February 17, 2017 By Kevin Beaver 3 min read

I’ve heard it said that experience is something you don’t get until just after you need it. That essentially defines most information security programs I’ve seen. Generally speaking, chief information security officers (CISOs) and security managers know what needs to be done. The outcome, however, is often not quite what they expected.

Teachable moments may present themselves, but the opportunities are often overlooked. At the 2017 RSA Conference in San Francisco, I couldn’t help but notice that security leaders continue to struggle in this area. The following RSA tips, gleaned from some lessons learned at the conference over the past decade, can help CISOs get out of that rut.

Build a healthy security environment

RSA Tips for CISOs

After listening to the keynotes and sessions, and speaking with colleagues and vendors, it occurs to me that many of today’s information security challenges would be less burdensome had they been addressed 10 years ago. Hindsight is 20/20, of course, but many of our security challenges tie back to core business principles that we’ve known about but largely ignored for decades. Below are some examples:

  • Relationships are everything — budget is not.
  • It’s not just who you know, it’s who knows you.
  • The Pareto principle: Focus on the vital few rather than the trivial many.
  • Policies mean very little without clear focus and political backing from the top.

These tenets drove many of the discussions at RSA. Be it the need for more network visibility to lock down the Internet of Things (IoT), the continuing challenges with users and advanced malware or the promise of machine learning to fix our security woes, enterprises could have controlled these issues had some core business wisdom been invoked just a few years ago.

I certainly understand that many of these challenges are drummed up via the marketing machine. Cybersecurity and other fads have come and gone via this path. But do you really need to reinvent your security program to address today’s challenges? I don’t think so.

Sustaining a Successful Security Program

Back in 2006, I gave a presentation at the RSA Conference titled “10 Essential Elements for Success as an Information Security Professional.” The steps I recommended back then totally and completely apply to security today:

  1. Enhance your soft skills.
  2. Know how to sell security.
  3. Understand risk.
  4. Know the legal side of security.
  5. Possess business savvy.
  6. Find your specialty.
  7. Maintain your technical edge.
  8. Constantly improve your methodologies.
  9. Make a name for yourself.
  10. Commit to continuous learning.

Unlike this year’s RSA Conference, my career track session back then was niche at best. Although I had a good turnout, I’m sure many attendees had their doubts about the importance of focusing on the soft side of security. After all, IT professionals once used firewalls and antivirus software exclusively to manage risk. This year, things at RSA were noticeably different with numerous — not to mention very good — sessions on what it takes to succeed in security.

No Time Like the Present

Stop waiting to address the core elements of security. Most security challenges and opportunities come with hair on top. Stop looking for that next cool technology to solve your problems. Work on the people side of things instead.

The next 10 years are going pass even more quickly than the last. You don’t want to have to revisit this problem time and again. Reflect inward and get started now. As the proverb goes, the best time to plant a tree was 20 years ago. The next best time is today.

Want to truly effect some positive security change in your organizations? It’s all on you.

Build a healthy security environment

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today