My first-ever job in IT was heading up an IT department for a mental health provider with 120 locations across the state of Pennsylvania. I had some management experience, no formal technical training or certifications, but I had been working in residential technology integration and sales and was good with people. I don’t know how I got the job, but I’m forever thankful for the opportunity.
Rather than a formal interview, I met the head of Finance for lunch. We seemed to talk for hours. She was not very technical, so the conversation was around her objectives for the IT department and the organization. Now that I look back on it, that was the most important conversation of my tenure there. I could always get the necessary training to get up to speed technically, but if I could not clearly understand what was needed to support leadership’s mission, it would all be for nothing.
My time there was extremely rewarding. This was not only due to the professional growth, but because I could see the direct benefits to our clients from the services provided through the IT department. The position also gave me access to the senior leadership team so that I and my team could remain aligned with the mission and strategy.
Years later, when I left the organization to consult full time, I had an MCSE and CCNA under my belt, but most importantly, I applied those early lessons and honed my listening skills. I knew better than to go into a meeting with senior leadership entitled “Too Much Spam” with a list of vendor whitepapers and quotes asking for money. I knew it was essential to first understand critical aspects of the problem.
- How big is the problem?
- What are the conditions that make the problem better or worse?
- Do we have the power to change those conditions?
- What does “done” look like?
Anyone who has worked in first-level support for long enough knows the initial end-user request rarely reflects the actual need. Instead, the support tech should ask the requestor, “What are you trying to achieve?”
This approach is sometimes easier said than done. The noise in the infosec product space is deafening and often drowns out rational, evidence-based conversations intended to reduce specific risks. Security product advertising slogans that tout the elimination of cyber risk and one-click vulnerability detection and remediation only reinforce the security-in-a-box thinking. The truth is, there are no silver bullets, but there are practical and effective approaches that may require security products, which, when implemented correctly, will reduce cyber risk.
This is why I founded South Lake Cyber Risk and what makes SLCR different. I focus on learning about you and providing approaches and solutions for your unique information protection needs by asking, “What are you trying to achieve?” Whether it’s taking a fresh look at your risk profile, threat modeling with your security team, helping you prepare for an audit or designing your first cybersecurity program, SLCR is focused on you.
This is the first in a series of periodic articles providing my perspectives on information security and risk, leadership, personal growth, organizational psychology and other timely topics. Whether you become a client or not, I hope you find them insightful. Be sure to follow me on LinkedIn to get notified when new articles are posted.