The qualities of grass-roots security managers

Posted by tzul at 2020-04-13

Companies have recently reached the mid-year evaluation stage again. When writing a self-evaluation, you must be thinking hard about how to organize your work into a coherent whole. Some people cannot write the key points fluently; others suffer from "there is nothing to write, it was all routine work". How do you use medium- and long-term planning to improve your overall ability? My experience is to think about the value and the measurement index of a task before doing anything. Implementation is then a matter of reaching that index, so that even if problems arise the direction never gets out of control, and at the end there is ready-made quantitative data. For example, the team meeting needs a weekly report, which can be written at the start of work on Monday instead of being summarized on Friday. Similarly, meeting minutes can be drafted before the meeting: a meeting is for the participants to reach agreement, not for everyone to diverge in discussion together, and the final minutes exist to track the follow-up of what was agreed.

In this post the author considers, in the context of daily security operations management, the qualities that grass-roots managers of a security team need to have. Of course, most of these requirements apply to any grass-roots management post. Readers can reflect on the philosophy of management and the art of leadership through the simplest internal management work and coordination projects they usually do, and looking at PMP and structured-thinking books is certainly worthwhile.

Vision

Vision is a kind of comprehension ability: only when you know what good looks like can you recognize what is bad. Why do companies keep parachuting in executives, or encourage leaders to rotate? Because staying in the same post too long makes it impossible to keep pushing hard. The official account repeatedly recommends the best practices of benchmark companies in the industry, which is the same requirement for high standards. Grass-roots managers should think while running, keep an eagle-like vision, and lead the team to set thresholds that latecomers must surpass. For example, for a vulnerability discovery rate target, we should understand that the real goal is the convergence of the absolute number of vulnerabilities, not the number of vulnerabilities continuously dug up as the measure. In general, achieving broad defensive coverage of the company's whole business-line technology stack matters more than single-vulnerability technical capability. If we settle into the complacency of "it still works", the final result is missed opportunities and twice the effort for half the result. With the rapid development of IT security and data security technology, new terms emerge endlessly. Managers should focus on where the team will go in the future, and keep thinking hard to clarify the development prospects for next week, next quarter and next year.

Upward management

The middle level is also the grass-roots level. When implementing resolutions, they often encounter seven kinds of problems: quantification problems, accumulation problems, limitation problems, planning problems, process-versus-result problems, control problems, and innovation problems. The role of the grass-roots manager is to form a joint effort to solve these problems and then be responsible for reporting the result. The purpose of the report is to put conclusions first and keep it simple; see the pyramid principle. For example, in an emergency response, the head of the SRC team goes through a series of steps: stopping the loss, collecting evidence, investigating logs, post-event review and todo follow-up. During this period the superior is the most anxious: he does not know what happened, there is no data in the weekly or monthly reports, he is being @'d in the chat group, and he cannot manage precisely. At this point it is not appropriate to send a wiki link to the summary report, or to give a long-winded account of how we did it and what difficulties we encountered. What matters is to make clear whether we can resolve this case and what weaknesses it exposed, to acknowledge where our current practice is merely adequate, and to state with confidence that we can reach the absolute and relative best level. Briefing is about running the PDCA cycle well and informing each stakeholder of progress and risk impact. A reference style for reporting problems: 1. What is this problem? 2. What is its impact? 3. Is there a solution? 4. How long does the solution take? 5. What are the time and consequence risks? 6. What cooperation is needed for the next step?

Motivation and recognition

When facing large government enterprises and companies with rigid processes, newly established security partners will find that "the spirit is willing but the flesh is weak". When they do not understand the essence of security, they will only do scanning and penetration testing, and will naturally be assigned to security audit. They can start that early on, and it becomes boring after half a year. Hackers always want new ideas; by then they are tired of the perfunctory attitude that often accompanies such work, they miss security issues and get challenged for it, and they have no sense of achievement. Grass-roots managers should analyze the personality traits of employees and allocate work reasonably. For example, let people who understand some code complete work with a certain amount of risk and difficulty, such as SDL and security components, give timely affirmation and praise when they make progress in stages, and let them take part in vulnerability analysis and writing technical articles. A "one-person security department" needs its own "bragging rights". Even building a set of open-source solutions always brings challenges. I believe a young person without a "breakthrough" will not become a hacker. Once employees' recognition of the security team has been strengthened, they will consciously uphold the authority of security when dealing with business teams. Jack Welch of GE summed it up well: "grass-roots managers should not be loudspeakers, they should be cheerleaders."

Analysis and judgment ability

This ability refers to whether managers can analyze, from a higher level, the internal relations between seemingly unrelated events. Only with this ability can managers grasp the overall situation and analyze and solve problems accurately. Take a threat intelligence case as an example: an external intelligence channel reports a large number of dark-web posts selling crawled data or running promotion-abuse ("wool pulling") schemes that may affect the business. Based on the known information, the manager steers the handling of the event in a targeted way, rather than asking the "situational awareness" team what they "perceived". After R&D feedback, the reason the internal risk control system did not detect anything turns out to be that a small amount of data from special scenarios was never connected to the system, and the overall conclusion is that the impact of the event is controllable and will not escalate into a public relations crisis. In the next round of resource planning, the ability to validate the data model is listed for improvement. We often explain that security is risk management work, and dealing with risk requires managers to have insight into the areas they are responsible for and to prepare for the future, so that when facing real attacks they can "infer the rest from one case" and turn the crisis into a turning point.

Planning ability

This ability is quite old-fashioned. What security ultimately comes down to is the overall capability of the team. Even if code audit does not catch everything, WAF, HIDS, RASP and logs still give the opportunity to detect an intrusion, which is acceptable for the initial stage of security construction; this is the concept of "defense in depth" that we should be coordinating. Managers should turn their annual and quarterly tasks into a plan, decompose the tasks by priority, and have partners implement them, while the managers themselves pay attention to the key indicators of the key issues. There is no need to do everything personally; be clear about the 20% of work that really matters.

Command and coordination ability

No matter how good an enterprise security construction plan is, it still needs people to command and implement it. Command ability includes the ability to distribute, coordinate, present and execute at the emergency scene. It also includes whether the command method and tone are appropriate, and the ability to stimulate fighting spirit and point the way forward. Recall that the WannaCry outbreak began on Friday, May 12, 2017. Over that weekend we needed to cooperate with the IT department to complete risk prevention and patch management for a large number of systems and cloud environments, and leaders had to command and dispatch multiple teams and business units to create the atmosphere of a "corporate security war". Hackers are colleagues too. Good command inspires a sense of responsibility and mission; blind command makes the company waste security resources, so that security becomes a pure cost department. Command ability is best supported by good verbal expression, the ability to speak persuasively. In fact, many people are "entrusted with heavy responsibilities" because of their good security technology, and when they first come into contact with project management they spend a lot of time on coordination: internal personnel, task allocation, pushing things forward between departments, and handling external customers. There is no way around it. Technology is one hurdle, management is another. Good managers must be able to coordinate.

Writing ability

We often say that so-and-so does no real work, is only a PPT architect, and just reports well to the leader. In fact, grass-roots managers cannot avoid writing implementation plans, event summaries, research and analysis of open-source solutions and other documents. In many cases what they write is the evidence of communication progress; it helps sort out ideas, and it can also serve as a knowledge base for the department's work.

Control ability

Business control is a cliche: plan implementation and goal achievement. Self-control is the hard part. You have to stop yourself from spending too much time hunting CVE vulnerabilities and digging 0days, and shift more energy and working time to collecting data, competitive research, business security communication meetings, team performance scoring and personnel training. Thirdly, we should control our psychological state and treat problems at work rationally and objectively. Do not be impatient: the more important a security issue is, the more stability it needs. Emotional language solves nothing; instead it destroys the manager's image of "winning people over by virtue, valuing the worthy and the virtuous", and may even be regarded as unprofessional.