February 17, 2017 By Kevin Beaver 3 min read

I’ve heard it said that experience is something you don’t get until just after you need it. That essentially defines most information security programs I’ve seen. Generally speaking, chief information security officers (CISOs) and security managers know what needs to be done. The outcome, however, is often not quite what they expected.

Teachable moments may present themselves, but the opportunities are often overlooked. At the 2017 RSA Conference in San Francisco, I couldn’t help but notice that security leaders continue to struggle in this area. The following RSA tips, gleaned from some lessons learned at the conference over the past decade, can help CISOs get out of that rut.

Build a healthy security environment

RSA Tips for CISOs

After listening to the keynotes and sessions, and speaking with colleagues and vendors, it occurs to me that many of today’s information security challenges would be less burdensome had they been addressed 10 years ago. Hindsight is 20/20, of course, but many of our security challenges tie back to core business principles that we’ve known about but largely ignored for decades. Below are some examples:

  • Relationships are everything — budget is not.
  • It’s not just who you know, it’s who knows you.
  • The Pareto principle: Focus on the vital few rather than the trivial many.
  • Policies mean very little without clear focus and political backing from the top.

These tenets drove many of the discussions at RSA. Be it the need for more network visibility to lock down the Internet of Things (IoT), the continuing challenges with users and advanced malware or the promise of machine learning to fix our security woes, enterprises could have controlled these issues had some core business wisdom been invoked just a few years ago.

I certainly understand that many of these challenges are drummed up via the marketing machine. Cybersecurity and other fads have come and gone via this path. But do you really need to reinvent your security program to address today’s challenges? I don’t think so.

Sustaining a Successful Security Program

Back in 2006, I gave a presentation at the RSA Conference titled “10 Essential Elements for Success as an Information Security Professional.” The steps I recommended back then totally and completely apply to security today:

  1. Enhance your soft skills.
  2. Know how to sell security.
  3. Understand risk.
  4. Know the legal side of security.
  5. Possess business savvy.
  6. Find your specialty.
  7. Maintain your technical edge.
  8. Constantly improve your methodologies.
  9. Make a name for yourself.
  10. Commit to continuous learning.

Unlike this year’s RSA Conference, my career track session back then was niche at best. Although I had a good turnout, I’m sure many attendees had their doubts about the importance of focusing on the soft side of security. After all, IT professionals once used firewalls and antivirus software exclusively to manage risk. This year, things at RSA were noticeably different with numerous — not to mention very good — sessions on what it takes to succeed in security.

No Time Like the Present

Stop waiting to address the core elements of security. Most security challenges and opportunities come with hair on top. Stop looking for that next cool technology to solve your problems. Work on the people side of things instead.

The next 10 years are going pass even more quickly than the last. You don’t want to have to revisit this problem time and again. Reflect inward and get started now. As the proverb goes, the best time to plant a tree was 20 years ago. The next best time is today.

Want to truly effect some positive security change in your organizations? It’s all on you.

Build a healthy security environment

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today