Monday, October 27, 2014

How to be Successful in Cybersecurity: Getting Away from “Explicit Deny”

image source: http://cisco-ccna-exploration.blogspot.com




I have the pleasure of being a member of several cybersecurity communities on Twitter and Google+. Comments that I have read there, combined with my newer understanding of the industry are what drive this post.

For my entire, albeit relatively short career in information security, there has been a general ideology of automatically saying “no” to new technology, software, and capabilities. That is, until there is enough pushback. The difference that I have seen between general IT professions who claim to be security guys, and those who actually fill the role in a large organization, is their approach to addressing new capabilities. I attribute this gap to two critical things – laziness and cowardice.

The successful cybersecurity professional embraces new capabilities, no matter how much effort or research is required for securing them.

This concept was one of the most important lessons from my new job. I always had the mindset that security professionals were expected to apply “Explicit Deny” to the entire environment, not just router configurations. Instead of the automatic "no", we should be exploring ways to decrease risk to an acceptable level, while keeping up with the emerging capabilities that are introduced through advancing technology.

If you found this post helpful, please do not hesitate to share the information. I am not so much aiming to glean credit for the concept, but rather to encourage up-and-coming cybersecurity professionals to consider my own lessons learned in the field.


Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.