While Googling for something else entirely, I chanced across this statement from Darren on a ten-year-old SceptikLawer forum thread:
"The essence of my job as an information security architect is to understand the balance between risk (legal, practical, and otherwise) and the need for an organization to conduct business efficiently. I think a lot of what I do really does boil down to seeing the other side of things; I know what the “most secure” way is, but I also have to understand that implementing it might mean debilitating restrictions on the way my employer does business. So what I have to do is see their point of view, clearly articulate mine, and propose a compromise that works. There’s a reason a lot of IT security folks become lawyers."
Nicely put, Darren! While personally I'd be reluctant to claim that I 'know what the most secure way is', the point remains that an information security professional's job - or indeed any professional's - revolves around achieving workable compromises. For us, it's about helping or persuading clients and employers to identify and reduce their information risks to 'reasonable' levels, then maintaining the status quo through ongoing risk management.
Some of our professional peers struggle with this, particularly inexperienced ones with IT backgrounds. They (well OK, we) can come across as assertive, sometimes to the point of being arrogant and pig-headed, obstinate or even rude. Things 'must' be done in a certain way - their way. They are trained professionals who have been taught the 'most secure way' and are unwilling to countenance any other/lesser approach. Situations appear black or white to them, with no shades of grey.
Along with Darren, presumably, I view most situations as greys, sometimes multicoloured or even multidimensional due to inherent complexities and differing perspectives. There is almost always more to a situation than it first appears, and often more to it than I appreciate even after studying it hard. I embrace ambiguity. I value flexibility and open-mindedness, and strive to be flexible and open-minded in my work: for me, it's an integral part of 'being professional'.
Such pragmatism is fine ... up to a point. However, there are situations where it gets harder to back down, and eventually I may stand my ground, refusing to compromise any further on my core values (particularly personal integrity). That, too, is a part of 'being professional'.
There are behavioural clues that I'm approaching my sticking point, such as:
- Doubling-down on the analysis, carefully reviewing and reconsidering the position, searching even harder for those 'workable compromises'
- Openly acknowledging what I know about the situation, including other perspectives, ambiguities, the limits of my/our knowledge and (ideally) the pros and cons of the range of options available
- Being explicit about my advice/recommendations, explaining myself as clearly as I can - generally in writing
- Focusing on 'what's best for the organization' and 'the business' rather than me/us as individuals, or our professional judgement, or best practices, compliance obligations or whatever
- Trying (not always successfully!) to distinguish the relationship, personal and more subjective or emotive issues from [what I believe to be] the objective situation and decisions at hand
- Either negotiating the workable compromise, or playing my trump card - usually something along the lines of "They are your information risks, not mine. You are accountable for the risk management decisions you make, but I stand by my advice." That's my reasonably polite but hardly subtle version of take-it-or-leave-it, my-way-or-the-highway - and I mean it. I have literally walked away from untenable situations and don't regret it one bit.
Talking of which, I'm so busy now that I'm turning down new work because I don't have the energy and time to do things 'properly'. Must dash, things to do.