Anyone working in cybersecurity can tell you that there are endless fields of specialisation: for example, helping R&D through AppSec, hacking companies through red-teaming, or responding to incidents in a CyberSecurity Incident Response Team (CSIRT). Regardless of speciality, there are skills you will have mastered, and ones you haven’t. In addition to the skills, there are knowledge, ways of working, etc. connected to each field.

An aerial view of lots of fields

We as cybersecurity professionals need to be better at leveraging this diversity of skills and knowledge to our advantage. We can learn from each other when it comes to securing our business, because that is what’s most important. There is no need to be territorial about our knowledge; we need to share with and learn from others. This applies not only to skills and knowledge, but also to ways of working and other methodology. It is always a good idea to leverage the diversity of a group.

IT and OT-Security

Two fields that rarely communicate, but that I feel could learn lots from each other, are IT and OT security. There are things in both areas that are not transferable between them, but that does not mean that nothing can be transferred. For example, IT and OT are moving towards convergence on a technical level; therefore, they could do the same on a technical level.

The following talk by Mats Karlsson Landré is a great starting point for these kinds of discussions. Here he describes the current state of OT security, and at what points a discussion between IT and OT professionals will be relevant.

Lawyers and Practitioners

When we talk about cybersecurity professionals, we should not get stuck in a box regarding whom we talk to. For example, a lawyer could be invaluable for a practitioner, regardless of whether they are technical penetration testers or management consultants writing a policy. For example, a penetration test could yield extra findings due to stricter regulations for healthcare providers. If you only know the technical part, how would you know the difference?

In the other direction, lawyers might get better at triaging after discussing with the Security Operations Center (SOC) team. In their field it is important to get a priority at a glance, and to know which tasks need to be fixed immediately and which can wait.

Security and Developers

Due to my work in AppSec, my experience of the importance of sharing is not only with other security professionals. It is just as much, if not more, with developers. When it comes to complex vulnerabilities in a system, I often discuss them with developers. Since I need to support developers for different systems, programming languages, and deployments, I cannot be an expert on the ins and outs of each of them. Therefore, it is much more efficient to have a discussion with an expert. Often when I describe the risk (how I think it will be possible to exploit something), the developer can show how it is not a problem, or we together build an exploit that helps the developer understand why it is an issue. Either way, we build trust with the development team, I learn about the specific system, language, etc., and the developers learn about potential risks to avoid. All of these are desirable outcomes.

Two persons sitting in front of a computer cooperating on a problem

Conclusion

The security field, as well as IT in general, is a huge field. No one can be an expert at everything, but everyone has their niche. To protect the business as well as we can, we need to communicate between disciplines and learn from each other.

Just by working together, and getting the chance to build a common language and ask "why" about things, the overall understanding in the organisation increases, while the overall risk is lowered. When everyone gets to ask questions, we broaden our views and see things from other points of view. In doing so, we also find both problems and solutions that otherwise never would have been found.

For anyone interested in the benefits of great communication (outside security), and generally in how to improve a workplace, I must recommend anything by Adam Grant. He has TED talks, books, podcasts, etc. Usually all of them give insights into how we can improve the workplace.

Photos

Photos from Unsplash

  1. Photo by Rod Long on Unsplash
  2. Photo by Alvaro Reyes on Unsplash