What keeps you up at night?
Spend enough time wearing the Security badge and you will eventually be asked this question. I'm pretty sure this isn't something that's unique to the InfoSec realm, but I do think it's given a lot more traction when the person asking knows you have something to do with keeping the business secure.
I don't believe I was ever once asked this question when I was working in theatre, and I lost a LOT more sleep in that world than I do now. We'd be 6 weeks out from opening night, and not one single person at any of the production meetings would come anywhere close to asking this. We all knew there would be setbacks, unforeseen emergencies, unplanned outages, etc., but no one was ever brazen enough to throw this kind of bad juju into the conversation. Plus, we all knew sleep was a luxury none of us could afford until the show was up and running.
Once I moved from theatre to InfoSec, I started hearing people discussing the "What keeps you up at night" conundrum, and I would dwell on how I would someday answer this mythical question. I also listened closely to my leadership when they would give their answers. How my bosses answered their bosses let me know what I should be focusing on, and looking back now, I think that's a problem.
I've come to really dislike this question. I don't think it fosters an honest discussion between the security leader and the person posing the query. It just feels like fishing to me, and that's because it is.
The world of the Security professional is cloaked in mystery and acronyms that can leave even the best business minds spinning. So most times, the person asking is looking to you to share your expertise with them in terms they can understand.
Let's distill the question down to its basic meaning. "What is something that troubles you enough about your current Cyber Security program that causes you to have to spend energy 'off the clock' worrying and trying to resolve?"
If you pick something that has a technological remedy ("our outdated stateful firewall rules" or "our lack of a secure email gateway") then you either get the funding you need to make those purchases, or you don't.
You can answer something a little more ethereal and abstract like "our Risk appetite isn't keeping pace with our growing threat landscape" or "limited user awareness training."
In either of the above scenarios you're going to now be charged with putting in extra effort around those items, and if one of those items turns out to be the entry point for an incident later, then you're toast.
Finally, if you answer "Nothing", then you're going to look like an overconfident fool (and you're just inviting Karma to send a Zero-Day to your infrastructure).
So, how do you answer this impossible question and still manage to convey confidence while also pinpointing the areas where you need more resources? To me, it's about shifting the conversation. When asked "What keeps you up at night?" my advice is to use that as a chance to reply "I'd rather talk about what helps me sleep better."
"When the shoe fits, the foot is forgotten."
- Zhuang Zhou
Use this as a chance to highlight your program's strengths. Talk about how you have protections in place that layer on like the cozy blankets you snuggle comfortably under at night.
After that, you can explain how, in the event that something happens while you were getting some much needed rest, you have mitigations and playbooks, tools and technologies, plans and strategies to help you come through the crisis.
Finally, be sure to point out that you have the right people on your team, either in headcount or partners, who are ready, at a moment's notice, to start losing sleep for a valid reason.
Make sure leadership understands that it's in their best interest that you NOT be losing sleep worrying about what MIGHT happen, because you and your team need to be well rested for the events that DO occur. If you have gaps or areas that need improvement, then bring those up as ways to ensure that everyone can rest easier.
Don't be ashamed when your head hits the pillow that your mind is free from worry, because you've taken the steps needed to earn that rest.