This is a blog about two subjects many consider to be off-limits. Verboten. Taboo. Namely, “sex” and “IT security.” If either of those topics triggers feelings of discomfort or squeamishness, it’s probably best you move on to the next article in your feed.
You decided to stick around? Great! I’m going to start with the easier of the two subjects: Sex. More specifically, talking about sex. Even more specifically, talking about it, with your kids.
It’s a common bit of parenting wisdom that, if the first time you have The Talk happens when your kid is 16, you’re too late—by roughly 16 years. Far too often, parents find themselves faced with a child who is making critical choices based on misinformation or the lack of it, peer pressure, and a false sense of invulnerability; and suddenly must combat those forces armed with little more than their experience and a paltry handful of facts.
To have an effective conversation with your 16-year-old, you should lay the groundwork long beforehand. You should build up not just a vocabulary of terms, but also your child’s confidence that any topic CAN be discussed. There needs to be a sense of trust in open and relatively judgement-free channels of communication. Faith that questions can be asked, and answers will be given, clearly and directly.
If you’ve done that: established a vocabulary, built a rapport, kept the lines of communication open, and continued to engage in the subject from time to time; when (not if—trust me, this conversation WILL happen) it comes time to have a more significant (if not more urgent) conversation with your 16-year-old, the conversation will be able to occur as smoothly as possible under the circumstances.
That, as the cool kids say, is the whole tweet: talk early. Talk often. Answer the question(s) you’re asked openly, honestly, and directly.
At this point, I’m sorry to say we need to delve into the far less comfortable of my two taboo topics for today: IT security.
It’s a common bit of IT pro wisdom that, if your first talk about information security happens after leadership has gone years without one, you’re too late—by roughly the time since the last infosec emergency. Far too often, IT practitioners find themselves faced with a manager who is making critical choices based on misinformation or the lack of it, peer pressure, and a false sense of invulnerability; and suddenly must combat those forces armed with little more than their experience and a paltry handful of facts.
To have an effective conversation with your manager... OK, you get the point, right?
Before you roll your eyes, I want to stress that “talking to management about infosec is like talking to your kids about sex” being gimmicky doesn’t make it any less true. Having serious conversations about security—conversations that may be difficult but are nevertheless incredibly important—requires IT practitioners to have laid the groundwork long before those difficult conversations started.
If IT has established an infosec vocabulary, established ongoing dialogue, and built a relationship of trust and transparency, then even difficult conversations will contribute to getting the hard work done quickly and effectively.
When (not if—trust me, this WILL happen) your organization is faced with a security breach, you want to focus on understanding the scope of the issue, creating a strategy to address it, and executing the plan. You don’t want to be sidetracked by excessive and unnecessary hand-wringing and unproductive “how-could-this-have-happened” navel-gazing.
When (again, not if) you must patch a vendor’s software because they’ve identified a vulnerability, you want to be able to do it NOW. You want to be able to immediately pivot to identifying the work-of-the-work: namely, how to get your hands on the patched, vulnerability-free version, get it installed, and get your critical systems back online. You don’t want to be stuck in angry confrontations with leadership, explaining the IT facts of life to an executive who’s making decisions based on misinformation, peer pressure, and a false sense that “it’s in production” creates a magical guarantee of bug-free perfection.
As we’ve seen time and time again, that’s simply not the case.
IT security doesn’t just happen on its own, or as a result of some magical “culture” that exists within the organization. Like an open and trusting relationship between parents and children, it happens by design when everybody puts in the effort, day by day and conversation by conversation to build it up and keep it strong.