February 2, 2017 By Kevin Beaver 2 min read

Derailed projects, unexpected outages and related problems plague IT and security professionals. These distractions can impede progress in your information security program and create unnecessary risks.

It’s human nature to oil the squeakiest wheel, to jump on a problem that’s calling out for immediate attention. We must all resist the urge to chase new leads down those intriguing rabbit holes.

A High-Level Look at Your Information Security Program

In information security, this is most evident when things are quiet on the security front and staff are chugging along with nothing big to address. Many people's limited attention spans get the best of them: they are quick to jump on board with the latest technologies, often guided by rating charts, analyst predictions and auditor mandates, without stepping back to think for themselves about what is actually going on and what their security programs actually need. Some vendors actively encourage customers to buy products they just so happen to resell, even if they might not be the best fit.

Looking at things from a high-level perspective, the business must come first. The purpose of a business is to acquire and retain customers who generate sales, and ultimately profits, to help the organization grow. I've met plenty of IT professionals over the years who focus solely on pushing their own initiatives while ignoring core business missions and principles. That's a bit ironic, since were it not for successful business initiatives, cybersecurity would be written off as an unnecessary expenditure. There are bigger fish to fry. The business does not revolve around IT and security as much as we often think it does.

It’s critical to remember what’s important to the organization. This often means helping with initiatives other than your own. If it’s unclear what the business goals are and how security fits into that conversation, ask more questions and get more people involved.

Another reality of human nature is for us (especially men) to not ask for advice. This is especially true when we're supposed to be masters of the dark art of information security. Some believe that if they reach out for assistance they'll be seen as weak or not on top of their game. I think most reasonable outsiders, such as your peers and executives, will actually find that level of humility quite refreshing.

Boring Is Good

Stop chasing so many flashy new security opportunities. Remember, boring is good. That’s when you know what you’ve got, how it’s at risk and what steps to take to eliminate or reduce those risks. Unless and until you get to this point, most things will be mere distractions that keep you from improving your security program.

Consider how unmanaged index funds in the stock market typically beat managed funds over the long haul. If you literally shut out outside security influences such as social media headlines, analyst predictions and new technologies, and instead focused exclusively on your core information security program, you would presumably come out further ahead in two to three years.

I'm not recommending that you bury your head in the sand and ignore how information security can and should evolve. I am saying that only you know what's best for your environment. Think for yourself. With the proper insight into risk, combined with tried-and-true security principles, you stand to double the effectiveness of your security program. Above all else, focus and discipline around security are what matter most.
