The problem with being technical in security

What’s the biggest problem with a strong technical background in security?

Having one makes it much easier to relate and communicate with other technical folks - developers, admins, etc. Because it’s what’s familiar and what comes easiest, it makes it comfortable to stay in those circles at the expense of communication and collaboration with other parts of the business.

But, in the words of the great visionary, Admiral Ackbar, “It’s a trap!”

If you're in information security, you obviously need to be tight with the teams that, you know, manage the information.

At a software company, the platform is always going to be a major focus point for security.

But if you think your job starts and ends with managing AWS and container configs, you're setting yourself up to be stuck in a box, mumbling about how unfair it is you don’t have a seat at the table.

In what I hope is news to no one, your business has many facets and managing information security risk is just one part of it. Every different team plays a role in the success of the business as a whole.

If you’re not working closely with each of them, you’re missing out on massive opportunities not only for improving the company’s chances of success but for your own.

Take the sales team. The same people engineers often speak disparagingly about but whose mere presence brings excitement to company holiday parties the world over.

Want to have a bigger voice in the business?

Understand how their ability to close deals quickly is influenced by your work. Ask about the hurdles they face during the sales cycle - are there missing security features? Recurring questions or concerns that add friction?

Pro tip: There’s no easier way to get a budget for your project than to tie it directly to revenue.

How about finance?

Are you aware of how their world works? What do the company’s cash flows and balance sheet look like? Do you know what factors are important to them as they prioritize budget between competing requests?

If you don’t, you’re not able to talk on their terms and putting yourself at a major disadvantage vs. all the other groups working to get their own projects approved.

Security is about enabling the entire business to succeed and that isn’t always about technology.

It's about understanding the balance of risks and rewards across the whole organization and speaking the languages of the teams of other teams even if they don’t use sexy terms like “holistically integrated threat management platform” or “Intelligent automated vulnerability remediation”.

Step out of your comfort zone.

Learn the terminology used in other departments.

The job isn't just to secure the platform, it's to take a part in helping the organization succeed and it’s much harder to do that if you’re operating in your own bubble.

Listen to the Admiral, avoid the trap.