Cardinal rules of the information security officer.
This is posted on the wall of my office. It is surprising how often I point at it and refer to a specific rule during a conversation with my
One of the most fundamental rules that I preach in my practice is "No Surprises". There are a few more, but that is really the most important one. While co-workers and direct reports play an important role in the "No Surprises" rule, every now and then I have to remind myself that I am just as responsible for not springing any surprises on myself.

My personal situational awareness contributes to that rule. In addition to attempting to achieve and maintain network situational awareness, which gives me a decent understanding of what is going on in my infrastructure from a deep technical view (think: packets, flows, logs, etc.), I also need to maintain business situational awareness.

For a hard-core techie like me, that is sometimes harder. However, knowing what my organization is up to from a business perspective is just as important, if not more so, than knowing what's going on from a technical perspective. Have our revenue streams changed? What does that mean for our critical processes and our sensitive data? Are my preventative and my detective controls still sufficient?

What global trends are affecting the way we do business? Are there new contracts coming down the pipeline that I should know about? Do we have any business partners that are being acquired, or who are acquiring other companies? All questions that are directly relevant to the information security practice, but are often overlooked.

The way to get answers to these questions varies per person, and may be different from one organization to the next. One way to be in-the-know is to make sure that you are not perceived as a roadblock; information security must be seen as an enabler, not as a hindrance. Offering help to others on a regular basis, even if it is something that is out of your comfort zone and may not reap immediate short-term benefits, is a great way to cultivate that goodwill. Having lunch with non-technical people is another great way to learn about what's going on (yes, even auditors eat)!

In general, being in-the-know boils down to having people respect you.

Attend that corporate-wide event, even though you would much rather be knee-deep in packets. Being seen really helps. Being polite helps even more. Finally, being perceived as somebody who knows what he is doing helps the most. Even if that means that you need to wear a suit and tie, or at least a jacket and a pair of nice dress pants, when you leave the inner sanctum of security operations, it may be worth it. Try it; it will not hurt (much), and it does pay off in the end.

Once I have achieved personal situational awareness (network situational awareness and business situational awareness), I can pass it on to those I work with. In the end, knowing what is normal is necessary to detect those pesky "deviations from the norm that can cause harm".