The Security Clause

· 5 MIN READ · DAVE JOHNSON · DEC 22, 2022 · TAGS: Careers

In 1994, businessman and parent Scott Calvin unexpectedly stepped into a new role for which he had very little experience. But when he clocked in for his first day, things were significantly different from what he expected. There was a relatively steep learning curve, but, as luck would have it, there was a happy ending (along with two sequels and a dedicated TV series).

In case you missed it, we’re talking about the 1994 holiday classic, The Santa Clause. Believe it or not, there are some undeniable parallels between Scott Calvin figuring out his new gig as the big man in red, and a person entering a new cybersecurity role. So, in the spirit of the season, we thought we’d share a few insights on those similarities.

Maybe you’ve been there too. Sometimes we find ourselves in a position bearing little resemblance to the job discussed during the interview gauntlet. At Expel, we talk to many security pros who’ve faced this challenge, so you’re not alone.

Over time we’ve learned some of their most successful coping strategies. Here are a few.

Putting on “the suit”

Ok, it’s day one as a security professional. You found your desk (easier to do if you’re working from home) and you’re sorting out all your onboarding paperwork. You introduce yourself to your neighbors (via Zoom if necessary) and get to know your new team. Meanwhile, in the back of your mind (if you’re anything like us, anyway) you’re especially vigilant—making a list of pros and cons, headwinds and tailwinds, and anything else you can categorize as generally naughty or nice about your new company and the challenges ahead.

What we’ve learned from our customers is that assessing your environment happens in phases, and it constantly evolves. The keys to success are awareness, flexibility, and organization. Maintaining and diligently documenting those key items can lead to a level of foresight for future challenges, because there’s no substitute for having solutions in mind before problems happen. Think of all the problems you’ve solved before in similar positions. Any one of those issues could already be at play here along with their solutions—at least conceptually. Some may even be similar to problems you’ve solved in completely different types of jobs. Being continuously mindful of your entire skillset and breadth of experience will help you solve problems in cybersecurity without having to reinvent yourself at each new company.

If you keep your eye on the horizon and anticipate the evolution of the role over the first few months, you’ll have a much better chance of success.

Expectations vs reality: maintaining altitude

Sometimes, it’s easy to get distracted comparing what you initially expected to the actual reality of a new role. For many folks, ruminating on the differences might be…cathartic. But it may not be useful unless you apply what you learn and focus on the outcomes. Remember, expectations and reality will always differ with a new role. What’s even more important right now is defining how you’re going to accomplish your goals within that context. It’s helpful to document differences so you can keep track of them and develop your strategy to implement your security practice. If it’s really complex, a project management tool can help keep you organized.

“Reality testing,” or process simulation, is another pro tip customers have told us about. After all, how do we know what’s possible in a new environment without testing? Rather than waiting for things to happen naturally, make a checklist (check it twice) and record observations as you go. What do you need to do in the role to accomplish your objectives? Savvy pros will exercise familiar processes and procedures to test the outcomes, and will note how actual results squared (or didn’t) with their expectations. Quantification of gaps in knowledge and process helps identify problems, which is way better than just continuously stumbling over them in your day-to-day. You may be surprised by what you find, and finding it before you’re in an emergency scenario will yield dividends.

Exercise caution, of course, when running process simulations, so you don’t waste your colleagues’ time. In some cases, a paper-based tabletop may suffice. Coordinating with others may also be useful for everyone involved.

Finding your “Bernard”

Remember, when you start a new security gig, you aren’t doing it in isolation—though it can sometimes feel that way, and can functionally become that way, until you find your people.

We’re not necessarily talking about your assigned team; we’re talking about the people within your organization who know how the place runs and are willing to share their knowledge. Finding and connecting with them is paramount to your success. Sometimes finding them is simple, and other times it can require a little more magic.

Identifying your metaphorical “elders” is a good starting point. Anyone who is directly affected by the actions of security teams probably has stories that may be helpful in your goals. Make sure you keep an open mind and ask questions on topics that are also relevant to them. Maybe bring your initial strategy along and toss some ideas around for a bit. Make a meeting of it, or maybe buy them lunch. After all, their experience could be extremely valuable to you down the line, not to mention you might even make a new work friend.

Asking for help from a larger group is also helpful. Explain what your goals are and solicit help with specific projects via Slack or whatever platform your organization uses. This may be a good way to find your “Bernard” in the new organization—that is, your go-to person for questions and advice. For example, “I’m building a tool for the Security team that leverages a lot of Python but I’m getting stuck on a few things. Does anyone have experience with Python and time to go over some things we’re building?” You might be surprised how many people raise their hands to help.

Lastly, consider that sometimes, your Bernard finds you. If someone at your organization asks you questions about a security-related matter, take a step back to think how the question might have broader implications. Try follow-ups like, “What’s the history of this question?” or maybe, “Have you had prior experiences that were similar to this challenge, or is this unique?” or “How has this issue, or others like it, affected your own projects?” If you keep your ears and eyes peeled, you can learn big lessons from everyday problems.

Making the workshop your own

At this point, you’re hopefully feeling stable. You’ve got some direction and a plan of action. But just figuring out how to do things the same way they’ve always been done may not always be in your best interest. This may be a good time to lean on your Bernards—adjust and develop your strategy with lessons learned along the way to ensure this new workshop is the best it can be.

You’ll also need to stay organized, so check your organization’s existing software licenses for something suitable for project management. (If that doesn’t exist, you may need to budget for something you know works well for you.)

Maintain a continuous cadence with your people (your Bernards). Their advice and experience will continue to be valuable moving forward—don’t lose that momentum.

Don’t forget to keep testing your processes. If they don’t work as is, then bring solutions with you to the discussion about how and why to change those processes.

Remember, you have all the tools you need to figure out how to accomplish your security goals, but approaching it like everyone else who came before you might not be the best fit. Make it your own and you’ll probably find yourself struggling less, and making inroads to successful solutions. Bring your culture and background to the gig, and be the awesomely skilled security professional they hired in the first place. We believe in you.

And when and if you need us, just shake the snowglobe and we’ll be there. (Or just reach out. That works too.)

Congratulations on your new gig, happy holidays, best of luck, and a topo gigio to all!