LinkedIn CISO Cory Scott uses 'security narratives' to hire the most successful team and improve the company's security function.
Creating a narrative isn't just something writers do: Cybersecurity professionals can build a working story of their role to help them improve in their job, as well as help managers create the most diverse, successful teams, according to Cory Scott, CISO of LinkedIn.
Scott joined the LinkedIn team about five years ago, after leading a security consulting practice. LinkedIn's security team has since grown significantly larger, thanks in part to Scott's efforts to build it out.
The concept of "narrative identity," born many years ago, can be distilled down to the idea of telling a story about ourselves, Scott said. "When someone asks me what I do, I try to spend less time talking about title or position," he said. "Instead, I try to tell a story about the work that I do, and how I work on securing this platform, and I work on protecting our employees. I have a narrative about the things that I do and how I get there."
Creating a personal security narrative is particularly important for CISOs, Scott said. The narrative is composed of two parts. Present narrative refers to the work you are currently doing: For Scott, this means how he thinks about member privacy when building new security features. Long-term narrative refers to your career as a whole, and what you want to be known for through the work you performed.
"It's really important to have that narrative in times of adversity or conflict, and make sure that you don't let other people define your narrative for you," Scott said.
Creating your cybersecurity story
How do you create a security narrative of your own? First, think through some of the standard stories you hear security practitioners adopt today, Scott said.
One is the defender, who is driven primarily by wanting to stop bad things from happening to the people and companies they protect. Another is the clever trickster, who looks for flaws in software and implementation. There's also an engineering narrative, which sees security as an engineering problem at its core, just like performance, scalability, or reliability. Another is the assessor, who wants to align security to the business and prioritize protecting the most important assets.
"When I talk to different CISOs, they put themselves maybe in one or two of these camps based on their current mindset, their career background, and how they want to interface with their organization," Scott said. "Having that narrative explored really helps them in their development."
It's important for every individual in the security team to have a narrative, Scott said. Uncovering the narratives of each individual applying for a job or a project can help the CISO build the strongest, most diverse security team, he added.
"I want to have those tricksters, but I also want the defenders working with them, so that that defender can figure out how to detect an attack that might be perpetrated by that trickster," Scott said. "I want an actuarial assessor type of folk saying, 'Hey, is this actually a threat priority?' I want an engineering woman to say 'Hey, I could actually write a library or piece of code here that will eliminate the attack in a cost effective way.' So, when you look at it from that perspective, you end up with individuals all working together by using those narratives to build a strong security team."
Discovering a security practitioner's narrative should ideally start in the interview process, Scott said. "I have hired people with no security experience who have one of these narratives about how they approach technology and operations and engineering in a manner that I know will fit into the narrative of the security professionals," Scott said. "And we can bring them along for the journey and have them develop their career."
All of these narratives form a wide array of diverse perspectives and backgrounds, Scott said.
"I've seen a lot of CISOs that hire a lot of people that look exactly like them, that talk like them, that try to solve problems the way that they'd solve the same problem. I've even caught myself in that trap from time to time," he added. "The idea is, is that you need to make sure that you're hiring people that have different narratives than your own, because they are going to provide the necessary perspective and interface to other parts of the organization, that might also have that same type of narrative in a way that you wouldn't be able to relate."