What do we mean by “security”? Really, what we are doing in this job is probably more adequately described as “asset protection” although I once chatted with a professional bodyguard and that’s what he said he did. Perception is important because within the organisation, as an information security professional, you are likely to be in a very small minority.
If you say that you work in security, what’s the first thing that people reply? Here are a few responses that I’ve had:
“Where’s your peaked hat?”
“Do you want to check my pass?”
“Have you got a gun?”
“Let’s go to bed”
OK, I made up the last one. And tell someone that you are in IT Security and the sex factor takes a real plummet as they imagine you sitting in a dark basement, munching endless pizza, trying to hack into government computers for a game of thermonuclear war.
So, tell someone within your own organisation that you work in security and what do you think their response will be? We’ve been having a debate within my own group about job titles: my official title when I started in my role was “security consultant”; however, I suggested that this did not encourage the right people, who might not know me personally, to approach me for help, nor did it suggest a position of authority. On the other hand, “consultant” does describe my principal set of tasks and I don’t manage my own team so the word “manager” is not really appropriate. It also matters to the external world because we get categorised by what we tell people our job titles are. If I have “consultant” on my business card then your perception of me is different than if I have the word “director” there instead.
The problem is that I need the perception to be the right one because within the organisation I’m providing counsel to senior management, and outside I’m expected to network with sufficiently highly placed peers. I know myself that I don’t always get the external perception of me right: I’ve been described as “dogmatic” and “inflexible” and sometimes we can get carried away with our own sense of worth. I’m fortunate enough to be in an organisation where feedback is open and honest so I can work on corrective measures, but I know from experience that when the perception is wrong it’s harder to deal with the right people in the right way.
Is this even an issue and what has this got to do with the management of risk? I believe it’s important because managing security is more than just understanding the technicalities of controls and knowing who Mr Diffie and Mr Hellman were. How we are perceived as professionals is important: if I’m in a room full of system architects or a room full of company directors then I need both sets of people to perceive me as a person with credibility and authority in my field – and 80% of that isn’t anything to do with what I know, it’s how I say what I’m saying. In other words, you can be the most proficient security expert in the field of all things security, but if you can’t string a sentence together without every other word being “y’know” then I’m afraid you are not going to win people over to your way of thinking.
Disagree with me if you like – and I don’t mind if you do because, y’know, I like a good debate. But perception is important. Take it from someone who has learnt the hard way!