What does a CISO need to ensure the organization is secure? Money? Skilled staff? Leading edge technology? Knowledgeable employees who don’t click on every link they see in messages? All that, to be sure.
There are also some personal skills, including cunning, discipline and patience.
But Ken Westin, a senior security analyst at Tripwire Inc., suggests another quality: humility. In a blog post, he suggests that it is one of the essential traits an infosec leader needs these days. Why? Because you won’t learn otherwise.
“Some of the most successful people I know in technology and security view ‘I don’t know’ not as an admittance of failure, or giving up, or to get defensive,” he writes, “but as a challenge to learn and collaborate.”
The more one learns about IT security, he believes, the more one realizes knowing everything is impossible — and therefore the more one respects people willing to share their expertise.
It’s an interesting observation, and one that is important in an era when well-funded criminal organizations as well as nation-states are seemingly attacking and penetrating organizations at will. Collaboration is a tremendous defensive weapon that hasn’t been leveraged to the fullest yet.
Some Canadian industries, such as the financial sector, have extensive co-operative infosec mechanisms between normally competitive institutions that should be copied. Does the industry your organization is in encourage IT security pros to collaborate? Does your CEO encourage it? At the very least, does the industry have a trade association that acts as a clearing house for security alerts? These are the ways you and your colleagues will learn from each other.
One thing’s certain: If infosec pros don’t share what they know, attackers have a tremendous advantage.
Let us know in the comments section below if you think there’s enough infosec sharing in your sector — and if not, what should be done about it.