Fighting complacency

They are just beginning their career in the security and risk management field, and were looking for opportunities to grow and expand their knowledge. They also wanted to apply what they had learned in the classroom and gain real life experience.

I wanted to tell them they had a clear path ahead, and that finding a fulfilling role would be straightforward and simple.  But I knew that wasn’t true — most security and risk professionals I know have taken a very interesting journey to become the person they are, not knowing where their careers would eventually lead them.

If we (as a profession) want to continually grow our body of knowledge, and learn about new and exciting research from the risk management field, we need to steer these recent graduates into mentorship programs or work placements within the security field.  This is the only way I feel we can mitigate one of the most underrated risks facing us today — complacency.

We see it every day, in the assignments we perform, the meetings we hold with our clients, and the reports we issue to our management.  We become accustomed to looking at risk issues through a particular lens. We begin to see threats as “more of the same,” instead of spending personal time researching how impactful a realized threat could be.  I’m not saying all security professionals are this way — not at all.  What I am pointing out is that our schedules, commitments, personal lives, and (occasionally) volunteer work takes time away from research and review.

What I felt at this recent conference was different and inspiring.  These students were truly engaged in conversations about risk mitigation, crisis management, digital forensics, industrial control system security, and anti-phishing technologies. It was refreshing to listen to these students present their dissertations, carefully explaining the hypothesis they were attempting to either credit or disprove.  The conference was very academic in its focus, but you could sense the commitment from these students in their work, and their plans for their own careers.

We could all learn from these conferences, and the enthusiasm these young security professionals displayed during their sessions. I was gently reminded not to take assessments for granted, and to reset my “risk compass” a bit by reviewing my own perceptions of threats and risks, and how my viewpoints may have faded over time.  I felt that I had let myself down over the past decade, relying on experience and personal perspectives instead of looking at empirical evidence. It prompted me to load up my personal iPad with some books I have been meaning to read, but never got around to it. These are industry journals and reference materials I now am taking the time to read while I travel, to sharpen some of the edges and become a bit more precise in my work.

The world of risk changes so dramatically, we need to continually review our own perceptions of threats and risks, and reset our personal “risk compass” frequently. Over the past decade, we’ve become numb to online events like data breaches and the theft of credit cards. But we need to keep learning from these and other incidents to continually focus on the threats, how they were realized, and what controls we can look at in our own environment to reduce our exposure to the threat. The adage, “It’s never too late to start” truly applies to our world of risk.
 
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com).