Interestingly, when attempting to get to the root cause of problems and incidents, communication and business acumen skills noted come into play and improve outcomes. "Diplomacy also can be effective in crisis or reactionary scenarios," says K. C. Yerrid, Senior Security Consultant at FishNet Security. "Consider the barriers to determining root cause for an incident. By utilizing diplomacy, personal motivations to distort the truth and protect job security or ego may be reduced, resulting in a more efficient resolution and shifting the goal of the root cause from a personal witch-hunt to a bona fide process improvement mechanism," says Yerrid.
Effective Habit 5: Proficient Consumer of Knowledge.
Another critical trait mentioned among those we queried is quenching the constant desire to learn new things. Kelly Lum, Technical Information Security Officer at Citi says it's about keeping on top of news and changing developments in their field whether it be policy developments, new exploitation techniques and bug classes, emerging tech, and other trends.
The need for an attitude of life-long learning is clear on the surface. In the past five years alone, technology has changed tremendously and so has the industry's general understanding of the adversaries it faces. To keep abreast of the latest technologies, exploits, and attack trends, it's important to hit the books, blogs, social media, and news sites daily, and obtain certifications and attend a conference or two every year.
Tagged's Sverdlik says he is also sure to hit a number of resources every day. "I personally read Reddit, a full disclosure mailing list, and several others every day just to stay on top of trends and correlate them back to my organization," he says.
Effective Habit 6: Actively Engage with Business Stakeholders.
Effective security pros are always looking for ways to engage with business stakeholders, whether it's business leadership or IT and operations teams. "Without engagement up front, during requirements definition, security will be hard-pressed to be proactive," says Tadd Axon, IT Architect at Oakville, Ontario-based Softchoice. "Engaging with infrastructure and development teams at the beginning (actually becoming a stakeholder in a project, rather than just a gatekeeper), and during the building and testing of a given system gives all parties a better understanding of the business objectives and technical, organizational, and other reasons as to why [certain] choices are made to ensure functionality," he says.
This level of early and persistent engagement enables security to properly argue against certain courses of action and to more coherently offer alternatives," says Axon.
Effective Habit 7: Being a Student of Offense and Defense.
When it comes to information security, a good offense often means an effective defense. "To understand your risk profile, you should begin to look at your organization from an adversarial perspective; this requires a thorough understanding of offensive [attack] techniques. When we speak about offense, we are referring to techniques used by adversaries to exploit weaknesses in your organization be it for financial gain, competitive advantage or, worse yet, to tarnish your reputation," says Sverdlik.
Sign up for Computerworld eNewsletters.