Beaver: Address Security Opportunities or Remain on the Path to Mediocrity
September 5, 2017 | Security Policies and Strategy
By Kevin Beaver, IANS Faculty
Opportunity. I think that word best describes any given information security program. In every organization, there are obstacles and challenges that IT and security professionals have to overcome in order to get their work done, but this is somewhat unique among other business functions. Imagine legal counsel having to continually sell themselves and what they believe needs to be accomplished for the business. What if HR had a continuous uphill battle in implementing processes and procuring business systems that would help their initiatives?
I'm not saying these other business functions don't face barriers and that management fully supports them without question. However, security is unique in that we constantly need to demonstrate what's wrong and then justify what we need to do to fix it.
Your specific circumstances as an IT/security professional present opportunities. Every obstacle you face in and around security provides an opportunity to get better and make improvements – to strengthen your weaknesses and strengthen your strengths. The thing is, you have to seek them out. You likely know what some of the overarching challenges are. It’s the same old stories: not enough time or money and users doing dumb things. But it's more than that. You mentally handicap yourself by thinking things like:
- Management just doesn't get security.
- Users won't listen to me.
- I've got too much going on to get that new security system up and running.
Your security opportunities lie at a deeper level. Rather than focusing on what you can't get done, focus on what you can get done. It's human nature to exert a little effort and then give up quickly if things don't go your way. But when excuses start flying about, it does nothing but lower confidence and impede progress.
There are so many situations where IT and security professionals can't see the forest for the trees. They think they've done all they can do to move security forward when, at the root of it, they've done very little. Many even say "I'm doing the best that I can" when all they're really doing is arguing for their own limitations. Think about it. How would you feel if someone approached you with the same circumstances that you're griping about? Would you want to go out of your way to help them or merely shrug them off, wish them well, and stay away from them? The answer’s clear.
Being positive pays huge dividends. It's one of the hardest things to accomplish – at least it is for me – but it's still a universal law. Focus on the negative and you’ll get negative. Focus on the positive and positive will follow. Instead of taking a “woe is me” approach to your security program, start (today) thinking about and focusing on what you can get to work on right now to address your security challenges. There will be opportunities for you to use tools that you already have. There will be opportunities for you to establish or improve relationships with other people in the business who can help you with your goals. There will most definitely be opportunities for you to improve yourself. Things like becoming a better communicator – in both writing and speaking – learning more about sales, learning more about your own business and so on. There’s always more.
If your information security program is not where it needs to be, or it downright stinks out loud, you have to stop blaming circumstances for your situation. It's not management. Nor is it your users. It's not your industry or the economy. It's you.
It's up to you to change the situation or continue to struggle. The road to hell (and security breaches) is paved with good intentions. Only you can take control of the situation. Rather than blaming the path that you're on, change the path. Blaze a new trail and make things happen. If you really want to do something, you’ll find a way.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).