I’ve heard it said that experience is something you don’t get until just after you need it. That essentially defines most information security programs I’ve seen. Generally speaking, chief information security officers (CISOs) and security managers know what needs to be done. The outcome, however, is often not quite what they expected.
Teachable moments may present themselves, but the opportunities are often overlooked. At the 2017 RSA Conference in San Francisco, I couldn’t help but notice that security leaders continue to struggle in this area. The following RSA tips, gleaned from some lessons learned at the conference over the past decade, can help CISOs get out of that rut.
RSA Tips for CISOs
After listening to the keynotes and sessions, and speaking with colleagues and vendors, it occurs to me that many of today’s information security challenges would be less burdensome had they been addressed 10 years ago. Hindsight is 20/20, of course, but many of our security challenges tie back to core business principles that we’ve known about but largely ignored for decades. Below are some examples:
- Relationships are everything — budget is not.
- It’s not just who you know, it’s who knows you.
- The Pareto principle: Focus on the vital few rather than the trivial many.
- Policies mean very little without clear focus and political backing from the top.
These tenets drove many of the discussions at RSA. Be it the need for more network visibility to lock down the Internet of Things (IoT), the continuing challenges with users and advanced malware or the promise of machine learning to fix our security woes, enterprises could have controlled these issues had some core business wisdom been invoked just a few years ago.
I certainly understand that many of these challenges are drummed up via the marketing machine. Cybersecurity and other fads have come and gone via this path. But do you really need to reinvent your security program to address today’s challenges? I don’t think so.
Sustaining a Successful Security Program
Back in 2006, I gave a presentation at the RSA Conference titled “10 Essential Elements for Success as an Information Security Professional.” The steps I recommended back then totally and completely apply to security today:
- Enhance your soft skills.
- Know how to sell security.
- Understand risk.
- Know the legal side of security.
- Possess business savvy.
- Find your specialty.
- Maintain your technical edge.
- Constantly improve your methodologies.
- Make a name for yourself.
- Commit to continuous learning.
Unlike this year’s RSA Conference, my career track session back then was niche at best. Although I had a good turnout, I’m sure many attendees had their doubts about the importance of focusing on the soft side of security. After all, IT professionals once used firewalls and antivirus software exclusively to manage risk. This year, things at RSA were noticeably different with numerous — not to mention very good — sessions on what it takes to succeed in security.
No Time Like the Present
Stop waiting to address the core elements of security. Most security challenges and opportunities come with hair on top. Stop looking for that next cool technology to solve your problems. Work on the people side of things instead.
The next 10 years are going pass even more quickly than the last. You don’t want to have to revisit this problem time and again. Reflect inward and get started now. As the proverb goes, the best time to plant a tree was 20 years ago. The next best time is today.
Want to truly effect some positive security change in your organizations? It’s all on you.