to relate to the executives' perspective, and as a result better able to respond to their questions.         

It's important to understand your audience's points of view and the response you want to elicit from them. When presenting to your executive team, for example, knowing to focus on the threat actors and probable business effects — rather than the technologies and processes — is a more effective way of getting your security budget approved. For that reason, I regularly remind my team to always use both sides of their brain.     

Creativity Can Reveal Alternative Solutions
I've also encountered security professionals who are quick to say no to changes within an organization that could enable business transformation. These could be changes to existing security processes, new password rules, or the use of new tools or products. Although security is a top priority, I challenge my team daily to not just refuse but to explain why we have to say no and then seek to understand the perspectives of our audience. I encourage them to use the creative side of the brain to think about alternative solutions.

The following types of questions are often helpful in this process: What is the business driver or goal behind the desired change? Is there another way to address these needs? What additional effort would it take to close the security gap? Can we come up with a more cost-effective security control? Can we modify our rules to simplify the process without increasing risk to the company?

Members of the security team will be more effective in protecting the enterprise if they are viewed as enablers of business transformation rather than inhibitors. Security leaders must learn that many issues shouldn't be addressed with an either/or conversation. More productive conversations are enabled by the word "and." For example, instead of thinking "I can either defend the company or implement the requested change," think "How can I communicate more effectively to influence others, and protect the company?"

Using the creative side of your brain will dramatically increase the chances of gaining cross-organizational buy-in. And obtaining this type of support will enable you to achieve your key goals more easily.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Bill Bradley has been with CenturyLink for 32 years. During that time he has served in a variety of technical roles with increasing responsibilities, including software developer, security manager, CTO, CIO and now as senior vice president of cyber engineering and technology ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/18/2017 | 4:54:00 PM
The relativity of good advice
This left-brainedness -- and stereotypes of it -- are also part of why a lot of business execs aren't fond of their legal and compliance teams. The former often feel that the latter exist just to tell them "no".

And if that's the case, then neither side is doing its job.

Legal teams, compliance teams, and cybersecurity teams are simply part of risk assessment and risk management. As an attorney and data-privacy consultant myself, I consider it my job to say, "Here are all the pertinent facts, here are the possible outcomes and their probabilities, and here are my recommendations accordingly."

And my job doesn't end there. There's an if-then relationship. If the client chooses, say, the second-best or third-best option instead of what I deem the best option, then I have to have my recommendations ready on how to proceed -- and how to deal with the potential consequences of those actions.

And, again, "best" is a relative term. "Best" isn't always "most secure" or "most compliant." Those are just factors.
HardenStance
50%
50%
HardenStance,
User Rank: Strategist
10/17/2017 | 10:59:55 AM
Facebook's Alex Stamos
Facebook's Alex Stamos made much the same point in his BlackHat keynote in July. A function of human nature that it has to be repeated over and over again and will likely need to be forever more.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21273
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
CVE-2021-21274
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
CVE-2021-23345
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
CVE-2021-21297
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default beh...
CVE-2021-21298
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via th...