
There's not a chance that she could do that without every professional relationship she holds exploding in her face.


Exactly, this is what I rely on. People know me as the "people person" on my team. My career progression thus far has mostly been due to my ability to forge positive relationships throughout the organization (something that's desperately needed for cybersecurity teams.) If I screwed over a colleague like this, people know it would shatter those relationships and absolutely decimate my career. And cybersecurity is a small world, so it wouldn't be something I could easily brush under the rug.

It's sad, and sometimes frustrating, that I have to think in these "nuclear arms race" terms. And that's something else I try to be open about: that I'm really frustrated with this environment of fear. I think the more people openly acknowledge that, the easier it will be to move toward a healthier environment.


> positive relationships throughout the organization ... desperately needed for cybersecurity team

Why is that more important for cybersecurity teams? Is it that other teams can sometimes look at security as something annoying that slows them down? So they care about security not because they care about security, but because you + team are their friends? :-)


It's really common for other teams to view cybersecurity as an antagonist. We're the a-holes who slow them down, demand they follow rules, wag our fingers when they try to cut corners, etc.

It's also very common for people to view cybersecurity engineers as people who needlessly make things more difficult just so they can "look like they're busy" and collect a heftier salary. (I've found this mindset especially common in non-technical teams.)

We're kind of like the dentists of the industry--everyone grumbles about how pricey we are, no one looks forward to visits from us, people question whether we're actually fixing things or just out to make a buck, and we have to hand out all sorts of annoying reminders (floss your teeth! don't install Chrome add-ons! brush twice a day!)

Having a strong relationship with other teams allows me to come to the table and say, "Hey, look, we both respect each other. You know I don't bullshit, and I wouldn't be asking you to do this if it wasn't a real issue. So please at least listen to my concern and try to work with me here. And you know I'll always listen to your concerns in turn, so we can do this as painlessly as possible."

So it's not exactly "getting them to care about security because we're friends." It's more of, "getting them to listen because we both respect each other." And if you can do that--get them to listen instead of having them immediately shut down, get angry, and convince themselves it's all bullshit--then usually they'll quickly understand there's an actual threat at hand. And once you convince them there's an actual threat, they're way more likely to do something about it, instead of throwing a fit and resorting to vindictive pushback.


A bit off topic, but:

> all sorts of annoying reminders

Could that be the topic of a blog post? I'm interested in security and I've understood that I'd better avoid browser add-ons, but what more is there to not do, from you & your team's perspective?

> listen because we both respect each other

Ok yes "respect each other" sounds like a better way of saying that.

Fortunately, where I work, I can be as paranoid as I want wrt security :-) and postpone "deadlines" if needed, to do security stuff instead.

> And if you can do that--get them to listen instead of having them immediately shut down

I find it a bit interesting that soft skills (helping teams respect each other) can "convert" into and catalyze hard skills, I mean, secure IT systems.


Still, it is a kind of "weapon" that is held, like in deterrence.

See #metoo, where facts were kept hidden until society was actually prepared to accept the truth, because at that time a woman would have been laughed at to her face for accusing a man of sexism in the 70's ....


Using your weapon analogy, she is both "disarming" herself to the fullest extent possible and providing nukes to other nations to ensure mutually assured destruction in the event she is holding a concealed weapon. What more can she feasibly do?


It's not what she can feasibly do, there are no points for effort- even when the effort is admirable. It's how the risk/reward dynamics end up looking.



