4 Habits From Consulting Every Security Professional Should Steal

When it comes to communicating security issues to people, it's just plain hard. But stealing some lessons from others might make it easier.

After being home on parental leave 80% of the week and working 20% of the week, I will be switching percentages tomorrow. That means more time to get hands-on with security. I’ve recently switched from risk management consulting to a pure security position within a fast-growing organization with a very IT-centric culture. Working one day a week in this environment has been a good way to get an impression of the organization and its context, and now the real work begins. I think habits from the consulting world will be beneficial to everyone involved. Here’s how.

Successful consultants must be good not only in their technical area of expertise, but also at moving around in unknown territory in client organizations while navigating complex issues with many stakeholders – these are habituated skills that security professionals should adopt.

Getting Into Someone Else’s Shoes

Consulting is about understanding unarticulated problems and getting to the core of those problems through intelligent questions. That is the essence of it: the good consultant understands that context is everything, and that the perception of context differs depending on the shoes you wear. This goes for strategy development, for risk management in general, and definitely for cybersecurity.

Use Your Analytics for (Almost) Everything

As a consultant, you must be able to back up your claims. Your recommendations are expensive to obtain, and they had better be worth the price. Often you will make recommendations that are uncomfortable for decision makers – because of their cost, because they challenge assumptions, or because they are not aligned with the decision makers' gut feeling.

This is why consultants must be ready to back up their claims with two essential big guns: a convincing approach to analysis, and solid data. Further, to add to the credibility of the recommendations, the methods and data should be described together with the uncertainties surrounding both.

Working in security means that you are trying to protect assets – some tangible, but most not. The recommendations you make usually carry a cost, and to convince your stakeholders that your recommendations are meaningful you need to provide the methods and the data that make them compelling. Which brings us to the next step.

Always Make an Effort to Communicate With Purpose

Analysis and data become useless without communication. This is the high-stakes part of consulting: communicating with clients, stakeholders, and internal and external subject matter experts, not only to present your facts but to support the whole process. Understanding context is never a one-way street; it is a multifaceted, multichannel communication challenge. Understanding data and uncertainties often requires multidisciplinary input. This means questions must be asked, provocations made, and conversations had. Presenting your recommendations requires public speaking skills. And following up requires perseverance, empathy, and prioritization.

In cybersecurity, you deal with a number of groups, each with their own perspectives. Involving the right people at the right time is key to any successful security program, ranging from optimizing automated security testing during software integration to teaching support staff about social engineering awareness.

And That Leaves One More Thing: Learning

If there is one thing consulting teaches you, it is that you have a lot to learn. With every challenge you find another topic to dive into, another blind spot in your know-how. Consultants are experts at thriving outside their comfort zones – that is what you need to do to help clients solve complex issues you have never seen before. You must constantly reinvent yourself, you must constantly remain curious, and you must process new information every day, in every interaction you have.

Cybersecurity requires learning all the time. One thing that strikes me when looking at new attack patterns is the creativity and ingenious engineering of the bad guys. Not all attacks are great, and not all malware is complex, but their ability to distil an understanding of people’s behaviors into attack patterns that are hard to detect, deny, and understand is truly inspiring; to beat the adversaries we can never stop learning.


Published at DZone with permission of
