I’ve heard it said that experience is something you don’t get until just after you need it. That essentially defines most information security programs I’ve seen. Generally speaking, chief information security officers (CISOs) and security managers know what needs to be done. The outcome, however, is often not quite what they expected.

Teachable moments may present themselves, but the opportunities are often overlooked. At the 2017 RSA Conference in San Francisco, I couldn’t help but notice that security leaders continue to struggle in this area. The following RSA tips, gleaned from some lessons learned at the conference over the past decade, can help CISOs get out of that rut.

Build a healthy security environment

RSA Tips for CISOs

After listening to the keynotes and sessions, and speaking with colleagues and vendors, it occurs to me that many of today’s information security challenges would be less burdensome had they been addressed 10 years ago. Hindsight is 20/20, of course, but many of our security challenges tie back to core business principles that we’ve known about but largely ignored for decades. Below are some examples:

  • Relationships are everything — budget is not.
  • It’s not just who you know, it’s who knows you.
  • The Pareto principle: Focus on the vital few rather than the trivial many.
  • Policies mean very little without clear focus and political backing from the top.

These tenets drove many of the discussions at RSA. Be it the need for more network visibility to lock down the Internet of Things (IoT), the continuing challenges with users and advanced malware or the promise of machine learning to fix our security woes, enterprises could have controlled these issues had some core business wisdom been invoked just a few years ago.

I certainly understand that many of these challenges are drummed up via the marketing machine. Cybersecurity and other fads have come and gone via this path. But do you really need to reinvent your security program to address today’s challenges? I don’t think so.

Sustaining a Successful Security Program

Back in 2006, I gave a presentation at the RSA Conference titled “10 Essential Elements for Success as an Information Security Professional.” The steps I recommended back then totally and completely apply to security today:

  1. Enhance your soft skills.
  2. Know how to sell security.
  3. Understand risk.
  4. Know the legal side of security.
  5. Possess business savvy.
  6. Find your specialty.
  7. Maintain your technical edge.
  8. Constantly improve your methodologies.
  9. Make a name for yourself.
  10. Commit to continuous learning.

Unlike this year’s RSA Conference, my career track session back then was niche at best. Although I had a good turnout, I’m sure many attendees had their doubts about the importance of focusing on the soft side of security. After all, IT professionals once used firewalls and antivirus software exclusively to manage risk. This year, things at RSA were noticeably different with numerous — not to mention very good — sessions on what it takes to succeed in security.

No Time Like the Present

Stop waiting to address the core elements of security. Most security challenges and opportunities come with hair on top. Stop looking for that next cool technology to solve your problems. Work on the people side of things instead.

The next 10 years are going to pass even more quickly than the last. You don’t want to have to revisit this problem time and again. Reflect inward and get started now. As the proverb goes, the best time to plant a tree was 20 years ago. The next best time is today.

Want to truly effect some positive security change in your organizations? It’s all on you.
