Hunched forward in an effort to find comfort in old, wooden chairs gathered around a whiteboard in an oversized conference room, the ten people sitting before me each clutched a single sheet of white paper in one hand, a pen in the other.
Nervously, they looked to me for direction, wondering what on earth I was about to ask them to do. "Take five minutes and write down your definition of the word security," I asked.
Nervousness instantly changed to comfort, for I asked a simple question everyone knew the answer to. Each of the participants quickly started to scribble their definition on the paper.
About a minute later, I noticed a few people scratching out words, phrases and, in some cases, the entire definition. Three minutes in, people were still writing, pausing for a moment to think, draw an arrow or two, scratch out a concept and then scribble again.
At the end of the five minutes, I asked the members of this team to share not only their definitions, but also their reflection on the exercise. More interesting than the actual shared definitions was the fact that by asking ten security professionals to define security, I got 15 responses!
I've repeated this challenge multiple times and generally get more definitions than the number of people. This happens because when first presented with information, a task or a concept familiar to us, we readily presume understanding.
The moment we need to translate a loosely held notion in our minds to a precisely defined meaning, we realise that context matters, and the definition might change.
Test it out on yourself and on your team.
Why it matters
To be an effective security professional requires an understanding of risk, risk tolerance, threats, the business and a multitude of other essential topics. Under the banner of "security" lies a wide range of technologies, processes and services we offer to those we serve in an effort to reduce risk, or to hold it at reasonable, acceptable levels.
Consider the responses people offer when we introduce ourselves as security professionals.
Over the last two decades of testing and changing how to explain what we do, the responses have tended to focus on what the person I was talking to understood. If they considered security a firewall, that's what they thought I did. If it meant a bodyguard, I must be in personal protection.
For some folks, though, it's just too nebulous to pin down (it has too many meanings); for these people, we're more likely an impediment to their success (real or perceived) than anything else.
If we are unable to advance a clear, consistent definition of security, how can we reasonably expect the people we serve to understand, let alone comply? We provide a valuable service to the organisation, but to be successful, we have to be clear on what that service is.
What to do about it
While the exercise may not prove simple, the first step is to work with the team to define what it means to be secure. Perhaps go further and describe, using a common example, how your efforts to improve security and reduce risk help the business.
Then walk the definition around to the water cooler and lunch tables and socialise it with examples to the folks you know. Ask them how they would describe what you do. By sharing a documented approach with them and listening to their impressions, it is possible to build a definition others will understand and possibly embrace.
In the meantime, what does it mean to be secure at your organisation? Does your entire team know this?