Changing Infosec Perceptions by Being 'Nice'

Tuesday, February 22, 2011

Brad Bemis


It’s a reoccurring theme I’ve been hearing a lot lately – security teams are being given specific direction by senior leadership to change how security is perceived within the organization. Or, more specifically, how the security team itself is being perceived.

Sometimes, our passion for security gets in the way of our responsibility to the business. It’s easy to get caught up in the fervor of “doing things right” when you’re surrounded by people who don’t understand security, people who just don’t care about it, or (more likely) people who just don’t have the time to make it a priority.

Whose fault is it really though? Senior leaders appear to be saying it’s our fault; and you know what – they’re absolutely right. Perception is reality after all. If security is perceived as an impediment to business, or the security team is seen as a roadblock to success, then the fault does indeed lie with us. So what have we been doing wrong, and how do we fix it?

It all comes down to relationships – no, this post is not going to get all ‘touchy feely’ and tell you to hand out chocolate hugs and rainbow kisses with a great big smile on your face every day. The importance of relationships (built individually and collectively) is absolutely essential to your success though.

It doesn’t matter if it’s a 15 second conversation in the elevator, an hour together in some formal meeting, or going out together after work – every single interaction you have with the people in your organization is an opportunity to build and nurture relationships.

If you have the right relationships in place, and you are leveraging those relationships to help educate people on the importance of information security, discuss their personal responsibility to protect the company and its customers, and explain the operational and strategic benefits that come with building security into the corporate culture, then you're already 80% of the way there.

The great thing is – building relationships and changing perceptions is easier than you might think.  For one, we can try being 'nice'.  Not a revolutionary idea, but an important one.  

There is a great line in the movie ‘Roadhouse’ where Patrick Swayze’s character “Dalton” is introducing himself to his new employees and describing his expectations of them. If you are unfamiliar with the movie – go rent it (it’s a great movie).

Just so you get the context, Dalton is a bouncer hired to help clean up a seedy bar in the middle of nowhere. The relevant part of the conversation goes something like this:

"All you have to do is follow three simple rules. One, never underestimate your opponent - expect the unexpected. Two, take it outside - never start anything inside the bar unless it's absolutely necessary. And three, be nice. If somebody gets in your face and calls you a [expletive removed], I want you to be nice - ask him to walk – but be nice. If he won't walk, walk him - but be nice. If you can't walk him, one of the others will help you - and you'll both be nice. I want you to remember that it's a job. It's nothing personal. I want you to be nice until it's time to not be nice – I’ll tell you when it’s time to stop being nice."

There is a lot that we security professionals can take away from this quote (hey, Dalton was a security professional of sorts). In my opinion, the most important statement he made there was “I want you to be nice until it's time to not be nice”. Being nice is a fine line to walk, so you have to be careful.

I’ll talk about other relationship building tools later on that will help balance this out a bit, but for now let me just say that being nice doesn’t mean you have to be a pushover, or capitulate to every demand, or bite your tongue when you really should say something with firmness and conviction. Remember “be nice until it’s time to not be nice”.

Anyone who’s worked with me over the past few years will likely tell you that I am a pretty laid back, jovial kind of guy who’s reasonably easy to get along with. I get chided for lacking a sense of seriousness that security professionals are supposed to maintain – right up until they see me in action when confronted with a challenging conversation. From then on, it’s a non-issue – this puppy can do more than just bark, you can be certain of that.

What they tend to miss in the beginning is my focused effort on being nice. Pardon my language, but in my experience you don’t have to be a prick to be an effective security professional – in fact, being a prick is counterproductive in almost every way imaginable. Being nice however, will serve you in ways that I can’t even begin to explain.

So how do you know when to cross that line and stop being nice? You’ll have to judge for yourself, but there was another part of Dalton’s quote that may apply here “I’ll tell you when it’s time to stop being nice.” Who or what will fill Dalton’s role in telling us when it’s time to stop being nice?

Quite frankly, I don’t think there is a time when you stop being nice – even under the most difficult of circumstances. Firm – yes, clear – yes, confident – yes, nice – absolutely. Just remember not to take anything personally – stay focused on the issue at hand, whatever it is.

My advice to be nice may sound silly to some… If so, my question to you is this – are you in one of those organizations where security is seen as an impediment to business? Are you one of those people who’s viewed as a roadblock to success?

If the answer is no – then great! I’d love to hear how you’re getting by without the need to be nice – please do share. But if you answer yes to either question – or even think you’re on the fence, maybe you should lighten up just a little and see if anything changes.

As stated in another quote – one that is ageless and known to all: “You can catch more flies with honey than you can with vinegar.”  It's true...

‘till next time – be nice… and enjoy…

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
