IS IT TIME FOR A PERSONAL C-I-A TRIAD?

According to the Merriam-Webster dictionary, accountability is “an obligation or willingness to accept responsibility or to account for one’s actions.”

As information security professionals we naturally hold ourselves accountable for ensuring the systems and data under our care are kept secure. We are constantly reminded of the C-I-A triad (see diagram on the next page).

How are we doing with our accountability to each other in information security? I have had reason to ask that question for myself. I have read comments where individuals and organisations have been publicly abused. This goes beyond sharing information about doing better. It is outright abuse. Our profession is stressful enough without the additional stress that results from personal attacks.

I suggest creating your own personal C-I-A triad, as I have done and as I will explain later in this article.

Recently, I had a conversation with a woman who reached out to me about setting up a network for women in information security in her country. She had just started getting a group of similar professional women together. She expressed frustration about one woman to whom she had given a ticket to a capture the flag (CTF) event. The woman did not show up and did not respond after the event. I suggested to my contact that, instead of complaining to me about someone I did not know, she should dedicate no further time or thought to the no-show and not invite her to any future events.

This woman who reached out to me had been inspired by what she had read about New Zealand Network for Women in Security (NZNWS). I told her that, over the last three years, my fellow co-founder Tash Bettridge and I had heard from many women, and men, who had said they wanted to assist with NZNWS. However, when we asked them to join us, we were met with silence. We have even been recipients of negative comments. Rather than complain about those who would ignore us, or even try to thwart us, the two of us moved forward with our own limited resources.

Eventually others saw what we were trying to do and joined us. We now have an active crew of ambassadors who have taken personal responsibility and accountability for preparing and presenting events in line with our mission. We are also fortunate to have international partners such as Women in Security magazine join us in our efforts.

Accountability To Self

As women we are expected to give more readily of ourselves in our many roles. We are also expected to more readily forgive others. In doing so, where is the accountability to ourselves? Do we continue to drag others along who reap the benefit of our hard work with no effort on their part? Do we sit in silence while others take credit for our hard work? It can be a tough decision. As women, we are expected to be kind, forgiving and to serve everyone.

I once offered friendship and connections to someone I knew. She would come to me only when she needed something from me. During the years of our ‘friendship’ I only asked her to do one thing for me, at an event, and I expressed how important it was to me. She committed to do as I asked but when the event occurred, she failed to fulfil her commitment. She did not even express any remorse.

I reflected on the many times she had received support from me, which I had given without question, and I gave myself permission to speak my truth to her. I told her, politely and privately, that I could no longer continue the friendship. This may sound harsh, but in doing so I relieved myself of continuing to help someone who did not demonstrate accountability to me, my time or the connections I had built through my reputation.

Employer Accountability

Employers should show accountability towards all their employees. How do they show respect for your hard work, experience, knowledge, teamwork and mentoring? This can be done in many ways including, but not limited to, offering paid educational opportunities, mentoring and leadership opportunities and, of course, promotions.

In addition, does the enterprise’s environment accept our many-faceted selves? Does the enterprise hold itself accountable for helping us grow or when we face workplace challenges? I have left an employer because of racist statements made by others. I received no support from management, and I grew to distrust my colleagues.

The need for information security professionals is growing, as are their responsibilities and workloads, in line with the number and types of cyberattacks. So, why is accountability of employers to information security professionals falling? We see this in the number of reasons for the ‘great resignation’. Our profession is seen only when something negative occurs. The general public does not see what it takes to keep systems and data safe. Staying on top of new technologies and the threats they bring is stressful. Sometimes we take that stress out on each other.

In looking back at the C-I-A triad, I can share my personal triad:

• Confidentiality – I have kept conversations between myself, other individuals and organisations confidential. I could have shouted to the world about the negative things said or done to me. I could have shared names of those who have tried to thwart our efforts to create NZNWS and make it a viable entity.

• Integrity – I maintain integrity by keeping my commitments. I also maintain integrity by sharing any difficulties I may have in keeping commitments to others. I expect the same level of integrity from others. If you make a commitment to me and are not able to keep it, just tell me. Otherwise, you lose my trust which is awfully hard to gain back.

• Availability – I allow myself to offer my precious time and network to those who will benefit. However, that availability may increase or decrease based on the type of interactions we have.

So, as women and as information security professionals, should we adopt one of the core tenets of our profession for the conduct of our personal interactions? Is it time for you to create your personal C-I-A triad?