Although my lifelong passion for technology has served me well, one particular lesson truly transformed my career — the acknowledgment that there are two sides of the brain: the right side, which is the source of creativity, and the left side, where technical thinking takes place.
I've always been technically minded — or left-brained — and wanted to understand how things work. But I also developed an appreciation for the right side of the brain, the engine of creativity. A Whole New Mind by Daniel Pink is a great read on left-brain/right-brain theory. It also supports my belief that to be an effective security leader one must learn to use both the technical and creative sides of the brain. Because when we use both sides effectively, new doors are opened.
Two Sides Are Better Than One
In my role at CenturyLink, I've been raising awareness of our cybersecurity efforts throughout the company, up to and including the boardroom. In the process, I've found that using the "two-brained" approach pays dividends.
Technology professionals, including those in cybersecurity, have been trained their whole lives to mostly use the left side of the brain, where most of the math, science, and logic functions occur. From the time they enter school and throughout their careers, technologists are rewarded and encouraged to use their left brain. You set a goal to build or secure a system and you achieve it through careful planning and determination. Sometimes you hit a wall, but you either find a workaround or plow through it.
However, achieving cross-organizational goals requires technical leaders to collaborate and influence senior corporate leadership, all the way up to the board of directors. Many of these senior leaders may not have a technical background, but all of them understand business. Often, technical leaders struggle in communicating with senior leadership because influencing others requires them to use the creative side of their brain.
I've seen this occur on several occasions when security leaders presented to a group of executives. When asked about what security gaps or risks the company faced, the security leaders gravitated to the left side, analytic part of the brain. In these situations, the security leaders would typically address the technologies, processes, and people required to secure the enterprise. Their response was logical, factual, and linear — classic left-brain thinking. What they failed to understand was that the executives were primarily interested in how a particular threat might affect the company's bottom line and return on investment, or lead to additional risk.
Had these security leaders also used the right side of the brain — which is said to be strong in holistic thinking, intuition, nonverbal cues, and creative visualization — they would have been better able to relate to the executives' perspective, and as a result better able to respond to their questions.
It's important to understand your audience's points of view and the response you want to elicit from them. When presenting to your executive team, for example, knowing to focus on the threat actors and probable business effects — rather than the technologies and processes — is a more effective way of getting your security budget approved. For that reason, I regularly remind my team to always use both sides of their brain.
Creativity Can Reveal Alternative Solutions
I've also encountered security professionals who are quick to say no to changes within an organization that could enable business transformation. These could be changes to existing security processes, new password rules, or the use of new tools or products. Although security is a top priority, I challenge my team daily to not just refuse but to explain why we have to say no and then seek to understand the perspectives of our audience. I encourage them to use the creative side of the brain to think about alternative solutions.
The following types of questions are often helpful in this process: What is the business driver or goal behind the desired change? Is there another way to address these needs? What additional effort would it take to close the security gap? Can we come up with a more cost-effective security control? Can we modify our rules to simplify the process without increasing risk to the company?
Members of the security team will be more effective in protecting the enterprise if they are viewed as enablers of business transformation rather than inhibitors. Security leaders must learn that many issues shouldn't be addressed with an either/or conversation. More productive conversations are enabled by the word "and." For example, instead of thinking "I can either defend the company or implement the requested change," think "How can I communicate more effectively to influence others, and protect the company?"
Using the creative side of your brain will dramatically increase the chances of gaining cross-organizational buy-in. And obtaining this type of support will enable you to achieve your key goals more easily.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.