Wisdom in the making – that’s how you need to view your position, your thoughts and your leadership in and around information security. The truth is that unless and until people go through a traumatic event involving security, they never really become wise — it is merely blind shuffling of best practices.
I’ve found that acknowledging you don’t know everything is essential. As Friedrich Hayek said, “Man does not and cannot know everything, and when he acts as if he does, disaster follows.” Vowing to fine-tune your skills in the pursuit of wisdom is critical for getting — and keeping — people on your side, especially when it comes to information security.
The thing about growing wise is we have to learn from others who have already paid the price. Here are the five most important things I have learned about information security:
1. You cannot secure what you do not acknowledge. No one can afford to get into a comfort zone with security. No matter what physical and logical controls you have deployed, it is guaranteed that there is something, somewhere, that has been overlooked on your network. Go find it... today.
2. Compromise does not have to mean loss. Regardless of the size of your business or the industry it resides in, you are going to experience security events and incidents. Smart security executives do everything they can, in advance, to minimize their impact. That’s really all you can do. Do not be afraid to fail — just make sure something is being done.
3. IT is changing daily; security not so much. Study the decades-old concepts found in information security standards such as FISMA, ISO/IEC and even the CISSP Body of Knowledge. While they are not the magic cure-all solution to your information security woes, they are there for a reason. If businesses implemented a mere 25 percent of these core principles, it would make huge strides in overall information security.
4. Users and management alike cannot buy into something they do not understand. Explain in a clear and concise fashion what it is that you want them to know and want them to do. As Murphy’s Law says: In case of doubt, make it sound convincing. That is the essence of selling security.
5. Information security strategies are mere thoughts in your head until you put them into action. One of the biggest challenges we have in information security is people being afraid to call things as they see them when it comes to risk, and then doing what’s actually needed to mitigate them. Talk is cheap, and your organization’s security posture right now is a direct reflection on you.
Taking your information security wisdom to the next level requires setting yourself up for success. Expect disapproval. Struggling against the grain is only going to lead to unnecessary frustration.
Instead of waiting for people to get on board with security, just make it happen, and do what you know needs to be done. Make the fire inside you known, and if you add enough value over time, the right people will notice, giving you the traction needed to really make a difference.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the best-selling Hacking For Dummies as well as the newly-released Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.