March 22, 2017 By Kevin Beaver 3 min read

When it comes to running an information security program, barriers to success are predictable. Many are quite obvious, such as lack of budget and minimal buy-in. Others, not so much. Still, it’s often the small things that add up to create real security hurdles.

Some that I’ve witnessed — and you have likely experienced — include:

Barriers such as these get in the way of achieving results in security. And, not unlike the eating and exercising habits we tend to take on, negative outcomes can sneak up in a hurry.

Setbacks in security are an inevitable part of the process. It’s like any other important aspect of life such as marital relations or business dealings: If you sit back and just let things happen rather than confronting the issue firsthand, things tend to fester. Resentment grows, passive aggressiveness rears its head and nothing ends up being done. The problems just get worse.

Clearing Common Security Barriers

So, how do you address these tangible impediments to security? Well, the specific approach depends on the situation. Many people give up at this point and just let things play out. Don’t do that! If you’re going to cut through the nonsense and get things done, it’s going to take guts, chutzpah and the motivation to effect change.

One of the most important things that’s innocently overlooked — or intentionally ignored — is just getting the topic out onto the table. Corporate America, and I presume its counterparts in other countries around the world, is great at stifling progress because of political correctness or the fear of losing one’s job and retirement plan. Many people are afraid to rock the boat at work, especially when it’s something like information security, which doesn’t always have good buy-in outside the IT department. It’s classic politics at play, but that doesn’t make it right.

A great exercise to figure out current challenges in your security program is to open the issue with management and/or your peers and then proceed to ask the tough questions. These questions might include:

  • What’s going on here?
  • How is it impacting the business?
  • Why do we think this is happening?
  • What is currently being done to address the issue?
  • What’s required to take the bull by the horns and get this initiative/project on the right track?
  • How do we ensure steps are being made in the right direction? When do we do that?

This is really nothing more than textbook problem-solving with a bit of assertiveness mixed with passion. It may just be precisely what’s needed to get you and your program out of a rut.

Great Risks, Great Rewards

President Trump has taken this approach to leading the U.S.: He observes what’s going on in Washington, D.C., calls it like he sees it and then vows to make changes. Only time will tell whether those changes will come to fruition. After all, talk is cheap in politics — and cybersecurity.

As brash as it may seem, I think this is a good approach to tackling what’s holding your security program back. You need to be prepared to get the runaround, face pushback and, perhaps, put your job at risk. The greatest leaders in history have been the ones who have been brave enough to step up, stand out and question what’s going on. This is your opportunity to stand out.

If you’re having such challenges in your information security program and you don’t feel passionate enough to stand up and do these things, then it’s probably time to move on to a different organization or different role where you can have the ear of decision-makers and find a way to make things happen.
