10/17/2017 10:30 AM
Bill Bradley
Commentary
Why Security Leaders Can't Afford to Be Just 'Left-Brained'

The left side of the brain is logical and linear; the right side, creative. You have to use both sides of the brain to connect to your audience in your business.

Although my lifelong passion for technology has served me well, one particular lesson truly transformed my career — the acknowledgment that there are two sides of the brain: the right side, which is the source of creativity, and the left side, where technical thinking takes place.

I've always been technically minded — or left-brained — and wanted to understand how things work. But I also developed an appreciation for the right side of the brain, the engine of creativity. A Whole New Mind by Daniel Pink is a great read on left-brain/right-brain theory. It also supports my belief that to be an effective security leader one must learn to use both the technical and creative sides of the brain. Because when we use both sides effectively, new doors are opened.

Two Sides Are Better Than One
In my role at CenturyLink, I've been raising awareness of our cybersecurity efforts throughout the company, up to and including the boardroom. In the process, I've found that using the "two-brained" approach pays dividends.

Technology professionals, including those in cybersecurity, have been trained their whole lives to mostly use the left side of the brain, where most of the math, science, and logic functions occur. From the time they enter school and throughout their careers, technologists are rewarded and encouraged to use their left brain. You set a goal to build or secure a system and you achieve it through careful planning and determination. Sometimes you hit a wall, but you either find a workaround or plow through it.

However, achieving cross-organizational goals requires technical leaders to collaborate and influence senior corporate leadership, all the way up to the board of directors. Many of these senior leaders may not have a technical background, but all of them understand business. Often, technical leaders struggle in communicating with senior leadership because influencing others requires them to use the creative side of their brain.

I've seen this occur on several occasions when security leaders presented to a group of executives. When asked about what security gaps or risks the company faced, the security leaders gravitated to the left-side, analytic part of the brain. In these situations, the security leaders would typically address the technologies, processes, and people required to secure the enterprise. Their response was logical, factual, and linear — classic left-brain thinking. What they failed to understand was that the executives were primarily interested in how a particular threat might affect the company's bottom line and return on investment, or lead to additional risk.

Had these security leaders also used the right side of the brain — which is said to be strong in holistic thinking, intuition, nonverbal cues, and creative visualization — they would have been better able to relate to the executives' perspective, and as a result better able to respond to their questions.

It's important to understand your audience's points of view and the response you want to elicit from them. When presenting to your executive team, for example, knowing to focus on the threat actors and probable business effects — rather than the technologies and processes — is a more effective way of getting your security budget approved. For that reason, I regularly remind my team to always use both sides of their brain.

Creativity Can Reveal Alternative Solutions
I've also encountered security professionals who are quick to say no to changes within an organization that could enable business transformation. These could be changes to existing security processes, new password rules, or the use of new tools or products. Although security is a top priority, I challenge my team daily to not just refuse but to explain why we have to say no and then seek to understand the perspectives of our audience. I encourage them to use the creative side of the brain to think about alternative solutions.

The following types of questions are often helpful in this process: What is the business driver or goal behind the desired change? Is there another way to address these needs? What additional effort would it take to close the security gap? Can we come up with a more cost-effective security control? Can we modify our rules to simplify the process without increasing risk to the company?

Members of the security team will be more effective in protecting the enterprise if they are viewed as enablers of business transformation rather than inhibitors. Security leaders must learn that many issues shouldn't be addressed with an either/or conversation. More productive conversations are enabled by the word "and." For example, instead of thinking "I can either defend the company or implement the requested change," think "How can I communicate more effectively to influence others, and protect the company?"

Using the creative side of your brain will dramatically increase the chances of gaining cross-organizational buy-in. And obtaining this type of support will enable you to achieve your key goals more easily.


Bill Bradley has been with CenturyLink for 32 years. During that time he has served in a variety of technical roles with increasing responsibilities, including software developer, security manager, CTO, CIO and now as senior vice president of cyber engineering and technology ...

Comments
HardenStance, User Rank: Strategist
10/17/2017 | 10:59:55 AM
Facebook's Alex Stamos
Facebook's Alex Stamos made much the same point in his BlackHat keynote in July. It is a function of human nature that it has to be repeated over and over again, and it will likely need to be forever more.
Joe Stanganelli, User Rank: Ninja
10/18/2017 | 4:54:00 PM
The relativity of good advice
This left-brainedness -- and stereotypes of it -- is also part of why a lot of business execs aren't fond of their legal and compliance teams. The former often feel that the latter exist just to tell them "no".

And if that's the case, then neither side is doing its job.

Legal teams, compliance teams, and cybersecurity teams are simply part of risk assessment and risk management. As an attorney and data-privacy consultant myself, I consider it my job to say, "Here are all the pertinent facts, here are the possible outcomes and their probabilities, and here are my recommendations accordingly."

And my job doesn't end there. There's an if-then relationship. If the client chooses, say, the second-best or third-best option instead of what I deem the best option, then I have to have my recommendations ready on how to proceed -- and how to deal with the potential consequences of those actions.

And, again, "best" is a relative term. "Best" isn't always "most secure" or "most compliant." Those are just factors.