Technology Made Simple
Wednesday May 25th 2022

Q&A Monday: What is CVSS?

Question:

I am a recent graduate who just got a job working in IT at a company. During a meeting today, someone mentioned a CVSS score on a system that needed to be patched. I was afraid to ask during the meeting, but what is CVSS?

Kenneth M. Ponce
Washington DC

Answer:

Before I get to your question: if this is your first job in Information Technology, I hope the people you work with would understand if you asked it in the meeting. To be honest, asking for clarification when I don't understand something is part of who I am. It's the only way I can learn more, and often, once the concept is explained, it turns out I knew what it was and had simply never heard that term; different places use different words.

To answer your question, CVSS stands for Common Vulnerability Scoring System. A huge number of vulnerabilities are found in applications every year, and they come in all shapes and sizes. The CVSS framework was designed as a way to classify how a vulnerability works and how severe it is. It sets a standard that all researchers and vendors can use to give a consistent picture of a vulnerability's severity.

The CVSS framework scores vulnerabilities on a scale of 0.0 to 10.0, and those scores are mapped to severity ratings as follows:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

CVSS provides a score that describes how bad a particular vulnerability is. Scores can be calculated with the calculators hosted on the NVD (my personal favorite) or FIRST websites. Only the Base Score is required; the Temporal and Environmental scores are optional modifiers that adjust the overall score to better reflect the actual risk the vulnerability currently poses to your organization. The framework breaks the score into three parts and combines them into a total score:

  • Base Score: Base metrics represent characteristics of the vulnerability itself. These characteristics do not change over time and do not depend on real-world exploitability or on compensating controls an enterprise has put in place to prevent exploitation.
  • [MODIFIER] Temporal Score: These are exactly what they sound like, metrics about a vulnerability that change over time. They measure the current exploitability of the vulnerability and the availability of remediating controls, such as a patch. The Temporal metrics are Exploit Code Maturity, Remediation Level, and Report Confidence.
  • [MODIFIER] Environmental Score: Based on aspects of a vulnerability that may be unique to a particular environment. These include attributes of an enterprise environment that can make the impact of a vulnerability greater or smaller.

You may hear CVSS used alongside CVE (Common Vulnerability Enumeration), which is a unique identifier for a vulnerability. A CVSS score is attached to a CVE to indicate its severity. For example, the CVE for the Heartbleed vulnerability is CVE-2014-0160, and it has a base CVSS score of 7.5, which makes its severity High.

I hope this helped you get a better idea of what the CVSS score is, how you can use it to better understand the severity of vulnerabilities, and which modifiers you can use to determine how a vulnerability impacts your organization specifically. If you have more questions, feel free to email me at me-at-jimguckin.com. If anyone else has other questions, you can email there as well.

Rise of the BISO and what it says about IT Security

I have to admit that until very recently I had never heard of a BISO (Business Information Security Officer), and the first time I came across the title I was a little confused. At first I thought it had something to do with physical security, or maybe keeping businesses financially secure, and I was wrong. If (like me) you weren't aware of what a BISO is, it is a senior security leader assigned to lead the security strategy of a division or business unit. They act as a bridge between the centralized security function and the business. At most companies this role appears to act like a deputy CISO, but not always.

I found this fascinating for what I think are all the wrong reasons, because I think it shows a problem in the information security field. That businesses needed to patch this foundational fault with a new role shows where we are failing. Let me make my case in two parts. First, no other part of the information technology family feels the need for this type of role. You don't find many companies with a Business Information Officer, as your traditional IT staff already serve the business. Secondly, no other C-level function needs that same distinction; you don't have a Business Finance Officer or a Business Marketing Officer.

Don't get me wrong, I'm not saying that some companies don't need this role to fill a gap in their current organization. But what does it say about IT Security as a whole that we need a separate role to take the business into account? It may be 100% my background, in that in every position I have ever held I took the business into account in all my decisions, worked with the units impacted to make sure things rolled out with as little disruption as possible, and let them express their concerns in meetings. Even when I transitioned into IT Security, everything I did was weighed against its impact on the business as a whole. I work for the business, every decision should help the business, and where things needed to happen (MFA, for example), I took the time to help users understand and work through the new processes.

My frustration with this title is that it directly or indirectly insinuates that information security isn't integrated into the business functions, and vice versa. Information Security is a tricky balancing act: you want to keep the business as safe as possible, with the risk as low as possible, and sometimes the business processes are reluctant to accept that kind of change. I stand by the view that every level of IT, including security, should have an active role in business operations, and that it isn't a one-way street. Information Technology and Information Security should not just dictate what is going to happen; they should actively solicit advice and comments from the business.

Every definition or description I see of the BISO role describes what I honestly think every IT person, if not every Security person, should be doing without having to add Business in front of the title. In my opinion you could have a deputy CISO or Information Security Officer doing the same job without needing to say it's for the business, because for anyone else at that lateral level I start to wonder who they serve, since it must not be the business.

I admit it's nitpicky, and no other function needs to call out that it's for the business. Maybe there are roles like that and I just never came across them (like this one), but my gut reaction is to ask why we need to call this out, and my fear is that it makes Information Security seem like it doesn't care about the business, so much so that it needs a role where it does.

Q&A Monday: To Anti-Virus or Not to Anti-Virus, that is the question!

Question:

I will be in the process of renewing my AntiVirus software at the end of this month. I'm currently using Norton; should I stay with them or should I go to another software company for my AntiVirus?

Marcela Nowicki
Canyonville, OR

Answer:

I love this question because no matter how I answer it, in some people's eyes I'll be wrong. To be honest, there is no "correct" answer. The first piece of advice I can give is that if you want to stay with Norton, compare the renewal price with the price of buying a new subscription; sometimes you can save money that way, since the renewal price is often higher, but renewing is easier, so most people pay it. Also, determine whether you were happy with the software and all the bells and whistles it comes with nowadays.

I covered a story on my podcast where Norton 360 (not sure if that's the one you have) came with a cryptominer built into the application, and since then Avira has added one to its Anti-Virus as well. So it looks likely that this will come to most Anti-Virus applications soon. It's said to be opt-in, but I've spent more time getting rid of cryptominers than wanting one installed in my application, even if it's "opt-in".

Here's where I really make other professionals mad: I've had a love/hate relationship with anti-virus since Windows 7, and even more so in the Windows 10 environment. Anti-Virus companies have spent time working with Microsoft to get their products to play nicely with Windows updates. Microsoft adds new security features, and if your Anti-Virus program isn't on top of them, it can cause problems with your computer in general, up to making it impossible for your computer to boot. So in all honesty, I recommend to my friends that we rethink the anti-virus strategy. I have settled on using the built-in Windows Defender on my computer.

This is where a lot of professionals scoff: Windows Defender is built into the Windows operating system, and they'd rather have a third party monitor the system, and that's fine. Yet Defender being a Microsoft product means it is far less likely to cause problems than any third-party product, and it has come a long way since its inception.

I would much rather have people use the free one built into Windows 7, 10, and 11, avoid the bloatware that comes with other Anti-Virus products, and be smarter with their online usage. Use a password manager to secure your online identities, back up your important data (online and offline), create a spam email address that you sign up for things with while keeping your personal email separate, and keep your applications updated.

No program, whether Windows Defender, Norton, Avast, etc., will keep you perfectly safe online. Your actions can help but not eliminate the issue. I would rather you keep your applications updated to protect yourself over anything else. This is why I'll get hate for this, but Microsoft gives you the ability to stay updated while minimizing any issues you may have.

Leaders Fix Processes Don’t Blame Employees

I've talked several times about learning lessons from every leader I've ever had, good or bad. I was recently talking with a mentee who had an issue at work: their boss berated the entire staff for a mistake that brought a system down. From the description of the incident it was an honest mistake, not intentional, and they asked me the best way to deal with it.

Digging further into this incident, I learned that there were no defined processes for updating or making changes to the systems they were managing. They got their tickets and they made the changes accordingly. So obviously the simple fix is to start putting processes and policies in place for a more vetted approach. Yet that's not what I want to discuss here; that's management 101, and while they wanted to take a stab at fixing it, my focus became the manager's behavior. I've had these managers, and the lesson I learned from them was to try never to be that way.

I will start by saying this isn't a blanket statement that processes always need to be fixed; sometimes it is the employee. Sometimes no amount of process will fix all your problems, and every organization has its own capacity to self-police its processes or add checks and balances at every step. Those are given flaws in any process.

Now that that is out of the way, let's talk about what your thought process should be. As a leader, your first response to any type of incident shouldn't be "who did it?"; it should be "what broke in the process that allowed this to happen?" When you focus on the WHO and not the WHAT, you start to impact your team. You end up not empowering them, taking their confidence down, and making them afraid to act. I've talked before about ending the fear of making a mistake so that you can encourage your team to try new things. Yet under these leaders, teams end up dissuaded from making even the most basic decisions or improvements.

Plus, I don't think that blaming an individual or team really gets to the root of the problem. The more constructive and beneficial question is what went wrong for this to occur. For one, it doesn't assume that it's a "people" issue; maybe there is a gap that needs to be filled. For example, when there have been disasters in the space program, you don't see "Bob was supposed to connect this wire to the space motherboard and did it incorrectly, that's why it happened"; they figure out what caused the issue and put processes, or sometimes even backup procedures, in place to keep it from occurring in the future.

Blaming a person or team only corrects it for that one person and makes them hesitant about that part of the process in the future. Instead, try figuring out whether the process can be improved so that everything is documented, the risks are listed, and the approvals are recorded. In some cases, something as simple as having another staff member review a change before it is committed, to make sure they don't see any mistakes and that the logic is thought out, is enough. I had a leader early in my career who used to have me check configurations before he committed them.

I always want my teams to grow intellectually, and where I can I try not to stifle their innovation. I want to put in place processes that allow innovation but also allow someone to review and make sure it will work. While nothing will be "perfect", this gives your team confidence and a system of checks and balances, even if the HotWash/After-Action/Post Mortem says that your process is missing altogether.

Mentor your staff

I think an often overlooked part of leadership, for many people at every level, is mentorship. In my career I've had no mentors, indirect mentors, and only one real mentor. Yet from every boss I have ever had, I have learned something, sometimes positive, other times not so much. I do wish it was something more leaders actively did. I have tried to mentor many of the people on my teams, and there are some I still reach out to on an infrequent basis to see how they are doing or whether there is any advice I could help them with; sometimes it's work and sometimes it's not. I wanted to share some of the reasons I think about finding a mentor or mentoring someone.

Find Someone not like you

This is one that I originally didn't like; it didn't seem to fit me very well, as my first few mentors were exactly like me. Yet some of the skills and thought processes I use regularly came from people whose personalities and management styles weren't like mine. We all have blind spots in our jobs, or, if you don't like "blind spots", more accurately tunnel vision: "We've done it this way forever." Finding a mentor who is different from you can help you start to see thought processes you might never have tried, since you always did it this way. While it can be a little uncomfortable at first, there's a lesson to be learned from new ways and new perspectives.

Mentors support growth

Mentorship can help cultivate growth in your own organization by helping raise someone to a new level. My personal take is that it's always better to hire from within; those people know some if not all of the ins and outs of the company. Also, why would you not want to help someone with their personal and professional development (if they are ready for it) and see them grow? Plus, this helps workplace satisfaction if people feel that you are invested in them.

Encouragement helps

One of my favorite parts of mentoring people is the encouragement; we all need it every so often. Sometimes we get down on ourselves and only see the errors we make (I've been there), and a mentor can encourage us to get back up and try again when we fail, and help push us toward success. It's easy to get stuck down in the weeds of work, and being the person who helps them see the bigger picture can reinvigorate a talented person.

Mentors serve as a source of knowledge

Now, this is an obvious one. I've learned so much from my mentors about how to approach work, how to interact with fellow employees, and how to set my moral compass. I am, on some level, every lesson learned from all my previous mentors. All they have taught me makes me the kind of leader I am today. Now, this isn't all good; I like to think I've passed on the lessons from my failures to the people I mentored. My hope is that they learn from all aspects, where I have succeeded and where I have failed, so they get the full view and learn that failure isn't the end: you need to get back up and try again.

Someone to listen

Sometimes we just need someone to bounce ideas off of, and that is where a mentor helps. They can listen and give you objective advice or opinions based on their relevant experience. This isn't an all-or-nothing thing, but having someone to listen and provide opposing viewpoints lets you work through a thought and, as mentioned before, can help you see something you might have missed.

Mentors are Trusted Allies

I honestly debated this one, but I think it needs to be said. Your mentor needs to be someone you trust, and if you are someone's mentor you need to make sure they can trust you. It's one of the most important things, because you can't be honest if you think they'll repeat it to someone else. This is a constant trust exercise and needs to be there on both sides of the mentor relationship.

Anything I forgot, let me know below.

Auditing Standard: A Starting Line not a Finish Line

In one of the many groups I belong to, someone asked how much standards really help a company. My answer, as much as I wanted it to be, wasn't straightforward. I uttered an "It depends..." and went on to explain the same nuances I will explain here.

For a small company or a business that is growing, these standards (NIST, ISO, SOX2, etc.) help build the framework you need to grow into. When you start this process you have nothing, and a standard gives you an easily attainable objective, something that is time-tested and usually has a lot of resources to help you achieve the goal. In this case, standards and auditing are a real help.

On the other side of this discussion are companies that have been around a while, follow these standards (or closely follow them), get their regular audit, pass, and are happy. This is where working to an auditable standard is no longer a value add. Yes, it helps you maintain compliance, and maybe find some systems you missed, but for the most part it's a check box.

This is where I say to companies: if you are just working to the standard, you're already behind. The standard is just that, a standard, and in our personal lives (if you have the money) you don't settle for that anymore. All cars meet a standard, but I bet when you look at your organization's parking lot, the executives don't drive base-standard vehicles; they go with a vehicle that goes beyond the standard, from a company that goes above and beyond for their comfort. It's the same with IT and Security standards: that's the entry model we should be getting into, and then we should build a better product, not just a standard one.

This is something that needs to start from the top down: look at your last audit and ask which controls you can "turn up to 11", and look at other compliance standards for what you can take from them to build a more robust defense. That's what I want every person to think: if you are passing audits regularly, then it's time for the next step; figure out how you can do better, then plan and achieve it. To a degree we do this already; if you are trying to implement zero trust, most standards don't call that out, so that's something above and beyond.

Like most of my security advice, this is a stepping-stone process. Not every company needs to get to this level immediately; take your time and build just to a standard at first. Security is not an on/off switch; you can't turn all these controls on at once without causing chaos and user hatred. Security should be thought of as a sliding scale, and as long as you are moving up, you are moving in the right direction. Once you get a few passed audits under your belt, set your next goal and target that.

Multi Factor Authentication Considerations

It is still somewhat shocking to me that most businesses aren't taking Multi-Factor Authentication seriously and don't mandate it for employees and, as I mentioned the other day, for executives. Yet I see articles like this one from Yubico showing that people are making the effort, increasing spending by 75%. This is great, and I think if you work in any kind of business, MFA should be a required part of getting an account.

Yet I think some people are so quick to jump to MFA/2FA that they don't put in the required thought before rolling out the tool. Before I go any further: these are things you need to consider, and your business may be willing to accept the risk of these discussion points for one reason or another. This discussion should also not make you write off MFA/2FA; these are just things you need to plan for.

1. Text message MFA is not secure

Microsoft has pressed users to move away from text-based MFA due to the lack of security in telephone networks. The text messages containing your verification codes aren't encrypted, so attackers can gain access to them fairly easily. I mention this because it's the most popular way to get codes, and many businesses offer this as the only MFA method you can use. I have it on a couple of my accounts, and while it's better than no MFA, it's not as inherently secure as we might be lulled into believing. It's better to use an authenticator like Microsoft's or Google's (or any other third party's), or even a token-based option.

2. Tokens have a high cost to implement and maintain

So I said text messages shouldn't be your go-to, and tokens have been around forever, so they must be the better choice. The problem with tokens for many companies is selling the upfront cost: you'll need to buy one for every user in your organization, which depending on size can be costly. Then you need to figure out how many spares to hold for when people lose theirs. I do this with my own keys for personal accounts (and I later find them; the record was losing one for 8 months). So in a business you'll need to have some you can give people when theirs are lost.

Following on the thought of lost tokens, what is your process when an employee forgets their token at home? We've all gotten halfway (or all the way) to the office and then realized we forgot something we needed; how will your MFA plan account for this? It can really hamper a person's productivity, and your IT or Security unit may get blamed when a user can't work.

3. Lost MFA

I touched on this, but it needs to be called out on its own. As I explained earlier, I have a security token (a YubiKey) that I use for my personal accounts. I used this key to secure an authenticator (double security; yes, it was smart and dumb simultaneously) and then lost the key for the better part of 8 months. I was locked out of some of my accounts because I lost my security key. This doesn't just apply to token-based security; there have been times when my phone was wiped and I then realized my rolling authenticator codes were on it (I'm forgetful, if you don't see a pattern). In both cases I lost my MFA ability and needed to get into my accounts, and you need to plan for when a user has the same issues; "tough luck" isn't going to cut it.

4. Overconfidence in two-factor authentication

There is always a psychological part to information security, as anyone who has studied social engineering can attest. Users behave less safely when they believe they are being kept safe by other means. Computer users who run anti-virus software are more likely to install risky software, since the anti-virus should protect them if there is anything malicious; yet we as information technology workers can tell you that it only catches things that have been out there a while. Researchers have shown that this applies to two-factor authentication: they observed that users who were required to use a second factor (a fingerprint in their study) chose weaker numeric PINs than those who were not. So take that into account. If your users believe MFA is a fool-proof way to protect their accounts, they may be more willing to log in from an untrusted computer, or more likely to risk linking a cloud service or software from an unknown or unfamiliar publisher that can steal their data.

5. The more factors the better

One of the best things you can do is allow multiple factors, not a single option. This gives your users the best chance of getting into their own accounts. For example, at one place I worked, I could choose how to do MFA: phone call, text, authenticator push (on multiple devices), token, or even a rotating code. Now I had to set all of these up, and we didn't mandate how many people needed to use, but I encouraged everyone I helped to set up as many as possible to avoid lockout. Were all of them the most secure? No! But the system let me make the choice. I had text set up but never once needed it; it was a safety net in case I did.

6. Lock all other methods out

Once MFA is in place, make sure you use it everywhere and lock out any protocol or legacy system that lets you bypass MFA. This is probably the most difficult item for some companies to implement, so you may not be able to shut off the systems that bypass it, but figure out other compensating controls that will let you secure your environment, because I've seen first hand that when malicious actors see MFA or any other security control, they switch tactics and look for legacy ways to get in without MFA.

Like most things, knowing the right areas to look at before rolling out your tool, and making it simple for end users, is key to making any security work. Too many security methods can be draconian, and people will simply not follow them. MFA should also be part of a well-rounded security program; paired correctly, it can be a useful tool.

Anything I missed, let me know in the comments below.

Protect the Executives

For years I've advocated paying extra attention to accounts on a network that, once compromised, can cause devastation to the environment. Depending on what industry you work in, these are executives, VIPs, politicians, or the C-suite; whatever you call them, these are accounts you may not have considered dangerous, but they can be. The damage from one of these email account takeovers can run into millions of dollars. In 2019, Toyota Boshoku Corporation lost $37 million after the information in a payment transaction was changed, sending millions to the fraudsters.

Information Security professionals responsible for securing sensitive C-suite email accounts face a two-fold challenge: securing accounts with wide-ranging permissions, coupled with a significant educational role with largely non-technical executives. Surprisingly, this struggle is compounded by malicious actors who know this too; their brute-force attacks on C-suite mailboxes have escalated by 671%, according to the latest report from Abnormal Security.

What tends to make security headlines now is ransomware, but that's not all we need to focus on. I've made the case before, as most security professionals know, that regardless of how sophisticated our intrusion detection tools are, our users are the weakest links. Of our typical users, the executives of the organization are the group most at risk. In my personal opinion, the two best targets in a business are first and foremost the executives, and then the IT people.

Let me explain my thought process on this view of the landscape. Executives, by the nature of their position, may not be the most technologically savvy users; that's not their role in the organization. Secondly, that same group may be more likely to have exemptions from the security practices applied to your standard user. Our average users generally can't opt out of the practices that defend the network, but an executive who wants to get around multi-factor authentication will apply pressure to be exempted. Plus, in the numerous companies I've worked in, some of them were more than likely administrators of their own systems. And the example I give every IT person: if your boss's boss's boss asks you to do something now, how likely are you to hesitate or quote policy to them? If we're honest, not many of us would.

In an article from CSO, Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University, said, "The combination of social engineering and clever use of email made to look like it's from the boss/CEO is a real threat in business email compromises." He also stressed that the importance of securing these accounts comes with the "greater vulnerability and risk to the organization, which will be exposed to ransomware, email spoofing, and related threats." Executives are the most trusted with corporate secrets and confidential data, and their communication is more likely to be read and their instructions followed. "[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules. They are also more prominent and therefore easier to target and imitate for abuse," says Holden.

The second coveted group is the IT department. Though honestly a tougher target than executives, if an attacker gets an account with privileged access, their whole job becomes easier. They may be able to leverage an executive account to gain access to a privileged account just by asking. The reason an IT account is such a catch reminds me of a story from an Information Security professional where malware from a compromise was hidden in a group policy object, to install and infect the network when a user logged in. How scary is that?

So after all that, what can we do to protect these accounts? Well, I wish it were easy, but like most of our work in the information security field, it's not. You really need to educate those executives, make sure they really understand the why, and keep them from exempting themselves. I recommend going through tabletop exercises to raise their awareness and run through the process if something does happen. Like most things with executives, make the exercises and training non-threatening, and try to give them the information they need to prioritize this and other threats.

Once the awareness part is in place (or underway), the technical controls need to be worked out with the executive suite. This is probably what you are already doing with others in the organization, but you may need to make it easier for them. One example is multi-factor authentication; you might change the tactic with them, for example, if your system allows it, letting executives use push notifications rather than the text messages, random codes, or security keys your average user is using.

The third step is to make sure the executives know the importance of the part they play in the process. For any security program to really succeed in the organization, everyone needs to know that the executives support it 100%, and that they not only back it but are also doing the same thing as every other user. It's like the foundation of a building: if they are strong, understand the why and the risk, and back it, fewer people will be willing to challenge it. I remember a discussion at one position where an important user tried to fight a security protection, and I mentioned that the top person in the organization was doing it, and that if they needed an exemption they'd need to explain why they deserved to be excepted when everyone else was included. They weren't happy, but as far as I know they never tried to exempt themselves again.

These may read like easy tasks, but I can assure you they are not. Information technology professionals already have a difficult time explaining technology risks, let alone security ones. So these may not be single engagements, and you’ll need to spend a lot of time laying the knowledge foundation to get everyone on the same page.

Q&A Monday: Is IT Security nothing but paperwork?

Oh boy, I’m excited, I haven’t done one of these in a while!

Question:

In my current company, I just switched over from the server operations side to the security side of the business. While I have only been in this position for about two weeks so far, I’ve been doing more meetings and paperwork than I have other work. Is security nothing but paperwork?

Evelyn Clayton
Okmulgee, OK

Answer:

This is a good question, because I have heard this a couple of times…and while I wish there was a straightforward answer, the real answer is it depends. IT Security can be different depending on where you work or what you are doing. For example, if you are doing Red Team work (penetration testing), there would be more technical work, but there is still the meeting and reporting piece. People who work in Security Operations Centers tend not to have paperwork (per se), but tend to work on tickets instead.

Like I said, this all depends on the company you work for; small or medium companies may not have all the normal security roles filled. In these places, while you may have a title (like security analyst), you may fill many other roles that traditionally belong to separate positions. I’ve seen security analysts who did risk management type work, since the organization didn’t have someone to fill that role but needed their security professional to complete that task.

Now this isn’t something that is just tied to security, but I feel like more people have an expectation of security roles. For example, I was a Systems Administrator in one company and I did almost everything on the network: configured switches, racked and installed servers, managed VoIP phone systems, etc., all while friends with the same title at other companies just managed servers, and had teams to rack servers or a telecom team to manage the VoIP phones. This is something in IT we all need to be cognizant of: what does the role really entail? There is nothing good or bad about these extra roles, but you need to make sure you understand the position before accepting it.

Now from my personal experience, I’ve had a lot more on the meeting, compliance and paperwork side. This is something that I don’t mind, as I view it as the thing you need to build a successful security program from, but I need people with the expertise to do the scanning and report the results, to help me build a successful strategy.

So to answer concisely, understand what security means for your company, and what is expected. If it’s not for you, that doesn’t mean you need to give up on security; maybe look for a position that better matches your needs. If it’s not too overwhelming, doing a multi-faceted security role can help you learn skills without the pressure of having to be excellent at any one of them. When your sole skill is penetration testing, there’s sometimes a little pressure to be good at it. Either way, you need to make the decision for yourself and what’s best for where you want to go in your career.

——————————————————————————————–
If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Leading Remotely…Making better Leaders

Most businesses are switching to either a remote or hybrid model to help employees in these pandemic times, and employees are loving the freedom it brings. I’ve seen more than a couple of managers struggle with this change, so if you have felt this way, you are not alone. Most managers are used to being able to see the people they are leading, and without that, it makes the job harder.

I like to look at this not as a challenge, but more as a shift that should make managers up their game, per se. I think many managers tend to use seeing people in the office as a crutch for good leadership. Relying on keeping an eye on your team was nice, but now you need to become a better leader by being more deliberate in what you are doing with your team.

So what do I mean by being more deliberate? Well, some managers are used to being in the office and hands-off unless something needs to be done, and then finding the person with the lightest load and assigning them the task. That’s easy when you can easily see your whole team, but remotely, you need to be more actively aware of the workload and what tasks might be coming to your team. It’s switching from a passive to an active leadership strategy.

I think this may be a controversial statement, but I think the office environment helps mediocre managers. If you communicate something wrong, you can see your mistake and correct it, and then keep making those mistakes. Remote management is less forgiving in this manner: you may not catch a miscommunication until hours later. If a team member is struggling, it’s easier to see that in an office environment, and you’ll need to improve your skills to catch this remotely.

Communication is a key thing that I’ve heard and seen many managers struggle with in this remote environment. There is way more communication than there was in the office, but that doesn’t mean that the communication is better. There’s a balance that needs to be struck, with more direct and succinct direction given. Think of communication as a wild animal that needs to be tamed to do what we need it to do: not over-communicate and not under-communicate, something that strikes a balance, and that’s not easy.

Goal setting is something that you’d expect every leader to have down, and while I wish that was the case, it’s not. Most leaders have a solid handle on what the task is but may miss why the task is important. In an office setting, some people can learn this naturally through talking with coworkers, but remotely you need to make sure your team still gets the bigger picture.

While all this discussion has been about existing teams, I would be remiss if I didn’t mention the leadership skills needed when it comes to new hires. In every job I’ve had, I’ve had the advantage of sitting with or near my teammates. This let me naturally pick up the flow of the job, the rules of the job, and even the knowledge I needed to be successful. Remotely, you’ll need to encourage that in your team and be an active part of it, rather than taking most leaders’ formerly passive approach.

I’d like to put it this way: I’ve yet to be at a company where I haven’t leaned on a team member who’s been there forever to point me in the right direction or to help influence someone to assist me in getting a task done. They have the built-in trust of other employees, which carries weight or helps you through a process. I’ve yet to be at a place that was so perfectly documented that I didn’t need that assistance; it’s hard for a new person to navigate that.

So all this is to say, take this opportunity while remote to make yourself a better leader. Take some time to adjust your previous strategies, talk candidly with your employees, make sure you use clearer communication, don’t over-communicate, don’t under-communicate, and most importantly, if you do go back to the office…don’t let these skill improvements fade and lean again on the crutch of mediocre leaders.
