Beaver: Establishing Credibility Key to Infosec Success
August 7, 2017 | Certifications and Training
By Kevin Beaver, IANS Faculty
What’s the one thing you have as an information security professional that can make or break your success? No, as important as it may be, it’s not your time. And as much as you’ve invested in it, it’s not your technical expertise either. Rather, it’s your credibility. It’s your trustworthiness and personal brand that dictate what other people think of you and say behind your back.
One thing I've discovered over the years is that security has a credibility problem. It's nothing personal. It's just that other people are not buying what we are selling for myriad reasons.
Selling security is all about credibility. People won't buy your message unless and until they buy you. People are certainly judging you based on your work deliverables and outcomes, including the perceived business value of your overall department. However, in the end, they're not buying anything until they’re convinced you are a person of value and worth listening to. So, the question becomes: what are you doing to make sure that happens?
To build credibility, you must dispel any doubts (real or perceived) that will arise. This means knowing the questions or concerns people will have and taking the proper steps to answer and address them in advance. IT and developers might need more details. Management might question how certain findings impact the business. Internal audit may have concerns as to the viability of testing. External business partners and customers may not approve of your work at all. So, how can you prepare in advance to ensure what you're doing – and selling – comes across as solid work that benefits everyone involved?
Connect With Colleagues
I've learned over the years (especially in my work as an expert witness) that people will judge you based on how you present yourself to them. Show interest in others by asking a lot of questions; the person at the table asking the questions is the person who's in control. Ask what you can do to improve a project you’re working on. Find out what other needs they have beyond simply checking a box to be compliant – or to get you out of their hair. Show your audience that you’re concerned about the outcomes of projects and want to maximize the value they get out of them.
People do things for their reasons, not yours. If you want to sell a security initiative, you need to understand your audience’s needs and put them first. Mastering the art of persuasion is critical to succeeding in information security. If people seem like they're not interested in what you're selling, it probably means you're not interesting enough. You can’t attempt to force your ideas down other people's throats. Focus on the relationship. Study how to become a better communicator and salesperson as much as you study infosec topics. Security professionals with top-notch technical skills are a dime a dozen. Those with people skills and business common sense, however, are a rare breed.
Looking out for the best interests of the business and doing what you say you’re going to do will go a long way towards building your professionalism and credibility. Speak your mind (within reason of course), but be willing to meet on some sort of middle ground. Selling security and building the credibility necessary to do so is about fostering positive relationships, not force.
Your credibility and reputation are all you have. Building this credibility and leveraging it to gently persuade others on a day-to-day basis over the long haul can work wonders in your information security career.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).