I’ve worn many hats over the years - everything from IT support and DevOps to starting the internal application security team at a large multi-national defense contractor. Seeing all sorts of different infrastructures and their security problems has led me to a few truths that I hold about every organization, regardless of its size:

1. If you are an obstacle, people will step around you. If you make it a battle you will lose. Period. There are always going to be more of your users than there will be of you and your team, and no amount of firewall rules is going to change that. Your users will go to ridiculous lengths to circumvent you if they feel it necessary to get their stuff done, and you simply can’t be everywhere at once. Try never to flat-out refuse anything; instead, suggest secure alternatives and work with people to accomplish their goals.

2. Your users aren’t (usually) trying to hurt your organization, so don’t treat them like they are. They usually just want to get their work done and get on with their lives. If they’re doing something “dumb”, then it’s up to you and your team to either put bubble wrap on it in the form of a technical mitigation, or convince them to stop doing it.

3. Make the easy thing the right thing. See #2: a security organization’s sole purpose should be to enable the company to conduct whatever business it needs to do, securely. Are people using an unauthorized chat client for internal meetings? Talk to them and understand why they felt it necessary to do that; don’t block it and yell at them about it. If you treat people like adults, they’ll give you respect back and will generally be more open to suggestions for ways to improve their security.

4. You have to market yourselves. It’s critical to build up trust with the organization you’re protecting, otherwise your users will always see your team as a group of isolated people who occasionally come disrupt them. You need to (nicely) socialize your team’s goals and make it clear that security is everyone’s responsibility. Host a meet-and-greet or a happy hour and force them to empathize with you. You also have to socialize good behaviors: a bit of kudos here and there leads to large returns in opening communication channels.

5. The Mossad is going to do Mossad things no matter how hard you try to stop them, so when you can’t prevent it you damn well better detect it. Do thought experiments, understand how data and authorization flow in your organization, and spend actual time thinking about how an attacker would move laterally within your network. Use that to bolster your defenses. Firewalls, two-factor auth, and an “oh shit” plan are your best friends when you have unexpected visitors in your network.

6. Security tools all kinda suck, plain and simple. I don’t know who the vast majority of security tools were written for, but humans definitely don’t seem to be on the list. Most interactions end up leaving your users either scared, frustrated, or angry. Most interactions you and your team have with the administrative side are more of the same. More on that later though ;).

If you can grok those points and live by them, you and your team will have a much easier time defending your organization from threats, internal and external.

Building a relationship of mutual respect and trust leads to a strong, distributed, security organization that gives your users a feeling of genuine security, and helps socialize the work of you and your team, freeing you up to help ensure that your organization is as safe as it can be.