March 22, 2016 By Ron Woerner 3 min read

Real security is often lost in the translation of sophisticated exploits, vendor pitches and business complexity. We are seeing the same issues and asking the same questions we did yesterday, and the day before, and last year, and 10 years ago. We’re stuck in Security Groundhog Day.

How do we get past the never-ending day? How does a security professional decide the best tools, technologies and techniques for securing the organization? Where do we go from here to escape the security quagmire of threats, vulnerabilities, risks and constant breaches?

Simplifying Real Security

It’s time for real security for real life.

We know what needs to be done for security and why we need to do it, but we are often missing steps for how to do it. This article series focuses on specific, actionable steps you can take in your security program. It will cover tips, tools and techniques that security professionals and CISOs need in their tool belts. Use real security to develop your leadership qualities, and set a strategy map for security.

Let’s start our real security journey with the end in mind. What are we trying to do with our security programs? What is the focus of our security efforts? How will we get there?

In a world full of multitaskers and distractions, it’s easy to lose focus and make things overly complicated. In 2012, security pundit Bruce Schneier said, “Complexity is the worst enemy of security.” Our world has become more complicated, with thousands of distractions keeping us from our real goals.

Goal-Setting

In an effort to get real, let’s start by looking at goals. When was the last time you asked yourself, “What are my goals for information security?”

To simplify, use the KISS-OT approach to find the one thing you need to do today, tomorrow and for the rest of the year. KISS-OT stands for Keep Information Security Simple and focus on One Thing.

Ask and answer the questions below in order to KISS and find that one thing to meet your real security goals. You can either do it yourself or as part of a brainstorming session with others. As you develop your answers, write them down and include the date. Written goals have a much greater chance of being accomplished.

The questions to ask include:

  • Operational: What are you doing today? What one thing do you need to accomplish to make your or someone else’s life better or more secure? How will you get that one thing done? Do you need to lock yourself away? Can it be done today?
  • Tactical: What one thing do you need to have accomplished in the next two to three months? What’s the top security priority for your organization that can actually be completed? What is the one task that must be done to make your organization run better and be more secure in the midterm?
  • Strategic: What one thing do you need to have accomplished in the next year? What risk do you need to solve, what threat do you need to reduce or what vulnerability do you need to mitigate? What’s the top priority for your organization that can realistically be completed?

Tips for Setting Security Goals

Below are some ideas for determining your operational, tactical and strategic KISS-OT list in case you run into trouble.

  • Start with three to five items for each area. Keep the list simple. You should limit the time you take to 10 minutes — any longer and you’re probably overthinking it.
  • Out of that list, which items can you accomplish in the given time period? If it can’t or won’t be done, either it shouldn’t be on the list or it should be moved down the timeline.
  • Identify the resources (people, technology, applications, etc.) you need to get the job done. Are they available in the time frame? If they’re not, then remove that item from your list.
  • Identify the risks and rewards associated with each item. We’ll talk about risk identification, measurement and management in future posts. In the meantime, determine the ramifications if your one thing isn’t done. What’s the worst that can happen? How likely is it?
  • Ask someone you trust for advice. They can provide a different perspective.

Don’t worry about making your list perfect. Perfection is the destination, not the starting point. You can refine it as you go along.

Keeping it simple helps you optimize your security program to focus on what’s important. By keeping it real, keeping it simple and focusing on one thing, you can take the small steps in security to ultimately solve the complex problems.
