Derailed projects, unexpected outages and related problems plague IT and security professionals. These distractions can impede progress in your information security program and create unnecessary risks.

It’s human nature to oil the squeakiest wheel, to jump on a problem that’s calling out for immediate attention. We must all resist the urge to chase new leads down those intriguing rabbit holes.

A High-Level Look at Your Information Security Program

In terms of information security, this is most evident when things are boring on the security front and workers are chugging along with nothing big to address. Many people’s limited attention spans get the best of them and they are quick to jump on board with the latest technologies, often guided by rating charts, analyst predictions and auditor mandates without stepping back to think for themselves and see what’s actually going on and needed in terms of their security programs. Some vendors actively encourage customers to buy products they just so happen to resell, even if they might not be the best fit.

Looking at things from a high-level perspective, the business must come first. The purpose of a business is to acquire and retain customers that help generate sales, and ultimately profits, to help the organization grow. I’ve met plenty of IT professionals over the years who focus solely on pushing their initiatives while ignoring core business missions and principles. That’s a bit ironic, since were it not for successful business initiatives, cybersecurity would be written off as unnecessary expenditures. There are bigger fish to fry. The business does not revolve around IT and security as much as we often think it does.

It’s critical to remember what’s important to the organization. This often means helping with initiatives other than your own. If it’s unclear what the business goals are and how security fits into that conversation, ask more questions and get more people involved.

Another reality of human nature is for us (especially men) to not ask for advice. This is especially true when we’re supposed to be masters of the dark art of information security. Some believe that if they reach out for assistance they’ll be seen as weak or not on top of their game. I think most reasonable outsiders, such as your peers and executives, will actually find that level of humility quite refreshing.

Boring Is Good

Stop chasing so many flashy new security opportunities. Remember, boring is good. That’s when you know what you’ve got, how it’s at risk and what steps to take to eliminate or reduce those risks. Unless and until you get to this point, most things will be mere distractions that keep you from improving your security program.

Consider how unmanaged index funds in the stock market typically beat out managed funds over the long haul. If you literally shut out outside security influences such as social media headlines, analyst predictions and new technologies, and instead focused exclusively on your core information security program, you would presumably come out further ahead in two to three years.

I’m not recommending that you bury your head in the sand and ignore how information security can and should evolve. I am saying that only you know what’s best for your environment. Think for yourself. With the proper insight on risk combined with tried-and-true security principles, you stand to double the effectiveness of your security program. Above all else, focus and discipline around security are what matter most.
