I’ve heard it said that experience is something you don’t get until just after you need it. That essentially defines most information security programs I’ve seen. Generally speaking, chief information security officers (CISOs) and security managers know what needs to be done. The outcome, however, is often not quite what they expected.

Teachable moments may present themselves, but the opportunities are often overlooked. At the 2017 RSA Conference in San Francisco, I couldn’t help but notice that security leaders continue to struggle in this area. The following RSA tips, gleaned from some lessons learned at the conference over the past decade, can help CISOs get out of that rut.

Build a healthy security environment

RSA Tips for CISOs

After listening to the keynotes and sessions, and speaking with colleagues and vendors, it occurs to me that many of today’s information security challenges would be less burdensome had they been addressed 10 years ago. Hindsight is 20/20, of course, but many of our security challenges tie back to core business principles that we’ve known about but largely ignored for decades. Below are some examples:

  • Relationships are everything — budget is not.
  • It’s not just who you know, it’s who knows you.
  • The Pareto principle: Focus on the vital few rather than the trivial many.
  • Policies mean very little without clear focus and political backing from the top.

These tenets drove many of the discussions at RSA. Be it the need for more network visibility to lock down the Internet of Things (IoT), the continuing challenges with users and advanced malware or the promise of machine learning to fix our security woes, enterprises could have controlled these issues had some core business wisdom been invoked just a few years ago.

I certainly understand that many of these challenges are drummed up via the marketing machine. Cybersecurity and other fads have come and gone via this path. But do you really need to reinvent your security program to address today’s challenges? I don’t think so.

Sustaining a Successful Security Program

Back in 2006, I gave a presentation at the RSA Conference titled “10 Essential Elements for Success as an Information Security Professional.” The steps I recommended back then totally and completely apply to security today:

  1. Enhance your soft skills.
  2. Know how to sell security.
  3. Understand risk.
  4. Know the legal side of security.
  5. Possess business savvy.
  6. Find your specialty.
  7. Maintain your technical edge.
  8. Constantly improve your methodologies.
  9. Make a name for yourself.
  10. Commit to continuous learning.

Unlike this year’s RSA Conference, my career track session back then was niche at best. Although I had a good turnout, I’m sure many attendees had their doubts about the importance of focusing on the soft side of security. After all, IT professionals once used firewalls and antivirus software exclusively to manage risk. This year, things at RSA were noticeably different with numerous — not to mention very good — sessions on what it takes to succeed in security.

No Time Like the Present

Stop waiting to address the core elements of security. Most security challenges and opportunities come with hair on top. Stop looking for that next cool technology to solve your problems. Work on the people side of things instead.

The next 10 years are going pass even more quickly than the last. You don’t want to have to revisit this problem time and again. Reflect inward and get started now. As the proverb goes, the best time to plant a tree was 20 years ago. The next best time is today.

Want to truly effect some positive security change in your organizations? It’s all on you.

Build a healthy security environment

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…