Derailed projects, unexpected outages and related problems plague IT and security professionals. These distractions can impede progress in your information security program and create unnecessary risks.
It’s human nature to oil the squeakiest wheel, to jump on a problem that’s calling out for immediate attention. We must all resist the urge to chase new leads down those intriguing rabbit holes.
A High-Level Look at Your Information Security Program
In terms of information security, this is most evident when things are boring on the security front and workers are chugging along with nothing big to address. Many people’s limited attention spans get the best of them and they are quick to jump on board with the latest technologies, often guided by rating charts, analyst predictions and auditor mandates without stepping back to think for themselves and see what’s actually going on and needed in terms of their security programs. Some vendors actively encourage customers to buy products they just so happen to resell, even if they might not be the best fit.
Looking at things from a high-level perspective, the business must come first. The purpose of a business is to acquire and retain customers that help generate sales, and ultimately profits, to help the organization grow. I’ve met plenty of IT professionals over the years who focus solely on pushing their initiatives while ignoring core business missions and principles. That’s a bit ironic, since were it not for successful business initiatives, cybersecurity would be written off as unnecessary expenditures. There are bigger fish to fry. The business does not revolve around IT and security as much as we often think it does.
It’s critical to remember what’s important to the organization. This often means helping with initiatives other than your own. If it’s unclear what the business goals are and how security fits into that conversation, ask more questions and get more people involved.
Another reality of human nature is for us (especially men) to not ask for advice. This is especially true when we’re supposed to be masters of the dark art of information security. Some believe that if they reach out for assistance they’ll be seen as weak or not on top of their games. I think most reasonable outsiders such as your peers and executives will actually find that level of humility quite refreshing.
Boring Is Good
Stop chasing so many flashy new security opportunities. Remember, boring is good. That’s when you know what you’ve got, how it’s at risk and what steps to take to eliminate or reduce those risks. Unless and until you get to this point, most things will be mere distractions that keep you from improving your security program.
Consider how unmanaged index funds in the stock market typically beat out managed funds over the long haul. If you literally shuttered outside security influences such as social media headlines, analyst predictions and new technologies and instead focused on your core information security program exclusively, you would presumably come out further ahead in two to three years.
I’m not recommending that you bury your head in the ground and ignore how information security can and should evolve. I am saying that only you know what’s best for your environment. Think for yourself. With the proper insight on risk combined with tried-and-true security principles, you stand to double the effectiveness of your security program. Above all else, focus and discipline around security are what matter most.
Independent Information Security Consultant