Speaking at BSides San Francisco today Katie Ledoux, manager of trust and security governance at Rapid7, presented a session exploring some creative solutions to infosec problems.
Ledoux said that when fixing problems “managing little fires without losing sight of long-term goals is an issue that anyone who has a job needs to deal with” but in infosec, she says it is particularly challenging as “much of our work is reactive and time-sensitive.”
In Ledoux's experience, fixing information security problems and building environments in which problem-solvers thrive comes down to managing two categories: individual factors and environmental factors.
The first individual factor is the ability to define a problem, Ledoux said, explaining that “we often fail to articulate the problem we need to solve before we jump into action.
“A better problem statement invites you to consider all of your options.”
The second individual factor is an ability to stack small victories, Ledoux continued. “When we’re trying to fix something in our organization or industry, there’s nothing wrong with starting small. Not only does every improvement count, but these experiences are also valuable lessons that we will use for larger issues down the road.”
The third individual factor is the ability to leverage diversity of thought, Ledoux said. “The more diverse backgrounds we leverage, the more associations we get, and the more paths we have towards solving a hard problem.”
As for the environmental factors, the first to consider is how to most effectively manage resources to generate meaningful outcomes. “More resources alone won’t solve all of our problems,” Ledoux argued, so “we need to be strategic about how we direct them”. To do that, Ledoux advised using “crafty” metrics to:
- Set boundaries on time spent on operational tasks
- Use clear, visible KPIs to drive attention to priorities
The final factor to manage is the environmental one of encouraging problem-solvers to challenge the status quo, Ledoux concluded.