COMMENTARY
As a teenager, I commented to my father that not everyone gives good advice. In fact, some people give just plain bad advice. My father told me that while I didn't have to take everyone's advice, I needed to listen to what everyone was saying to me.
Knowing whose advice to take versus whose advice to leave is a skill that most people spend a lifetime honing. One thing is for sure, though: There is no shortage of advice, information, and distraction. This is particularly true in our profession — it seems that most everyone has something to say about just about every topic in cybersecurity.
Thus, as most of us mature and grow as security professionals (and as people), we realize that knowing what to ignore is just as important as knowing what to pay attention to. If we pursued every new idea that came our way, we would spend our entire day churning away on a variety of different possibilities, most of which would bring little improvement in our organization's security posture. On the other hand, if we ignored everything new, we would miss plenty of great opportunities to improve the ways in which we defend our organizations.
How to Organize Your Thinking About Advice
Clearly, we need to find a happy balance. The question is, how can we know what we should ignore versus what we should act on? There is no absolute answer here, but here are a few guidelines to help assess advice. To illustrate them, we will use the example of improving the state of your organization's API security.
"So what?" factor: When evaluating whether to pursue a suggestion, it can be helpful to ask the question: "So what?" If I were to pursue this, what impact would it have? Is there a real potential for any outcome that would be worth it, or will this merely be a time sink? If the impact is nonexistent, that is probably a sign that we can safely ignore it. In our scenario, improving API security is almost certain to yield value, so the suggestion would remain on the table.
What's my action?: It can also be helpful to think about what, if any, action is required from you. Will this bring tangible results? Or is this just a whirlwind of information that will not yield any material change in your day-to-day? If there is no action, you can probably look elsewhere for suggestions. Improving the state of API security would definitely involve action from me, so I'm still listening.
Practicality: Unless we are in a theoretical research position (which most of us are not), any idea we consider needs to have a practical application. It can be helpful to ask the question: "Is this an academic exercise?" If it is, it is probably safe to move along. There are many API security improvements a colleague might recommend to me that would have real-world impact, so I'm still taking notes.
Strategic fit: Most security teams have a strategic direction that includes priorities designed to steer them in that direction. If some new API solution grabs people's attention, for example, it is worth my taking a moment to slow down and assess whether it fits the team's strategy. If not, it is probably best to move along.
Detraction: When assessing a suggestion, most people will think about what it could potentially bring to the security team. What fewer people consider, unfortunately, is what the suggestion could detract from. This is an important point to consider, however. If pursuing a suggestion will take away from other, more important activities, it is likely not a good one. If this theoretical API security project took resources away from threat detection and response, we'd want to know that and weigh the pros and cons.
Source: When an idea is suggested, it can be helpful to consider the source. Some people suggest practical, actionable ideas that fit the organization's strategic direction and don't detract from other important activities. Other people suggest ideas that are more half-baked. It is worth asking: "Has this person led us astray in the past?" If they have, it is likely safe to ignore their ideas absent any compelling evidence that the ideas are good ones. If, for example, my colleague tends to make suggestions based on their friends' social media posts, I am less inclined to get excited about any new API security ideas they bring up.
As security professionals, we all get a tremendous amount of advice, information, and distraction coming at us every day. Pursuing all of it would be unwise — as would be pursuing none of it. We can reach a happy medium by following some guidelines. Regardless of what methods we use to help us sort and filter what comes at us, doing so successfully is certainly an important part of remaining productive in our careers.